
ARM template for Data Factory connector in Logic Apps with Managed Identity

I have a Logic App that uses the Azure Data Factory action "Create a pipeline run" that works perfectly.

This is what the Logic App looks like

The authentication method to Azure Data Factory that I use is "System assigned" managed identity.

After creating and testing the Logic App, I now want to create an ARM template to save it in the code repository for deployment. However, I'm struggling to get the authentication part of the ARM template to work. I'm not sure what the syntax should be and I can't find anything in the Microsoft documentation.

In the Logic App resource I have added:

  "identity": {
    "type": "SystemAssigned"
  }

This is what the connections part of the Logic App resource looks like:

      "$connections": {
        "value": {
          "azuredatafactory": {
            "connectionId": "[parameters('connections_azuredatafactory_externalid')]",
            "connectionName": "[parameters('connections_azuredatafactory_name')]",
            "connectionProperties": {
              "authentication": {
                "type": "ManagedServiceIdentity"
              }
            },
            "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/francecentral/managedApis/azuredatafactory')]"
          }
        }
      }

And this is what the connector resource looks like (I think I'm missing something here?):

{
  "type": "Microsoft.Web/connections",
  "apiVersion": "2016-06-01",
  "name": "[parameters('connections_azuredatafactory_name')]",
  "location": "francecentral",
  "kind": "V1",
  "properties": {
    "displayName": "[parameters('connections_azuredatafactory_displayname')]",
    "alternativeParameterValues": {},
    "parameterValueSet": {
      "name": "managedIdentityAuth",
      "values": {}
    },
    "statuses": [
      {
        "status": "Ready"
      }
    ],
    "api": {
      "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/francecentral/managedApis/azuredatafactory')]"
    }
  }
}

The error message I get when trying to deploy this through Visual Studio 2022 is:

Template deployment returned the following errors: Resource Microsoft.Logic/workflows 'logic-d365-dwh-01-ip-dev-rxlse' failed with message '{ "error": { "code": "WorkflowManagedIdentityConfigurationInvalid", "message": "The workflow connection parameter 'azuredatafactory' is not valid. The API connection 'azuredatafactory' is not configured to support managed identity." } }'

Anyone who knows what the problem could be?

1) I have created an Azure Logic App with 3 actions (HTTP request, create ADF pipeline, response).

Here is the reference image:

[image: enter image description here]

2) Then, to connect to ADF, I used a system-assigned managed identity, and I have given the Logic App access to create pipelines in ADF.

Here is the reference image:

[image: enter image description here]

  1. Then I tested it in the portal and it succeeded.

  2. Then I exported the ARM template and downloaded it.

  3. Then in Visual Studio I created a new project of type Azure Resource Group, and edited logicapp.json and the Logic App parameters file based on the template.

  4. Then I deployed it and it succeeded.

ARM template code which I have used for reference:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workflows_so1LP_name": {
      "defaultValue": "so1LP",
      "type": "String"
    },
    "connections_azuredatafactory_1_externalid": {
      "defaultValue": "/subscriptions/<subscription-id>/resourceGroups/so1/providers/Microsoft.Web/connections/azuredatafactory-1",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Logic/workflows",
      "apiVersion": "2017-07-01",
      "name": "[parameters('workflows_so1LP_name')]",
      "location": "centralus",
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "state": "Enabled",
        "definition": {
          "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "$connections": {
              "defaultValue": {},
              "type": "Object"
            }
          },
          "triggers": {
            "manual": {
              "type": "Request",
              "kind": "Http",
              "inputs": {}
            }
          },
          "actions": {
            "Create_a_pipeline_run": {
              "runAfter": {},
              "type": "ApiConnection",
              "inputs": {
                "host": {
                  "connection": {
                    "name": "@parameters('$connections')['azuredatafactory_1']['connectionId']"
                  }
                },
                "method": "post",
                "path": "/subscriptions/@{encodeURIComponent('<subscription id>')}/resourcegroups/@{encodeURIComponent('so1')}/providers/Microsoft.DataFactory/factories/@{encodeURIComponent('sodf1')}/pipelines/@{encodeURIComponent('sopipeline')}/CreateRun",
                "queries": {
                  "x-ms-api-version": "2017-09-01-preview"
                }
              }
            },
            "Response": {
              "runAfter": {
                "Create_a_pipeline_run": [
                  "Succeeded"
                ]
              },
              "type": "Response",
              "kind": "Http",
              "inputs": {
                "statusCode": 200
              }
            }
          },
          "outputs": {}
        },
        "parameters": {
          "$connections": {
            "value": {
              "azuredatafactory_1": {
                "connectionId": "[parameters('connections_azuredatafactory_1_externalid')]",
                "connectionName": "azuredatafactory-1",
                "connectionProperties": {
                  "authentication": {
                    "type": "ManagedServiceIdentity"
                  }
                },
                "id": "/subscriptions/<subscription-id>/providers/Microsoft.Web/locations/centralus/managedApis/azuredatafactory"
              }
            }
          }
        }
      }
    }
  ],
  "outputs": {}
}

Here is the reference image:

[image: enter image description here]

NOTE: I am using a free subscription, so I don't have any restrictions, but in your case you may have some restrictions, which may be why you're facing the issue.

  1. The second reason may be that you're using system-assigned access after creating the Logic App to give access to ADF; also check whether, after creating ADF, you are giving its managed identity access to the Logic App as well. Maybe you are skipping one of the managed identities, which is why you're getting the error in the ARM template deployment. So, give access both from ADF to the Logic App and from the Logic App to ADF.

Here are some images for reference for logic app to ADF:

Go to "access control" of logic app.

[image: enter image description here]

Select owner as role.

[image: enter image description here]

Select managed identity as data factory.

[image: enter image description here]

Here are some images for reference for ADF to logic app:

Go to "access control" of data factory.

[image: enter image description here]

Select owner as role.

[image: enter image description here]

Select managed identity as logic app.

[image: enter image description here]

Did you try using "parameterValueType": "Alternative" instead of "parameterValueSet"?

{
  "type": "Microsoft.Web/connections",
  "apiVersion": "2016-06-01",
  "name": "[parameters('connections_azuredatafactory_name')]",
  "location": "francecentral",
  "kind": "V1",
  "properties": {
    "displayName": "[parameters('connections_azuredatafactory_displayname')]",
    "customParameterValues": {},
    "parameterValueType": "Alternative",
    "api": {
      "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/francecentral/managedApis/azuredatafactory')]"
    }
  }
}
