When configuring authorization policies for managed identities in Azure Logic Apps, several common issues may arise:
1. Token Validation Limitations: Logic Apps do not validate the signature of OAuth tokens, so improperly formed tokens might pass the authorization checks. For mission-critical applications, using a Function App with libraries that fully validate tokens is recommended[1].
2. Authorization Policy Configuration: Checking the correct claims in the authorization policies is crucial. Typically, the issuer claim and audience claim need to be validated to ensure that only tokens from the intended tenant and for the intended application are accepted[1].
3. Multiple Identities Management: If multiple managed identities need to access the same Logic App trigger, configuring multiple authorization policies, or using a single user-assigned managed identity across applications, can be challenging. Each policy must be set up carefully to allow access only on the basis of specific identity claims[1].
4. Role-Based Authorization: Logic Apps do not support role-based authorization directly through managed identities. Instead, using app roles in Microsoft Entra ID can help manage permissions for managed identities[2].
5. Permission Setup: Ensuring that the managed identity has the correct permissions on the target Azure resource is essential. This includes granting access not just to the resource but also to the resource group or subscription if necessary[3].
6. Choosing Between System and User-Assigned Identities: Deciding whether to use system-assigned or user-assigned managed identities depends on the scenario. System-assigned identities are tied to the lifecycle of the Logic App, while user-assigned identities can be reused across multiple Logic Apps, making them more suitable for environments with multiple apps[5].
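As an added illustration of points 2 and 3 (not taken from the page or from the cited articles), the following ARM-template fragment for a Logic App's `accessControl.triggers.openAuthenticationPolicies` section defines two policies, one per managed identity. The tenant ID, the object IDs of the two identities and the policy names are placeholders; the issuer and audience values are the common v1-token forms and are assumptions that must be checked against a real token from each identity.

```json
{
  "properties": {
    "accessControl": {
      "triggers": {
        "openAuthenticationPolicies": {
          "policies": {
            "identity-a-policy": {
              "type": "AAD",
              "claims": [
                { "name": "iss", "value": "https://sts.windows.net/<TENANT-ID-PLACEHOLDER>/" },
                { "name": "aud", "value": "https://management.azure.com/" },
                { "name": "oid", "value": "<OBJECT-ID-OF-IDENTITY-A-PLACEHOLDER>" }
              ]
            },
            "identity-b-policy": {
              "type": "AAD",
              "claims": [
                { "name": "iss", "value": "https://sts.windows.net/<TENANT-ID-PLACEHOLDER>/" },
                { "name": "aud", "value": "https://management.azure.com/" },
                { "name": "oid", "value": "<OBJECT-ID-OF-IDENTITY-B-PLACEHOLDER>" }
              ]
            }
          }
        }
      }
    }
  }
}
```

Every claim listed in a policy must match for that policy to admit the request, and a request is admitted if any one policy matches; without the `oid` claim a policy would accept a token from any identity in the tenant that obtained a token for the same audience.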
Citations:
[1] https://hybridbrothers.com/using-managed-identities-in-logic-app-http-triggers/
[2] https://docs.azure.cn/en-us/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations
[3] https://learn.microsoft.com/en-us/azure/logic-apps/authenticate-with-managed-identity
[4] https://azurealan.ie/2021/12/21/dont-use-user-accounts-for-your-logic-app-connections/
[5] https://www.red-gate.com/simple-talk/cloud/azure/how-to-use-managed-identities-in-your-azure-logic-apps/
[6] https://turbo360.com/blog/azure-managed-service-identity-for-logic-apps
[7] https://docs.azure.cn/en-us/logic-apps/logic-apps-securing-a-logic-app
[8] https://learn.microsoft.com/en-us/answers/questions/1250617/unable-to-configure-managed-identity-in-logic-app