What service principal is used to authenticate Logic Apps to Azure resources?

Considering this:

• What Service Principal is used for the OAuth connection to the Azure Resource Management (ARM) API?
  • When Logic Apps connect to Azure resources, they often use Managed Identities (either system-assigned or user-assigned) for authentication. Managed Identities are essentially service principals managed by Azure, and they allow Logic Apps to authenticate to Azure Resource Management APIs without needing explicit credentials.
  • For connectors that require OAuth, the authentication process typically involves granting permissions to a service principal associated with the Logic App or the connector itself. This service principal acts on behalf of the Logic App to access the ARM API.
• How does the Azure Logic Apps service principal connect to the ARM API without explicit permissions?
  • The Azure Logic Apps service principal itself doesn’t inherently have permissions. Instead, Azure uses role-based access control (RBAC) to grant the necessary permissions to the Managed Identity of the Logic App. For example, you might assign the Logic App's Managed Identity a role like "Contributor" or "Reader" on the target resource group or subscription.
  • The "magic" here is that Azure handles the token issuance and validation process behind the scenes. When the Logic App makes a request to the ARM API, Azure validates the Managed Identity and ensures it has the appropriate RBAC permissions to perform the requested action.