使用托管标识从逻辑应用调用 Azure AD 保护的 API

Question

We are having an Azure AD Protect API which is hosted on prem. We have a requirement to call this API from Logic App. We have currently created or registered a new client App in App Registration for this logic App and have provided the necessary permissions and have called API passing the Bearer Token.

My question, is there a way we can leverage Managed Identity for Logic App (either User Assigned or System Assigned) for calling the API?

Answer 1

Yes there is. I wrote an article on the topic (though it is not specific to Logic Apps): https://joonasw.net/view/calling-your-apis-with-aad-msi-using-app-permissions .

You will need to create an appRoleAssignment that gives an application permission to your managed identity service principal. To do this, we must use PowerShell or Microsoft Graph API. With Azure AD PowerShell , we can do this:

Connect-AzureAD

New-AzureADServiceAppRoleAssignment -ObjectId $miSpId -Id $appRoleId -PrincipalId $miSpId -ResourceId $targetApiSpId

There we have 3 arguments you need to find:

1. miSpId: The objectId of the Managed Identity (easy, we can find this from the Identity blade in the Logic App)
2. appRoleId: The id of the appRole defined on your API's manifest (this should be easy to find as well, it's in your API's manifest)
   • If you haven't defined an appRole (app permission) on your API, you will need to do that first ( https://joonasw.net/view/defining-permissions-and-roles-in-aad )
3. targetApiSpId: The objectId of the target API service principal (this one you can get by going to Enterprise Applications and finding your API there)