Getting started with Logic Apps: Part 4 - Secure MS Graph queries with a system-assigned managed identity
In this post we will see how to secure your Graph API calls by using an system managed identity.
Welcome in the part 4 of my blog series about Logic Apps.
In the first part we have seen how to create your first Logic App.
Then we have seen how query MS Graph through an Azure app registration.
In the third part we have seen how to secure authentication by adding app registration info into a Key vault.
Now let's see how to add a better security to the Graph calls to our Logic apps by using a system-assigned managed identity.
Next post will be about user-assigned.
Managed identity
A bit of context
To automate things with Intune, Azure or also on-prem AD you need to authenticate.
As we don't want to set password in plain text in a script or solution we need another way to authenticate.
This is where the managed identity is essential.
But what is it in real life ?
What is it ?
A managed identity is an identity, account in Entra ID.
When you configure a resource to use a managed identity it will create an Azure Enterprise Application.
Your resource (Logic app, Azure Automation) will then authenticate through the managed identity without dealing with credentials.
To enabled a managed identity on a resource, you need to go the Identity part.
You will find there two kinds of managed identity.
Enabling a managed identity to a resource does not allow it to do actions on your tenant, Intune, Azure...
Indeed for this, you need to set permissions on the managed identity.
For instance, to list Intune devices, you need to set at least DeviceManagementManagedDevices.Read.All permission.
System-assigned
When you configure a system-assigned managed identity to a resource, it creates a new Azure enterprise application.
If you create multiple Logic Apps, for instance, it will create a specific enterprise application for each of them.
A system-assigned managed identity is associated to only one resource.
It also means you need to manage permissions for all of them.
If you have for instance a logic app to manage Intune devices, you need to set permissions for device on the managed identity.
If you have another logic app used to manage applications, you need to set permissions for applications on the managed identity.
When you remove a Logic app, the associated managed identity is removed too.
User-assigned
A user-assigned managed identity is an Azure identity that can be associated to multiple resources (Logic App, Azure Automation).
Whereas you can create an system-assigned managed identity by enabling a field on the resource (logic app), with user-assigned, you need to create the managed identity first.
In this post we will configure the logic app to use a system-assigned managed identity.
In my next post we will focus on the user-assigned.
Create the Logic App
1. Go to Logic Apps
2. Click on Add
3. Choose a subscription
4. Choose a resource group
5. Type a name
6. Choose a Region
7. Select Consumption
8. Click on Review + Create
Configure the managed identity
1. Go to Logic Apps
2. Go to Identity
3. Go to the System assigned tab
4. Go to Status
5. Select On
6. Click on Yes
Here we configured the logic app to use system-assigned managed identity.
If you go to Enterprise application, you will find an app with the same name than our Logic app.
The app has been created but if we run some Graph API calls with the logic app, it will fail.
That's because we need to add some permissions to the managed identity application.
Set permission
As mentioned above we need to add some permissions to the managed identity application.
It can not be done through the Azure portal but only through PowerShell.
You can find here below a PowerShell that can be used to do this:
You need to configure below variables:
In my case I want to add permission to list Intune devices.
See below the script to use:
We will then proceed as below:
1. Run the script with an account with global admin right
2. Go to the enterprise application
3. Go to Permissions
4. You will find permissions added
Logic App step by step
Step 1 - Schedule the app
The Recurrence step in Logic App allows you to schedule the execution of the Logic App.
1. Go to Logic App Designer
2. Click on recurrence
3. Choose your schedule
Step 2 - Query Graph using managed identity
Here we will query MS Graph through the managed identity.
For this, we need to add a new step to do a HTTP request.
In this example we will query devices from Intune with Graph. The appropriate Graph resource to use is: /deviceManagement/managedDevices
We will then proceed as below:
1. Click on New step
2. Choose HTTP
3. In Method select GET
4. In URI type the MS Graph resource URL
5. In our case it's https://graph.microsoft.com/beta/deviceManagement/managedDevices
6. Clic on Add new parameter
7. Check Authentication
8. Select Managed identity
9. Select System assigned managed identity
10. In Audience, type https://graph.microsoft.com
11. Save the app
12. Click on Run trigger > Run
Enregistrer un commentaire