
Getting started with Logic Apps: Part 3 - Secure MS Graph queries with a Key Vault



In this post we will see how to secure your Graph API connection by using Azure Key Vault and an Azure app registration.


Welcome to part 3 of my blog series about Logic Apps.

In the first part we saw how to create your first Logic App.

Then we saw how to query MS Graph through an Azure app registration.

We configured the authentication info directly in the Logic App:

- Tenant id

- Client id

- Secret


Now let's store all of this info in a Key Vault and read it directly from the Key Vault.

The idea here is to create a Key Vault and add the tenant id, app id and app secret as Key Vault secrets. We will then create a Key Vault step in the flow and sign in with an account that has access to it.

Then in the next post we will use a managed identity.


Requirements

Azure App registration

We need to create or use an Azure application.

This one will be used to authenticate and execute MS Graph queries.

In this app we will add a secret.

All info from the app registration (tenant id, client id, secret) will be stored in the Key Vault.

For that we will proceed as below:

1. Go to the Azure portal

2. Go to App registration

3. Click on New registration

4. Type a name

5. Leave the default values

6. Click on Register

7. Once created, go to Overview

8. Copy Application (client) ID

9. Go to Certificates & secrets

10. Go to Client secrets

11. Click on New client secret

12. Type a name

13. Choose an expiration period

14. Click on Add

15. Once created, copy the secret


Azure Key Vault

Now we need to create a Key Vault to store the values below:

- Tenant id

- Client id

- Secret


First step is to create the Key Vault. For that proceed as below:

1. Go to Azure Key Vault

2. Click on Create

3. Choose subscription, resource group (or create new one)

4. Type a Key Vault name

5. Choose region and pricing tier

6. Click on Review+Create

7. Click on Create


We will then proceed as below to store values in the Key Vault:

1. Go to Azure Key Vault

2. Go to Secrets

3. Click on Generate/Import


4. In Name type TenantID

5. In Secret value type your tenant id

6. Click on Create

7. Click on Generate/Import

8. In Name type ClientID

9. In Secret value type the client id

10. Click on Create

11. Click on Generate/Import

12. In Name type AppSecret

13. In Secret value type your secret

14. Click on Create


If the account used to sign in on the Key Vault step in the Logic App is not the one that created the Key Vault, give it access as below:

1. Go to your Key vault

2. Go to Access policies


3. Click on Create

4. Go to the Secret permissions part

5. Check Select all (or choose only the permissions needed)

6. Click on Next

7. Type the account

8. Click on Next


Logic App step by step

The first step is to create the Logic App. For that, see my post here.


Step 1 - Recurrence

The Recurrence step in Logic App allows you to schedule the execution of the Logic App.

1. Go to Logic App Designer

2. Click on recurrence

3. Choose your schedule


Step 2 - Get tenant id from Key Vault

1. Click on New step

2. Choose Get secret

It's a component of Azure Key Vault


3. Rename the step Get TenantID

4. In Connection name, type a name

5. In Authentication type, choose Default Azure AD

6. In Tenant ID, type your tenant id

7. In Key vault name, type your key vault name


8. Click on Sign in

9. Sign in with an account

10. In Name, choose TenantID



Step 3 - Get client id from Key Vault

1. Click on New step

2. Choose Get secret

It's a component of Azure Key Vault

3. Rename the step Get Client ID

4. In Name, choose ClientID



Step 4 - Get secret from Key Vault

1. Click on New step

2. Choose Get secret

It's a component of Azure Key Vault

3. In Name, choose AppSecret



Step 5 - Query Graph using Key Vault

Here we will query MS Graph through our Azure app and our Key Vault.

For this, we need to add a new step that performs an HTTP request. This step is called HTTP.

In this example we will query devices from Intune with Graph. The appropriate Graph resource to use is: /deviceManagement/managedDevices


We will then proceed as below:

1. Click on New step

2. Choose HTTP


3. In Method select GET

4. In URI type the MS Graph resource URL

5. In our case it's https://graph.microsoft.com/beta/deviceManagement/managedDevices



6. Click on Add new parameter



7. Check Authentication


8. Select Active Directory OAuth


9. Go to Tenant Dynamic content


10. Choose value from Get TenantID step


11. In Audience, type https://graph.microsoft.com


12. Go to Client ID and Dynamic content

13. Choose value from Get ClientID

14. In Credential choose Secret

15. Go to Secret and Dynamic content

16. Choose value from Get secret step


17. Save the app

18. Click on Run trigger > Run


Tadaaa, now you have executed a Graph query using an Azure app and Key Vault.

In the next post we will see how to use a system-assigned managed identity.
