Authenticate access and connections with managed identities - Azure Logic Apps (2024)


Applies to: Azure Logic Apps (Consumption + Standard)

When you use a managed identity to authenticate access or connections to Microsoft Entra protected resources from your logic app workflow, you don't have to provide credentials, secrets, or Microsoft Entra tokens. In Azure Logic Apps, some connector operations support using a managed identity when you have to authenticate access to resources protected by Microsoft Entra ID. Azure manages this identity and helps keep authentication information secure because you don't have to manage this sensitive information. For more information, see What are managed identities for Azure resources?.

Azure Logic Apps supports the system-assigned managed identity and the user-assigned managed identity. The following list describes some differences between these managed identity types:

  • A logic app resource can enable and use only one unique system-assigned identity.

  • A logic app resource can share the same user-assigned identity across a group of other logic app resources.

This guide shows how to complete the following tasks:

  • Enable and set up the system-assigned managed identity for your logic app resource. This guide provides an example that shows how to use the identity for authentication.

  • Create and set up a user-assigned identity. This guide shows how to create a user-assigned identity using the Azure portal and Azure Resource Manager template (ARM template) and how to use the identity for authentication. For Azure PowerShell, Azure CLI, and Azure REST API, see the following documentation:

  • Azure PowerShell: Create user-assigned identity
  • Azure CLI: Create user-assigned identity
  • Azure REST API: Create user-assigned identity

Consumption versus Standard logic apps

Based on your logic app resource type, you can enable either the system-assigned identity, user-assigned identity, or both at the same time:

Logic app: Consumption
  Environment:
    - Multitenant Azure Logic Apps
    - Integration service environment (ISE)
  Managed identity support:
    - Your logic app can enable either the system-assigned identity or the user-assigned identity.
    - You can use the managed identity at the logic app resource level and connection level.
    - If you enable the user-assigned identity, your logic app can have only one user-assigned identity at a time.

Logic app: Standard
  Environment:
    - Single-tenant Azure Logic Apps
    - App Service Environment v3 (ASEv3)
    - Azure Arc enabled Logic Apps
  Managed identity support:
    - You can enable both the system-assigned identity, which is enabled by default, and the user-assigned identity at the same time.
    - You can use the managed identity at the logic app resource level and connection level.
    - If you enable the user-assigned identity, your logic app resource can have multiple user-assigned identities at the same time.

For information about managed identity limits in Azure Logic Apps, see Limits on managed identities for logic apps. For more information about the Consumption and Standard logic app resource types and environments, see the following documentation:

  • Resource environment differences
  • Azure Arc enabled Logic Apps

Where you can use a managed identity

In Azure Logic Apps, only specific built-in and managed connector operations that support OAuth with Microsoft Entra ID can use a managed identity for authentication. The following tables provide only a sample selection. For a more complete list, see Authentication types for triggers and actions that support authentication and Azure services that support Microsoft Entra authentication with managed identities.

  • Consumption
  • Standard

For a Consumption logic app workflow, the following table lists the connectors that support managed identity authentication:

Connector type: Built-in
- Azure API Management
- Azure App Services
- Azure Functions
- HTTP + Webhook

Note: HTTP operations can authenticate connections to Azure Storage accounts behind Azure firewalls with the system-assigned identity. However, they don't support the user-assigned managed identity for authenticating the same connections.

Connector type: Managed
- Azure App Service
- Azure Automation
- Azure Blob Storage
- Azure Container Instance
- Azure Cosmos DB
- Azure Data Explorer
- Azure Data Factory
- Azure Data Lake
- Azure Event Grid
- Azure Event Hubs
- Azure IoT Central V2
- Azure IoT Central V3
- Azure Key Vault
- Azure Log Analytics
- Azure Queues
- Azure Resource Manager
- Azure Service Bus
- Azure Sentinel
- Azure Table Storage
- Azure VM
- HTTP with Microsoft Entra ID
- SQL Server

Prerequisites

  • An Azure account and subscription. If you don't have a subscription, sign up for a free Azure account. Both the managed identity and the target Azure resource where you need access must use the same Azure subscription.

  • The target Azure resource that you want to access. On this resource, you'll add the necessary role for the managed identity to access that resource on your logic app's or connection's behalf. To add a role to a managed identity, you need Microsoft Entra administrator permissions that can assign roles to identities in the corresponding Microsoft Entra tenant.

  • The logic app resource and workflow where you want to use the trigger or actions that support managed identities.

Enable system-assigned identity in the Azure portal

  • Consumption
  • Standard
  1. In the Azure portal, open your logic app resource.

  2. On the logic app menu, under Settings, select Identity.

  3. On the Identity page, under System assigned, select On > Save. When Azure prompts you to confirm, select Yes.



    Note: If you get an error that you can have only a single managed identity, your logic app resource is already associated with the user-assigned identity. Before you can add the system-assigned identity, you must first remove the user-assigned identity from your logic app resource.

    Your logic app resource can now use the system-assigned identity. This identity is registered with Microsoft Entra ID and is represented by an object ID.

    Property | Value | Description
    Object (principal) ID | <identity-resource-ID> | A Globally Unique Identifier (GUID) that represents the system-assigned identity for your logic app in a Microsoft Entra tenant.
  4. Now follow the steps that give that identity access to the resource later in this guide.

Enable system-assigned identity in an ARM template

To automate creating and deploying logic app resources, you can use an ARM template. To enable the system-assigned identity for your logic app resource in the template, add the identity object and the type child property to the logic app's resource definition in the template, for example:

  • Consumption
  • Standard
{
    "apiVersion": "2016-06-01",
    "type": "Microsoft.logic/workflows",
    "name": "[variables('logicappName')]",
    "location": "[resourceGroup().location]",
    "identity": {
        "type": "SystemAssigned"
    },
    "properties": {},
    <...>
}

When Azure creates your logic app resource definition, the identity object gets these other properties:

"identity": {
    "type": "SystemAssigned",
    "principalId": "<principal-ID>",
    "tenantId": "<Azure-AD-tenant-ID>"
}

Property (JSON) | Value | Description
principalId | <principal-ID> | The Globally Unique Identifier (GUID) of the service principal object for the managed identity that represents your logic app in the Microsoft Entra tenant. This GUID sometimes appears as an "object ID" or objectID.
tenantId | <Azure-AD-tenant-ID> | The Globally Unique Identifier (GUID) that represents the Microsoft Entra tenant where the logic app is now a member. Inside the Microsoft Entra tenant, the service principal has the same name as the logic app instance.

Create user-assigned identity in the Azure portal

Before you can enable the user-assigned identity on your Consumption logic app resource or Standard logic app resource, you must create that identity as a separate Azure resource.

  1. In the Azure portal search box, enter managed identities, and select Managed Identities.


  2. On the Managed Identities page, select Create.


  3. Provide information about your managed identity, and select Review + Create, for example:

    Property | Required | Value | Description
    Subscription | Yes | <Azure-subscription-name> | The Azure subscription name
    Resource group | Yes | <Azure-resource-group-name> | The Azure resource group name. Create a new group, or select an existing group. This example creates a new group named fabrikam-managed-identities-RG.
    Region | Yes | <Azure-region> | The Azure region where to store information about your resource. This example uses West US.
    Name | Yes | <user-assigned-identity-name> | The name to give your user-assigned identity. This example uses Fabrikam-user-assigned-identity.

    After Azure validates the information, Azure creates your managed identity. Now you can add the user-assigned identity to your logic app resource.

Add user-assigned identity to logic app in the Azure portal

  • Consumption
  • Standard
  1. In the Azure portal, open your logic app resource.

  2. On the logic app menu, under Settings, select Identity.

  3. On the Identity page, select User assigned > Add.


  4. On the Add user assigned managed identity pane, follow these steps:

    1. From the Subscription list, select your Azure subscription.

    2. From the list that has all the managed identities in your subscription, select the user-assigned identity that you want. To filter the list, in the User assigned managed identities search box, enter the name for the identity or resource group.


    3. When you're done, select Add.


      Note: If you get an error that you can have only a single managed identity, your logic app is already associated with the system-assigned identity. Before you can add the user-assigned identity, you have to first disable the system-assigned identity.

    Your logic app is now associated with the user-assigned managed identity.


  5. Now follow the steps that give that identity access to the resource later in this guide.

Create user-assigned identity in an ARM template

To automate creating and deploying logic app resources, you can use an ARM template. These templates support user-assigned identities for authentication.

In your template's resources section, your logic app's resource definition requires these items:

  • An identity object with the type property set to UserAssigned

  • A child userAssignedIdentities object that specifies the user-assigned resource and name

  • Consumption
  • Standard

This example shows a Consumption logic app resource and workflow definition for an HTTP PUT request with a non-parameterized identity object. The response to the PUT request and subsequent GET operation also includes this identity object:

{
    "$schema": "",
    "contentVersion": "",
    "parameters": {<template-parameters>},
    "resources": [
        {
            "apiVersion": "2016-06-01",
            "type": "Microsoft.logic/workflows",
            "name": "[variables('logicappName')]",
            "location": "[resourceGroup().location]",
            "identity": {
                "type": "UserAssigned",
                "userAssignedIdentities": {
                    "/subscriptions/<Azure-subscription-ID>/resourceGroups/<Azure-resource-group-name>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<user-assigned-identity-name>": {}
                }
            },
            "properties": {
                "definition": {<logic-app-workflow-definition>}
            },
            "parameters": {},
            "dependsOn": []
        }
    ],
    "outputs": {}
}

If your template also includes the managed identity's resource definition, you can parameterize the identity object. The following example shows how the child userAssignedIdentities object references a userAssignedIdentityName variable that you define in your template's variables section. This variable references the resource ID for your user-assigned identity.

{
    "$schema": "",
    "contentVersion": "",
    "parameters": {
        "Template_LogicAppName": {
            "type": "string"
        },
        "Template_UserAssignedIdentityName": {
            "type": "securestring"
        }
    },
    "variables": {
        "logicAppName": "[parameters('Template_LogicAppName')]",
        "userAssignedIdentityName": "[parameters('Template_UserAssignedIdentityName')]"
    },
    "resources": [
        {
            "apiVersion": "2016-06-01",
            "type": "Microsoft.logic/workflows",
            "name": "[variables('logicAppName')]",
            "location": "[resourceGroup().location]",
            "identity": {
                "type": "UserAssigned",
                "userAssignedIdentities": {
                    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('userAssignedIdentityName'))]": {}
                }
            },
            "properties": {
                "definition": {<logic-app-workflow-definition>}
            },
            "parameters": {},
            "dependsOn": [
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('userAssignedIdentityName'))]"
            ]
        },
        {
            "apiVersion": "2018-11-30",
            "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
            "name": "[parameters('Template_UserAssignedIdentityName')]",
            "location": "[resourceGroup().location]",
            "properties": {}
        }
    ]
}

Give identity access to resources

Before you can use your logic app's managed identity for authentication, you have to set up access for the identity on the Azure resource where you want to use the identity. The way you set up access varies based on the resource that you want the identity to access.


Note: When a managed identity has access to an Azure resource in the same subscription, the identity can access only that resource. However, in some triggers and actions that support managed identities, you have to first select the Azure resource group that contains the target resource. If the identity doesn't have access at the resource group level, no resources in that group are listed, despite having access to the target resource.

To handle this behavior, you must also give the identity access to the resource group, not just the resource. Likewise, if you have to select your subscription before you can select the target resource, you must give the identity access to the subscription.

In some cases, you might need the identity to get access to the associated resource. For example, suppose you have a managed identity for a logic app that needs access to update the application settings for that same logic app from a workflow. You must give that identity access to the associated logic app.

For example, to access an Azure Blob storage account with your managed identity, you have to set up access by using Azure role-based access control (Azure RBAC) and assign the appropriate role for that identity to the storage account. The steps in this section describe how to complete this task by using the Azure portal and Azure Resource Manager template (ARM template). For Azure PowerShell, Azure CLI, and Azure REST API, see the following documentation:

  • Azure PowerShell: Add role assignment
  • Azure CLI: Add role assignment
  • Azure REST API: Add role assignment

However, to access an Azure key vault with your managed identity, you have to create an access policy for that identity on your key vault and assign the appropriate permissions for that identity on that key vault. The later steps in this section describe how to complete this task by using the Azure portal. For Resource Manager templates, PowerShell, and Azure CLI, see the following documentation:

  • Azure Resource Manager template (ARM template): Key Vault access policy resource definition
  • Azure PowerShell: Assign a Key Vault access policy
  • Azure CLI: Assign a Key Vault access policy

Assign managed identity role-based access in the Azure portal

To use a managed identity for authentication, some Azure resources, such as Azure storage accounts, require that you assign that identity to a role that has the appropriate permissions on the target resource. Other Azure resources, such as Azure key vaults, require that you create an access policy that has the appropriate permissions on the target resource for that identity.

  1. In the Azure portal, open the resource where you want to use the identity.

  2. On the resource menu, select Access control (IAM) > Add > Add role assignment.


    Note: If the Add role assignment option is disabled, you don't have permissions to assign roles. For more information, see Microsoft Entra built-in roles.

  3. Now, assign the necessary role to your managed identity. On the Role tab, assign a role that gives your identity the required access to the current resource.

    For this example, assign the role that's named Storage Blob Data Contributor, which includes write access for blobs in an Azure Storage container. For more information about specific storage container roles, see Roles that can access blobs in an Azure Storage container.

  4. Next, choose the managed identity where you want to assign the role. Under Assign access to, select Managed identity > Add members.

  5. Based on your managed identity's type, select or provide the following values:

    Type | Azure service instance | Subscription | Member
    System-assigned | Logic App | <Azure-subscription-name> | <your-logic-app-name>
    User-assigned | Not applicable | <Azure-subscription-name> | <your-user-assigned-identity-name>

    For more information about assigning roles, see Assign roles using the Azure portal.

  6. After you finish, you can use the identity to authenticate access for triggers and actions that support managed identities.

For more general information about this task, see Assign a managed identity access to another resource using Azure RBAC.
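The ARM template equivalent of the portal role assignment above, added here as an example that is not part of the original article: it deploys a Consumption logic app with the system-assigned identity enabled and, in the same deployment, grants that identity the Storage Blob Data Contributor role scoped to one storage account. The parameter names, the empty workflow definition, and the assumption that the storage account already exists in the same resource group are choices made for this example. The role definition GUID is the built-in ID for Storage Blob Data Contributor; the role assignment name is derived with guid() so that redeploying the template is idempotent.

```json
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "logicAppName": { "type": "string" },
        "storageAccountName": { "type": "string" }
    },
    "variables": {
        "storageBlobDataContributorRoleId": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
        "logicAppResourceId": "[resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))]"
    },
    "resources": [
        {
            "apiVersion": "2016-06-01",
            "type": "Microsoft.Logic/workflows",
            "name": "[parameters('logicAppName')]",
            "location": "[resourceGroup().location]",
            "identity": {
                "type": "SystemAssigned"
            },
            "properties": {
                "definition": {
                    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
                    "contentVersion": "1.0.0.0",
                    "triggers": {},
                    "actions": {},
                    "outputs": {}
                }
            }
        },
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2022-04-01",
            "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]",
            "name": "[guid(resourceGroup().id, parameters('logicAppName'), variables('storageBlobDataContributorRoleId'))]",
            "properties": {
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('storageBlobDataContributorRoleId'))]",
                "principalId": "[reference(variables('logicAppResourceId'), '2016-06-01', 'full').identity.principalId]",
                "principalType": "ServicePrincipal"
            },
            "dependsOn": [
                "[variables('logicAppResourceId')]"
            ]
        }
    ]
}
```

Two details matter for this to deploy cleanly. The principalId is read from the logic app resource with reference(..., 'full') rather than passed in as a parameter, so the identity never has to be looked up by hand, and the dependsOn entry guarantees the identity exists before the assignment is attempted. Setting principalType to ServicePrincipal tells Azure RBAC not to reject the assignment if the new service principal hasn't replicated yet. Whoever runs the deployment needs permission to create role assignments on the storage account scope, which matches the administrator requirement stated in the prerequisites.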

Create access policy in the Azure portal

To use a managed identity for authentication, some Azure resources, such as Azure key vaults, require that you create an access policy that has the appropriate permissions on the target resource for that identity. Other Azure resources, such as Azure storage accounts, require that you assign that identity to a role that has the appropriate permissions on the target resource.

  1. In the Azure portal, open the target resource where you want to use the identity. This example uses an Azure key vault as the target resource.

  2. On the resource's menu, select Access policies > Create, which opens the Create an access policy pane.


    Note: If the resource doesn't have the Access policies option, assign a role to the identity instead.


  3. On the Permissions tab, select the required permissions that the identity needs to access the target resource.

    For example, to use the identity with the managed Azure Key Vault connector's List secrets operation, the identity needs List permissions. So, in the Secret permissions column, select List.


  4. When you're ready, select Next. On the Principal tab, find and select the managed identity, which is a user-assigned identity in this example.

  5. Skip the optional Application step, select Next, and finish creating the access policy.

The next section discusses using a managed identity to authenticate access for a trigger or action. The example continues with the steps from an earlier section where you set up access for a managed identity using RBAC and doesn't use Azure Key Vault as the example. However, the general steps to use a managed identity for authentication are the same.

Authenticate access with managed identity

After you enable the managed identity for your logic app resource and give that identity access to the target resource or entity, you can use that identity in triggers and actions that support managed identities.


Note: If you have an Azure function where you want to use the system-assigned identity, first enable authentication for Azure Functions.

These steps show how to use the managed identity with a trigger or action through the Azure portal. To specify the managed identity in a trigger or action's underlying JSON definition, see Managed identity authentication.

  • Consumption
  • Standard
  1. In the Azure portal, open your logic app resource.

  2. If you haven't done so yet, add the trigger or action that supports managed identities.


    Note: Not all connector operations support letting you add an authentication type. For more information, see Authentication types for triggers and actions that support authentication.

  3. On the trigger or action that you added, follow these steps:

    • Built-in connector operations that support managed identity authentication

      1. From the Add new parameter list, add the Authentication property if the property doesn't already appear.


      2. From the Authentication type list, select Managed identity.


      For more information, see Example: Authenticate built-in trigger or action with a managed identity.

    • Managed connector operations that support managed identity authentication

      1. On the tenant selection page, select Connect with managed identity, for example:


      2. On the next page, for Connection name, provide a name to use for the connection.

      3. For the authentication type, choose one of the following options based on your managed connector:

        • Single-authentication: These connectors support only one authentication type. From the Managed identity list, select the currently enabled managed identity, if not already selected, and then select Create, for example:


        • Multi-authentication: These connectors show multiple authentication types, but you still can select only one type. From the Authentication type list, select Logic Apps Managed Identity > Create, for example:


        For more information, see Example: Authenticate managed connector trigger or action with a managed identity.

Example: Authenticate built-in trigger or action with a managed identity

The built-in HTTP trigger or action can use the system-assigned identity that you enable on your logic app resource. In general, the HTTP trigger or action uses the following properties to specify the resource or entity that you want to access:

Property | Required | Description
Method | Yes | The HTTP method that's used by the operation that you want to run
URI | Yes | The endpoint URL for accessing the target Azure resource or entity. The URI syntax usually includes the resource ID for the Azure resource or service.
Headers | No | Any header values that you need or want to include in the outgoing request, such as the content type
Queries | No | Any query parameters that you need or want to include in the request. For example, query parameters for a specific operation or for the API version of the operation that you want to run.
Authentication | Yes | The authentication type to use for authenticating access to the target resource or entity

As a specific example, suppose that you want to run the Snapshot Blob operation on a blob in the Azure Storage account where you previously set up access for your identity. However, the Azure Blob Storage connector doesn't currently offer this operation. Instead, you can run this operation by using the HTTP action or another Blob Service REST API operation.


Note: To access Azure storage accounts behind firewalls by using the Azure Blob connector and managed identities, make sure that you also set up your storage account with the exception that allows access by trusted Microsoft services.

To run the Snapshot Blob operation, the HTTP action specifies these properties:

Property | Required | Example value | Description
Method | Yes | PUT | The HTTP method that the Snapshot Blob operation uses
URI | Yes | https://<storage-account-name>/<folder-name>/{name} | The resource ID for an Azure Blob Storage file in the Azure Global (public) environment, which uses this syntax
Headers | For Azure Storage | x-ms-blob-type = BlockBlob; x-ms-version = 2019-02-02; x-ms-date = @{formatDateTime(utcNow(),'r')} | The x-ms-blob-type, x-ms-version, and x-ms-date header values are required for Azure Storage operations.
Queries | Only for the Snapshot Blob operation | comp = snapshot | The query parameter name and value for the operation.

Important: In outgoing HTTP trigger and action requests for Azure Storage, the header requires the x-ms-version property and the API version for the operation that you want to run. The x-ms-date must be the current date. Otherwise, your workflow fails with a 403 FORBIDDEN error. To get the current date in the required format, you can use the expression in the example value.

For more information, see the following documentation:

- Request headers - Snapshot Blob
- Versioning for Azure Storage services

  • Consumption
  • Standard

The following example shows a sample HTTP action with all the previously described property values to use for the Snapshot Blob operation:


  1. After you add the HTTP action, add the Authentication property to the HTTP action. From the Add new parameter list, select Authentication.



    Note: Not all triggers and actions support letting you add an authentication type. For more information, see Authentication types for triggers and actions that support authentication.

  2. From the Authentication type list, select Managed identity.


  3. From the managed identity list, select from the available options based on your scenario.

    • If you set up the system-assigned identity, select System-assigned managed identity if not already selected.


    • If you set up a user-assigned identity, select that identity if not already selected.


    This example continues with the System-assigned managed identity.

  4. On some triggers and actions, the Audience property also appears for you to set the target resource ID. Set the Audience property to the resource ID for the target resource or service. Otherwise, by default, the Audience property uses the resource ID, which is the resource ID for Azure Resource Manager.

    For example, if you want to authenticate access to a Key Vault resource in the global Azure cloud, you must set the Audience property to exactly the following resource ID: This specific resource ID doesn't have any trailing slashes. In fact, including a trailing slash might produce either a 400 Bad Request error or a 401 Unauthorized error.


    Note: Make sure that the target resource ID exactly matches the value that Microsoft Entra ID expects, including any required trailing slashes. For example, the resource ID for all Azure Blob Storage accounts requires a trailing slash. However, the resource ID for a specific storage account doesn't require a trailing slash. Check the resource IDs for the Azure services that support Microsoft Entra ID.

    This example sets the Audience property to so that the access tokens used for authentication are valid for all storage accounts. However, you can also specify the root service URL, https://<your-storage-account>, for a specific storage account.


    For more information about authorizing access with Microsoft Entra ID for Azure Storage, see the following documentation:

    • Authorize access to Azure blobs and queues by using Microsoft Entra ID

    • Authorize access to Azure Storage with Microsoft Entra ID

  5. Continue building the workflow the way that you want.
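The same Snapshot Blob HTTP action expressed in the workflow's underlying JSON definition, added here as an example that is not part of the original article. The action names, the recurrence trigger, and the blob URL form https://<storage-account-name>.blob.core.windows.net/... are choices made for this example; the angle-bracket values are placeholders. The first action authenticates with the system-assigned identity; the second action shows the only difference for a user-assigned identity, which is the extra identity property carrying the identity's resource ID. The audience value https://storage.azure.com/ is the Microsoft Entra resource ID for Azure Storage and keeps its trailing slash, as the note above requires.

```json
{
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "triggers": {
        "Recurrence": {
            "type": "Recurrence",
            "recurrence": {
                "frequency": "Day",
                "interval": 1
            }
        }
    },
    "actions": {
        "Snapshot_Blob": {
            "type": "Http",
            "runAfter": {},
            "inputs": {
                "method": "PUT",
                "uri": "https://<storage-account-name>.blob.core.windows.net/<container-name>/<blob-name>",
                "headers": {
                    "x-ms-blob-type": "BlockBlob",
                    "x-ms-version": "2019-02-02",
                    "x-ms-date": "@{formatDateTime(utcNow(),'r')}"
                },
                "queries": {
                    "comp": "snapshot"
                },
                "authentication": {
                    "type": "ManagedServiceIdentity",
                    "audience": "https://storage.azure.com/"
                }
            }
        },
        "List_Blobs_With_User_Assigned_Identity": {
            "type": "Http",
            "runAfter": {
                "Snapshot_Blob": [
                    "Succeeded"
                ]
            },
            "inputs": {
                "method": "GET",
                "uri": "https://<storage-account-name>.blob.core.windows.net/<container-name>",
                "headers": {
                    "x-ms-version": "2019-02-02",
                    "x-ms-date": "@{formatDateTime(utcNow(),'r')}"
                },
                "queries": {
                    "restype": "container",
                    "comp": "list"
                },
                "authentication": {
                    "type": "ManagedServiceIdentity",
                    "identity": "/subscriptions/<Azure-subscription-ID>/resourceGroups/<resource-group-name>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<user-assigned-identity-name>",
                    "audience": "https://storage.azure.com/"
                }
            }
        }
    },
    "outputs": {}
}
```

No secret or token appears anywhere in this definition: the authentication object only names the identity type (and, for a user-assigned identity, which identity), and Azure Logic Apps obtains the Microsoft Entra token for that audience at run time. If the identity has not been granted a blob data role on the target account, the request is rejected by Azure Storage with a 403, which is the symptom to check first when a run fails after the token is issued.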

Example: Authenticate managed connector trigger or action with a managed identity

The Azure Resource Manager managed connector has an action named Read a resource, which can use the managed identity that you enable on your logic app resource. This example shows how to use the system-assigned managed identity.

  • Consumption
  • Standard
  1. After you add the action to your workflow and select your Microsoft Entra tenant, select Connect with managed identity.


  2. On the connection name page, provide a name for the connection, and select the managed identity that you want to use.

    The Azure Resource Manager action is a single-authentication action, so the connection information box shows a Managed identity list that automatically selects the managed identity that's currently enabled on the logic app resource. If you enabled a system-assigned managed identity, the Managed identity list selects System-assigned managed identity. If you had enabled a user-assigned managed identity instead, the list selects that identity instead.

    If you're using a multi-authentication trigger or action, such as Azure Blob Storage, the connection information box shows an Authentication type list that includes the Logic Apps Managed Identity option among other authentication types.

    In this example, System-assigned managed identity is the only selection available.



    Note: If the managed identity isn't enabled when you try to create or change the connection, or the identity was removed while a managed identity-enabled connection still exists, you get an error that says you must enable the identity and grant access to the target resource.

  3. When you're ready, select Create.

  4. After the designer successfully creates the connection, the designer can fetch any dynamic values, content, or schema by using managed identity authentication.

  5. Continue building the workflow the way that you want.

Logic app resource definition and connections that use a managed identity

A connection that enables and uses a managed identity is a special connection type that works only with a managed identity. At runtime, the connection uses the managed identity that's enabled on the logic app resource. At runtime, the Azure Logic Apps service checks whether any managed connector trigger or actions in the logic app workflow are set up to use the managed identity and whether all the required permissions are in place for the managed identity to access the target resources that the trigger and actions specify. If these checks succeed, Azure Logic Apps retrieves the Microsoft Entra token that's associated with the managed identity and uses that identity to authenticate access to the target resource and perform the configured operation in the trigger and actions.

  • Consumption
  • Standard

In a Consumption logic app resource, the connection configuration is saved in the logic app resource definition's parameters object, which contains the $connections object that includes pointers to the connection's resource ID along with the identity's resource ID, if the user-assigned identity is enabled.

This example shows what the configuration looks like when the logic app enables the system-assigned managed identity:

"parameters": {
    "$connections": {
        "value": {
            "<action-name>": {
                "connectionId": "/subscriptions/{Azure-subscription-ID}/resourceGroups/{resource-group-name}/providers/Microsoft.Web/connections/{connection-name}",
                "connectionName": "{connection-name}",
                "connectionProperties": {
                    "authentication": {
                        "type": "ManagedServiceIdentity"
                    }
                },
                "id": "/subscriptions/{Azure-subscription-ID}/providers/Microsoft.Web/locations/{Azure-region}/managedApis/{managed-connector-type}"
            }
        }
    }
}

This example shows what the configuration looks like when the logic app enables a user-assigned managed identity:

"parameters": {
  "$connections": {
    "value": {
      "<action-name>": {
        "connectionId": "/subscriptions/{Azure-subscription-ID}/resourceGroups/{resource-group-name}/providers/Microsoft.Web/connections/{connection-name}",
        "connectionName": "{connection-name}",
        "connectionProperties": {
          "authentication": {
            "type": "ManagedServiceIdentity",
            "identity": "/subscriptions/{Azure-subscription-ID}/resourceGroups/{resourceGroupName}/providers/microsoft.managedidentity/userassignedidentities/{managed-identity-name}"
          }
        },
        "id": "/subscriptions/{Azure-subscription-ID}/providers/Microsoft.Web/locations/{Azure-region}/managedApis/{managed-connector-type}"
      }
    }
  }
}

ARM template for API connections and managed identities

If you use an ARM template to automate deployment, and your workflow includes an API connection, which is created by a managed connector such as Office 365 Outlook, Azure Key Vault, and so on that uses a managed identity, you have an extra step to take.

In an ARM template, the underlying connector resource definition differs based on whether you have a Consumption or Standard logic app and whether the connector shows single-authentication or multi-authentication options.

  • Consumption
  • Standard

The following examples apply to Consumption logic app resources and show how the underlying connector resource definition differs between a single-authentication connector, such as Azure Automation, and a multi-authentication connector, such as Azure Blob Storage.


This example shows the underlying connection resource definition for an Azure Automation action in a Consumption logic app that uses a managed identity. The definition includes the following attributes:

  • The kind property is set to V1 for a Consumption logic app.
  • The parameterValueType property is set to Alternative.
{
  "type": "Microsoft.Web/connections",
  "apiVersion": "[providers('Microsoft.Web','connections').apiVersions[0]]",
  "name": "[variables('connections_azureautomation_name')]",
  "location": "[parameters('location')]",
  "kind": "V1",
  "properties": {
    "alternativeParameterValues": {},
    "api": {
      "id": "[subscriptionResourceId('Microsoft.Web/locations/managedApis', parameters('location'), 'azureautomation')]"
    },
    "authenticatedUser": {},
    "connectionState": "Enabled",
    "customParameterValues": {},
    "displayName": "[variables('connections_azureautomation_name')]",
    "parameterValueSet": {},
    "parameterValueType": "Alternative"
  }
},


This example shows the underlying connection resource definition for an Azure Blob Storage action in a Consumption logic app that uses a managed identity where the definition includes the following attributes:

  • The kind property is set to V1 for a Consumption logic app.
  • The parameterValueSet object includes a name property that's set to managedIdentityAuth and a values property that's set to an empty object.
{
  "type": "Microsoft.Web/connections",
  "apiVersion": "[providers('Microsoft.Web','connections').apiVersions[0]]",
  "name": "[variables('connections_azureblob_name')]",
  "location": "[parameters('location')]",
  "kind": "V1",
  "properties": {
    "alternativeParameterValues": {},
    "api": {
      "id": "[subscriptionResourceId('Microsoft.Web/locations/managedApis', parameters('location'), 'azureblob')]"
    },
    "authenticatedUser": {},
    "connectionState": "Enabled",
    "customParameterValues": {},
    "displayName": "[variables('connections_azureblob_name')]",
    "parameterValueSet": {
      "name": "managedIdentityAuth",
      "values": {}
    },
    "parameterValueType": "Alternative"
  }
}
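The two Consumption artifacts described above, the $connections parameter in the workflow definition and the Microsoft.Web/connections resources in an ARM template, are easy to get subtly wrong in automated deployments. The following script is an added example (not code from the Azure Logic Apps documentation or from Microsoft) that audits both: it reports which identity each connection authenticates with and flags connector resources that don't match the attributes listed above. The subscription, resource group, connection and identity names in the sample inputs are constructed placeholders.

```python
"""Audit managed-identity settings in a Consumption logic app deployment.

Added example, not from the Azure Logic Apps documentation. The sample
inputs at the bottom are constructed, with placeholder subscription and
resource names.
"""
import json
import re

# Expected shape of a user-assigned identity resource ID. Azure treats the
# provider path case-insensitively, so the check does too.
UAI_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$",
    re.IGNORECASE,
)


def classify_connections(parameters):
    """Map each $connections entry to 'system-assigned', 'user-assigned' or
    'not-managed-identity'. Raise ValueError for a malformed identity ID."""
    result = {}
    entries = parameters.get("$connections", {}).get("value", {})
    for name, conn in entries.items():
        auth = conn.get("connectionProperties", {}).get("authentication", {})
        if auth.get("type") != "ManagedServiceIdentity":
            result[name] = "not-managed-identity"
            continue
        identity = auth.get("identity")
        if identity is None:
            # No identity property: the runtime uses the system-assigned identity.
            result[name] = "system-assigned"
        elif UAI_ID_RE.match(identity):
            result[name] = "user-assigned"
        else:
            raise ValueError(f"{name}: malformed user-assigned identity ID {identity!r}")
    return result


def lint_arm_connection(resource):
    """Return the problems found in one Microsoft.Web/connections resource that
    is meant to use a managed identity in a Consumption logic app."""
    problems = []
    props = resource.get("properties", {})
    if resource.get("kind") != "V1":
        problems.append("kind must be 'V1' for a Consumption logic app")
    if props.get("parameterValueType") != "Alternative":
        problems.append("parameterValueType must be 'Alternative'")
    pvs = props.get("parameterValueSet", {})
    # Multi-authentication connectors (for example azureblob) name the auth
    # option in parameterValueSet; single-authentication connectors leave it empty.
    if pvs and pvs.get("name") != "managedIdentityAuth":
        problems.append("parameterValueSet.name must be 'managedIdentityAuth'")
    if pvs and pvs.get("values") != {}:
        problems.append("parameterValueSet.values must be an empty object")
    return problems


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder

# Constructed sample: one system-assigned and one user-assigned connection.
SAMPLE_PARAMETERS = {
    "$connections": {
        "value": {
            "Create_job": {
                "connectionId": SUB + "/resourceGroups/rg-demo/providers/Microsoft.Web/connections/azureautomation",
                "connectionProperties": {"authentication": {"type": "ManagedServiceIdentity"}},
            },
            "Get_blob": {
                "connectionId": SUB + "/resourceGroups/rg-demo/providers/Microsoft.Web/connections/azureblob",
                "connectionProperties": {"authentication": {
                    "type": "ManagedServiceIdentity",
                    "identity": SUB + "/resourceGroups/rg-demo/providers/microsoft.managedidentity/userassignedidentities/uai-demo",
                }},
            },
        }
    }
}

# Constructed sample: a correct blob connection and one with two mistakes.
SAMPLE_ARM_RESOURCES = [
    {
        "type": "Microsoft.Web/connections",
        "name": "azureblob-ok",
        "kind": "V1",
        "properties": {
            "parameterValueSet": {"name": "managedIdentityAuth", "values": {}},
            "parameterValueType": "Alternative",
        },
    },
    {
        "type": "Microsoft.Web/connections",
        "name": "azureblob-bad",
        "kind": "V2",  # wrong kind for a Consumption template
        "properties": {
            "parameterValueSet": {"name": "managedIdentityAuth", "values": {}},
        },  # parameterValueType is missing
    },
]

if __name__ == "__main__":
    print(json.dumps(classify_connections(SAMPLE_PARAMETERS), indent=2))
    for res in SAMPLE_ARM_RESOURCES:
        print(res["name"], lint_arm_connection(res) or "OK")
```

Run it against the exported workflow definition and template before deployment; a connection that shows up as "system-assigned" when you expected a user-assigned identity is usually a missing identity property rather than a runtime bug.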

Set up advanced control over API connection authentication

When your workflow uses an API connection, which is created by a managed connector such as Office 365 Outlook, Azure Key Vault, and so on, the Azure Logic Apps service communicates with the target resource, such as your email account, key vault, and so on, using two connections:


  • Connection #1 is set up with authentication for the internal token store.

  • Connection #2 is set up with authentication for the target resource.

In a Consumption logic app resource, connection #1 is abstracted from you without any configuration options. In the Standard logic app resource type, you have more control over your logic app. By default, connection #1 is automatically set up to use the system-assigned identity.

However, if your scenario requires finer control over authenticating API connections, you can optionally change the authentication for connection #1 from the default system-assigned identity to any user-assigned identity that you've added to your logic app. This authentication applies to each API connection, so you can mix system-assigned and user-assigned identities across different connections to the same target resource.

In your Standard logic app connections.json file, which stores information about each API connection, each connection definition has two authentication sections, for example:

"keyvault": {
  "api": {
    "id": "/subscriptions/{Azure-subscription-ID}/providers/Microsoft.Web/locations/{region}/managedApis/keyvault"
  },
  "authentication": {
    "type": "ManagedServiceIdentity"
  },
  "connection": {
    "id": "/subscriptions/{Azure-subscription-ID}/resourceGroups/{resource-group-name}/providers/Microsoft.Web/connections/<connection-name>"
  },
  "connectionProperties": {
    "authentication": {
      "audience": "",
      "type": "ManagedServiceIdentity"
    }
  },
  "connectionRuntimeUrl": "<connection-runtime-URL>"
}
  • The first authentication section maps to connection #1. This section describes the authentication used for communicating with the internal token store. In the past, this section was always set to ManagedServiceIdentity for an app that deploys to Azure and had no configurable options.

  • The second authentication section maps to connection #2. This section describes the authentication used for communicating with the target resource, which can vary based on the authentication type that you select for that connection.

Why change the authentication for the token store?

In some scenarios, you might want to share and use the same API connection across multiple logic apps, but not add the system-assigned identity for each logic app to the target resource's access policy.

In other scenarios, you might not want to have the system-assigned identity set up on your logic app entirely, so you can change the authentication to a user-assigned identity and disable the system-assigned identity completely.

Change the authentication for the token store

  1. In the Azure portal, open your Standard logic app resource.

  2. On the resource menu, under Workflows, select Connections.

  3. On the Connections pane, select JSON View.


  4. In the JSON editor, find the managedApiConnections section, which contains the API connections across all workflows in your logic app resource.

  5. Find the connection where you want to add a user-assigned managed identity. For example, suppose your workflow has an Azure Key Vault connection:

    "keyvault": {
      "api": {
        "id": "/subscriptions/{Azure-subscription-ID}/providers/Microsoft.Web/locations/{region}/managedApis/keyvault"
      },
      "authentication": {
        "type": "ManagedServiceIdentity"
      },
      "connection": {
        "id": "/subscriptions/{Azure-subscription-ID}/resourceGroups/{resource-group-name}/providers/Microsoft.Web/connections/<connection-name>"
      },
      "connectionProperties": {
        "authentication": {
          "audience": "",
          "type": "ManagedServiceIdentity"
        }
      },
      "connectionRuntimeUrl": "<connection-runtime-URL>"
    }
  6. In the connection definition, complete the following steps:

    1. Find the first authentication section. If no identity property already exists in this authentication section, the logic app implicitly uses the system-assigned identity.

    2. Add an identity property by using the example in this step.

    3. Set the property value to the resource ID for the user-assigned identity.

    "keyvault": {
      "api": {
        "id": "/subscriptions/{Azure-subscription-ID}/providers/Microsoft.Web/locations/{region}/managedApis/keyvault"
      },
      "authentication": {
        "type": "ManagedServiceIdentity",
        // Add the "identity" property here
        "identity": "/subscriptions/{Azure-subscription-ID}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{managed-identity-name}"
      },
      "connection": {
        "id": "/subscriptions/{Azure-subscription-ID}/resourceGroups/{resource-group-name}/providers/Microsoft.Web/connections/<connection-name>"
      },
      "connectionProperties": {
        "authentication": {
          "audience": "",
          "type": "ManagedServiceIdentity"
        }
      },
      "connectionRuntimeUrl": "<connection-runtime-URL>"
    }
  7. In the Azure portal, go to the target resource, and give access to the user-assigned managed identity, based on the target resource's needs.

    For example, for Azure Key Vault, add the identity to the key vault's access policies. For Azure Blob Storage, assign the necessary role for the identity to the storage account.
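The edit in steps 5 and 6 is small but easy to misplace: the identity property belongs in the first authentication section (connection #1, the token store), not in connectionProperties (connection #2). The following script is an added example, not Microsoft's tooling, that applies that edit to the managedApiConnections section of a Standard logic app's connections.json and reports which identity connection #1 currently uses. The sample document, subscription, resource group and identity names are constructed placeholders.

```python
"""Switch connection #1 (token-store authentication) of a Standard logic app's
API connection to a user-assigned identity.

Added example, not from the Azure Logic Apps documentation. The sample
document and identity ID below are constructed placeholders.
"""
import copy
import json
import re

# Expected shape of a user-assigned identity resource ID (case-insensitive path).
UAI_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$",
    re.IGNORECASE,
)


def token_store_identity(connections, connection_name):
    """Report which identity connection #1 uses for the named API connection:
    the user-assigned resource ID, or 'system-assigned' when no identity
    property is present (the implicit default)."""
    auth = connections["managedApiConnections"][connection_name].get("authentication", {})
    return auth.get("identity", "system-assigned")


def set_token_store_identity(connections, connection_name, identity_id):
    """Return a copy of the connections.json document in which the named API
    connection's first authentication section uses identity_id.

    The connectionProperties block (connection #2) is left untouched.
    Raises ValueError for a malformed identity ID or a connection whose
    connection #1 does not use ManagedServiceIdentity, and KeyError for an
    unknown connection name."""
    if not UAI_ID_RE.match(identity_id):
        raise ValueError(f"not a user-assigned identity resource ID: {identity_id!r}")
    doc = copy.deepcopy(connections)  # never mutate the caller's document
    try:
        conn = doc["managedApiConnections"][connection_name]
    except KeyError:
        raise KeyError(f"no managed API connection named {connection_name!r}") from None
    auth = conn.setdefault("authentication", {})
    if auth.get("type") != "ManagedServiceIdentity":
        raise ValueError(f"{connection_name}: connection #1 does not use ManagedServiceIdentity")
    auth["identity"] = identity_id  # replaces any identity already present
    return doc


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder

# Constructed sample matching the shape shown in the steps above.
SAMPLE_CONNECTIONS = {
    "managedApiConnections": {
        "keyvault": {
            "api": {"id": SUB + "/providers/Microsoft.Web/locations/westus/managedApis/keyvault"},
            "authentication": {"type": "ManagedServiceIdentity"},
            "connection": {"id": SUB + "/resourceGroups/rg-demo/providers/Microsoft.Web/connections/keyvault-1"},
            "connectionProperties": {"authentication": {"audience": "", "type": "ManagedServiceIdentity"}},
            "connectionRuntimeUrl": "https://example.invalid/keyvault-1",
        }
    }
}
SAMPLE_IDENTITY = SUB + "/resourcegroups/rg-demo/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uai-demo"

if __name__ == "__main__":
    updated = set_token_store_identity(SAMPLE_CONNECTIONS, "keyvault", SAMPLE_IDENTITY)
    print(json.dumps(updated, indent=2))
```

After rewriting the file, step 7 still applies: the user-assigned identity needs its own access on the target resource, because the connection no longer presents the system-assigned identity.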

Disable managed identity

To stop using the managed identity for authentication, first remove the identity's access to the target resource. Next, on your logic app resource, turn off the system-assigned identity or remove the user-assigned identity.

When you disable the managed identity on your logic app resource, you remove the capability for that identity to request access for Azure resources where the identity had access.


If you disable the system-assigned identity, all connections that workflows in that logic app use stop working at runtime, even if you immediately re-enable the identity. Disabling the identity deletes its object ID, and each time you enable the identity, Azure generates it with a different, unique object ID. To recover, recreate the connections so that they use the current object ID for the current system-assigned identity.

Avoid disabling the system-assigned identity wherever possible. To revoke the identity's access to Azure resources, remove its role assignment from the target resource instead. If you delete your logic app resource, Azure automatically removes the managed identity from Microsoft Entra ID.

The steps in this section cover using the Azure portal and Azure Resource Manager template (ARM template). For Azure PowerShell, Azure CLI, and Azure REST API, see the following documentation:

  • Azure PowerShell: 1. Remove role assignment. 2. Delete user-assigned identity.
  • Azure CLI: 1. Remove role assignment. 2. Delete user-assigned identity.
  • Azure REST API: 1. Remove role assignment. 2. Delete user-assigned identity.

Disable managed identity in the Azure portal

To remove access for the managed identity, remove the identity's role assignment from the target resource, and then disable the managed identity.

Remove role assignment

The following steps remove access to the target resource from the managed identity:

  1. In the Azure portal, go to the target Azure resource where you want to remove access for the managed identity.

  2. From the target resource's menu, select Access control (IAM). Under the toolbar, select Role assignments.

  3. In the roles list, select the managed identities that you want to remove. On the toolbar, select Remove.


    If the Remove option is disabled, you most likely don't have permissions. For more information about the permissions that let you manage roles for resources, see Administrator role permissions in Microsoft Entra ID.

Disable managed identity on logic app resource

  1. In the Azure portal, open your logic app resource.

  2. On the logic app navigation menu, under Settings, select Identity, and then follow the steps for your identity:

    • Select System assigned > Off > Save. When Azure prompts you to confirm, select Yes.

    • Select User assigned and the managed identity, and then select Remove. When Azure prompts you to confirm, select Yes.

Disable managed identity in an ARM template

If you created the logic app's managed identity by using an ARM template, set the identity object's type child property to None.

"identity": { "type": "None"}

Next steps

  • Secure access and data in Azure Logic Apps


