Friday, January 17, 2020

Using Managed Identity in Logic Apps for Calling Active Directory Secured Function App

Introduction

In last posts we explored as to how AD authentication works -Understanding Azure Active Directory Authentication and Authorization using Oauth

But there was couple of challenges - creation and management of the AD app, it's credentials and credentials getting exposed/becoming part of the code. 

So we explored a better approach to call AD secured service using Managed Identity - Understanding Managed Identity and using it to Call Secured function App

In this post we will see how to use Managed Identity in Logic Apps for Calling Active Directory Secured Function App.


How to do it


1. Create Target Function app

Here we are going to call the same function app created in following post - Securing Function App with Azure Active Directory authentication

for that we would grab its url and AudienceID (client ID of AD app created to secure function App)
AD App client ID



2. Create Logic App and Enable Identity on it


Create Logic App instance and click on Identity and then switch on the Status. That's it, an identity for your logic app is created - behind the scene, an AD app gets created in AD with the same name as that of the logic app .

So whenever this logic app has to call any AD secured Azure service, the above created Identity would be leveraged.

Enable Identity on Logic Apps

3. Design Logic App

Create a simple http triggered logic app which will get triggered upon receiving http request and then calls the secured function app and sends back response . In response it will add whatever received from secured function app.

logic app to call secured function app

In second step note that we are using HTTP action rather than using Azure Functions action and it is because Azure Functions action does not support adding authentication details, whereas Http connector is flexible with it.
Logic App Managed Identity

After adding http action, Select POST as method and provide the url of secured function app. In Authentication select  Managed Identity and Click on Add new parameter
add new parameter

And  provide the Audience ID we grabbed in step 1 as shown below 
add audience ID


Now add http response action and against body - select the body returned from above step



That's it logic app is ready to use.


Testing


The target function expects input in following form 

{"name":"Input"}

and it returns result as "Reply from target app,+input it received"
test request


Use any rest client and make call to logic app and pass on input in expected format as above and below is the result
test response


How it works

If you noted, we haven't provided any credentials of Logic app and just provided the url of the function to call and Audience ID and still Logic app was able to get response back -- it is because under the hood logic app runtime uses the Identity created in step 2 to authenticate itself with Active directory and gets the access token to make a call. 

Thus with help of Managed Identity, overhead of managing AD app and credentials is removed.




No comments:

Post a Comment