Forum Discussion
jbfeldman
Mar 07, 2025 · Copper Contributor
What service principal is used to authenticate Logic Apps to Azure resources?
This question is a bit more academic than practical, but I'm just trying to enhance my knowledge of how Azure authentication works under the hood. The default way to authenticate managed Logic Apps ...
jbfeldman
Mar 10, 2025 · Copper Contributor
Hi Lain, this is not really correct. What you're describing is only true if you use managed identities to authenticate logic apps. While you can use managed identities in Logic Apps (which, as in the docs you linked, will create a Service Principal for each logic app), it is not required. My question is specifically about the scenarios where you do not use a managed identity for authentication, and instead use OAuth for authentication. Most Microsoft-built logic app connectors will let you choose between the two.
For connectors using the Graph API, as I stated, I was able to find the Service Principal (which can be used by multiple logic apps) that was used to authenticate the connection. But I'm struggling to find a similar Service Principal for connectors that use the Azure Resource Management API.
LainRobertson
Mar 11, 2025 · Silver Contributor
Hi jbfeldman,
I wouldn't mind knowing which part of what I outlined is incorrect.
I can't really add anything new for your first question around discovering which servicePrincipal is used for which app, while for your second (covered under "additional information"), I can only reinforce that it's quite normal for permissions to not show on the screen you have in your original post since they're most commonly assigned via roles, not the individual API categories (Azure API rights are broken into many separate categories).
Expanding on Azure rights a little, if roles are what I see being used the most, then second on the list would be the direct assignment of rights to resources such as subscriptions and resource groups, which also doesn't surface on the API permissions screens.
Cheers,
Lain