nullorempty (Copper Contributor), Jan 06, 2021
Azure SharePoint Logic App Connector Security
Using the SharePoint Logic App connector, how can the Azure Key Vault be leveraged in place of a hard-coded AD account?
Currently, we are using a dedicated AD account to authenticate with SharePoint, and our password policy requires we update the password every X months. As the usage of Azure and SPO grows, this model is quickly becoming unmanageable.
Matti Paukkonen (Iron Contributor)
Hi nullorempty
The standard KeyVault connector also supports Service Principals. So you can register a new App on Azure AD, create an access policy on KeyVault for that principal and use the principal's ClientId and Secret on the KeyVault connector.
I have been using System Managed identity to access KeyVault from Azure Logic Apps. The standard KeyVault connector does not support it, so I needed to use the HTTP connector.
1. Enable the system-assigned identity on your Logic App
2. Create an access policy on KeyVault for that identity with the needed permissions
3. On your Logic App, the URI for the HTTP action is the identifier of your key/secret/certificate, which you get from KeyVault. Remember to add api-version to the queries with value 2016-10-01. For authentication, pick Managed Identity and for audience add https://vault.azure.net
The HTTP action returns a JSON object, where the returned value is on the value property.
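The HTTP action from step 3, written out as a Logic App workflow-definition fragment. This is an added example, not the poster's own definition; `<vault-name>`, `<secret-name>` and the action names are placeholders, and the workflow's system-assigned identity is assumed to hold the Get permission on secrets in that vault's access policy.

```json
{
  "actions": {
    "Get_secret": {
      "type": "Http",
      "inputs": {
        "method": "GET",
        "uri": "https://<vault-name>.vault.azure.net/secrets/<secret-name>",
        "queries": { "api-version": "2016-10-01" },
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "https://vault.azure.net"
        }
      },
      "runAfter": {},
      "runtimeConfiguration": {
        "secureData": { "properties": [ "inputs", "outputs" ] }
      }
    },
    "Use_secret": {
      "type": "Compose",
      "inputs": "@body('Get_secret')?['value']",
      "runAfter": { "Get_secret": [ "Succeeded" ] },
      "runtimeConfiguration": {
        "secureData": { "properties": [ "inputs", "outputs" ] }
      }
    }
  }
}
```

Key Vault answers with a JSON body whose `value` property holds the secret, which is why the downstream action reads `body('Get_secret')?['value']`; the `secureData` settings keep that secret out of the run history so it is not exposed to anyone who can view the Logic App's runs.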