Getting started with Logic Apps: Part 3 - Secure MS Graph queries with a Key Vault
In this post we will see how to secure your Graph API connection by using Azure Key Vault and an Azure app registration.
Welcome to part 3 of my blog series about Logic Apps.
In the first part we saw how to create your first Logic App.
Then we saw how to query MS Graph through an Azure app registration.
We configured the authentication info directly in the Logic App:
- Tenant id
- Client id
- Secret
Now let's move all that information into a Key Vault and read it from there.
The idea is to create a Key Vault, store the tenant id, app id and app secret as Key Vault secrets, then add a Key Vault step to the flow and sign in with an account that has access to the vault.
Then in the next post we will use a managed identity.
Requirements
Azure App registration
We need to create or use an Azure application.
It will be used to authenticate and execute the MS Graph query.
We will add a secret to this app.
All the info from the app registration (tenant id, client id, secret) will be stored in the Key Vault.
To do so, proceed as below:
1. Go to the Azure portal
2. Go to App registration
3. Click on New registration
4. Type a name
5. Leave the other settings at their defaults
6. Click on Register
7. Once created, go to Overview
8. Copy Application (client) ID
9. Go to Certificates & secrets
10. Go to Client secrets
11. Click on New client secret
12. Type a name
13. Choose an expiry period
14. Click on Add
15. Once created, copy the secret value (it is only displayed once)
Azure Key Vault
Now we need to create a Key Vault to store the values below:
- Tenant id
- Client id
- Secret
The first step is to create the Key Vault. For that, proceed as below:
1. Go to Azure Key Vault
2. Click on Create
3. Choose subscription, resource group (or create new one)
4. Type a Key Vault name
5. Choose region and pricing tier
6. Click on Review+Create
7. Click on Create
We will then proceed as below to store values in the Key Vault:
1. Go to Azure Key Vault
2. Go to Secrets
3. Click on Generate/Import
4. In Name type TenantID
5. In Secret value type your tenant id
6. Click on Create
7. Click on Generate/Import
8. In Name type ClientID
9. In Secret value type the client id
10. Click on Create
11. Click on Generate/Import
12. In Name type AppSecret
13. In Secret value type your secret
14. Click on Create
If the Key Vault step in the Logic App will sign in with a different account than the one that created the vault, grant that account access as below:
1. Go to your Key vault
2. Go to Access policies
3. Click on Create
4. Go to the Secret permissions part
5. Check Select all (or select only the secret permissions the flow needs)
6. Click on Next
7. Type the account that will sign in on the Key Vault step
8. Click on Next
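The same vault, the three secrets and a least-privilege access policy can be deployed as an ARM template instead of clicking through the portal. The template below is an added example and is not part of the original post; it assumes the deploying account has the tenant id available from the subscription, that the sign-in account's object id and the client id are passed as parameters, and that the app secret is passed as a securestring at deployment time so it is never written into the template file. The `//` comments are accepted by Azure Resource Manager when the template is deployed with Azure CLI or PowerShell.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaultName": { "type": "string" },
    "signInAccountObjectId": {
      "type": "string",
      "metadata": { "description": "Object id of the account that signs in on the Key Vault step (assumed parameter)" }
    },
    "clientId": { "type": "string" },
    "appSecret": {
      "type": "securestring",
      "metadata": { "description": "Client secret from the app registration, supplied at deployment time only" }
    }
  },
  "variables": {
    // Tenant id is taken from the subscription the template is deployed into
    "tenantId": "[subscription().tenantId]",
    "vaultId": "[resourceId('Microsoft.KeyVault/vaults', parameters('vaultName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2022-07-01",
      "name": "[parameters('vaultName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "tenantId": "[variables('tenantId')]",
        "sku": { "family": "A", "name": "standard" },
        "accessPolicies": [
          {
            // Least privilege instead of "Select all": Get reads a secret value,
            // List lets the designer fill the Name dropdown. No set/delete/purge,
            // so the sign-in account cannot alter or remove the stored credentials.
            "tenantId": "[variables('tenantId')]",
            "objectId": "[parameters('signInAccountObjectId')]",
            "permissions": { "secrets": [ "get", "list" ] }
          }
        ]
      }
    },
    {
      // Secret names match the ones the Logic App steps look up
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2022-07-01",
      "name": "[format('{0}/TenantID', parameters('vaultName'))]",
      "dependsOn": [ "[variables('vaultId')]" ],
      "properties": { "value": "[variables('tenantId')]" }
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2022-07-01",
      "name": "[format('{0}/ClientID', parameters('vaultName'))]",
      "dependsOn": [ "[variables('vaultId')]" ],
      "properties": { "value": "[parameters('clientId')]" }
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2022-07-01",
      "name": "[format('{0}/AppSecret', parameters('vaultName'))]",
      "dependsOn": [ "[variables('vaultId')]" ],
      "properties": { "value": "[parameters('appSecret')]" }
    }
  ]
}
```

Deploy it with `New-AzResourceGroupDeployment` or `az deployment group create`, passing `appSecret` interactively or from a pipeline secret rather than a parameters file committed to source control. The policy grants only `get` and `list` on secrets, which is all the Get secret action needs; the "Select all" shortcut would also hand the sign-in account the right to overwrite or purge the credentials.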
Logic App step by step
The first step is to create the Logic App. For that, see my post here.
Step 1 - Recurrence
The Recurrence step in Logic App allows you to schedule the execution of the Logic App.
1. Go to Logic App Designer
2. Click on recurrence
3. Choose your schedule
Step 2 - Get tenant id from Key Vault
1. Click on New step
2. Choose Get secret
(this action is part of the Azure Key Vault connector)
3. Rename the step Get TenantID
4. In Connection name, type a name
5. In Authentication type, choose Default Azure AD
6. In Tenant ID, type your tenant id
7. In Key vault name, type your key vault name
8. Click on Sign in
9. Sign in with an account
10. In Name, choose TenantID
Step 3 - Get client id from Key Vault
1. Click on New step
2. Choose Get secret
(this action is part of the Azure Key Vault connector)
3. Rename the step Get Client ID
4. In Name, choose ClientID
Step 4 - Get secret from Key Vault
1. Click on New step
2. Choose Get secret
(this action is part of the Azure Key Vault connector)
3. In Name, choose AppSecret
Step 5 - Query Graph using Key Vault
Here we will query MS Graph through our Azure app and our Key Vault.
For this, we need to add a new step that makes an HTTP request. This step is called HTTP.
In this example we will query devices from Intune with Graph. The appropriate Graph resource to use is: /deviceManagement/managedDevices
We will then proceed as below:
1. Click on New step
2. Choose HTTP
3. In Method select GET
4. In URI type the MS Graph resource URL
5. In our case it's https://graph.microsoft.com/beta/deviceManagement/managedDevices
6. Click on Add new parameter
7. Check Authentication
8. Select Active Directory OAuth
9. Go to Tenant > Dynamic content
10. Choose value from Get TenantID step
11. In Audience, type https://graph.microsoft.com
12. Go to Client ID and Dynamic content
13. Choose value from the Get Client ID step
14. In Credential choose Secret
15. Go to Secret and Dynamic content
16. Choose value from the Get secret step
17. Save the app
18. Click on Run trigger > Run
Tadaaa, now you have executed a Graph query using an Azure app and Key Vault.
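Everything configured in steps 1 to 5 through the designer ends up in the Logic App's workflow definition (Logic app code view). The definition below is an added example written for this post, not code from the original article; it assumes the Key Vault API connection is named `keyvault` and uses `<sub-id>`, `<rg>` and `<region>` as placeholders for your subscription, resource group and region. It also adds something the designer steps above do not: `secureData` on the Key Vault actions and on the HTTP action, so the tenant id, client id and especially the secret are masked in the run history instead of being readable by anyone who can open a run.

```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "parameters": { "$connections": { "defaultValue": {}, "type": "Object" } },
    "triggers": {
      "Recurrence": {
        "type": "Recurrence",
        "recurrence": { "frequency": "Day", "interval": 1 }
      }
    },
    "actions": {
      "Get_TenantID": {
        "type": "ApiConnection",
        "runAfter": {},
        "runtimeConfiguration": { "secureData": { "properties": [ "inputs", "outputs" ] } },
        "inputs": {
          "host": { "connection": { "name": "@parameters('$connections')['keyvault']['connectionId']" } },
          "method": "get",
          "path": "/secrets/@{encodeURIComponent('TenantID')}/value"
        }
      },
      "Get_Client_ID": {
        "type": "ApiConnection",
        "runAfter": { "Get_TenantID": [ "Succeeded" ] },
        "runtimeConfiguration": { "secureData": { "properties": [ "inputs", "outputs" ] } },
        "inputs": {
          "host": { "connection": { "name": "@parameters('$connections')['keyvault']['connectionId']" } },
          "method": "get",
          "path": "/secrets/@{encodeURIComponent('ClientID')}/value"
        }
      },
      "Get_secret": {
        "type": "ApiConnection",
        "runAfter": { "Get_Client_ID": [ "Succeeded" ] },
        "runtimeConfiguration": { "secureData": { "properties": [ "inputs", "outputs" ] } },
        "inputs": {
          "host": { "connection": { "name": "@parameters('$connections')['keyvault']['connectionId']" } },
          "method": "get",
          "path": "/secrets/@{encodeURIComponent('AppSecret')}/value"
        }
      },
      "HTTP": {
        "type": "Http",
        "runAfter": { "Get_secret": [ "Succeeded" ] },
        "runtimeConfiguration": { "secureData": { "properties": [ "inputs" ] } },
        "inputs": {
          "method": "GET",
          "uri": "https://graph.microsoft.com/beta/deviceManagement/managedDevices",
          "authentication": {
            "type": "ActiveDirectoryOAuth",
            "tenant": "@body('Get_TenantID')?['value']",
            "audience": "https://graph.microsoft.com",
            "clientId": "@body('Get_Client_ID')?['value']",
            "secret": "@body('Get_secret')?['value']"
          }
        }
      }
    },
    "outputs": {}
  },
  "parameters": {
    "$connections": {
      "value": {
        "keyvault": {
          "connectionId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Web/connections/keyvault",
          "connectionName": "keyvault",
          "id": "/subscriptions/<sub-id>/providers/Microsoft.Web/locations/<region>/managedApis/keyvault"
        }
      }
    }
  }
}
```

The dynamic content picked in the designer is what the `@body('Get_TenantID')?['value']` expressions resolve to: each Get secret action returns the secret in the `value` field of its body, and renaming a step to "Get TenantID" makes its definition name `Get_TenantID`. The `secureData` entries correspond to the "Secure Inputs" and "Secure Outputs" options in each action's settings menu; without them the run history shows the client secret in clear text to anyone with read access to the Logic App.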
In the next post we will see how to use a system-assigned managed identity.