To use managed identities in Azure Logic Apps, specific permissions are required, both for the managed identity itself and for accessing target Azure resources. Here are some key points regarding permissions:
1. Permission to Assign Roles: Before you can grant a managed identity access to anything, your own account needs the right to create role assignments. For Azure RBAC roles on a target resource this means Owner or User Access Administrator (the `Microsoft.Authorization/roleAssignments/write` action) at the scope where you assign the role; the Logic Apps documentation describes this prerequisite as Microsoft Entra administrator permissions that can assign roles to managed identities, which is what manages access to resources protected by Microsoft Entra ID[2]. Contributor on the resource is not enough to create role assignments.
2. Role Assignments for Target Resources: Before a managed identity can access an Azure resource, it must be assigned the appropriate role on that resource. For example, if your Logic App needs to read and write blobs, assign the "Storage Blob Data Contributor" role to the managed identity; for Azure Service Bus, roles like "Azure Service Bus Data Sender" or "Azure Service Bus Data Receiver" are the ones the connector needs[3]. Pick the data-plane role that matches the operation: management-plane roles such as Contributor or Owner on a storage account or namespace do not grant access to the data itself, and granting them gives the identity control-plane rights it does not need.
3. Scope of the Assignment: Azure RBAC inherits downward, so a role assigned at the subscription or resource group applies to every resource beneath it. That works, but it grants the Logic App far more than it needs. A role assignment scoped to the target resource itself (the storage account, or even a single Service Bus queue) is sufficient for the managed identity to authenticate to that resource[2]; assign at the resource group or subscription only when the workflow genuinely has to enumerate or reach many resources within those scopes.
4. Checking Permissions: To verify what a managed identity can do, open the target resource's Access control (IAM) blade in the Azure portal and use "Check access" for the identity, or run `Get-AzRoleAssignment -ObjectId <principalId>` in Azure PowerShell to list its Azure RBAC assignments and their scopes. The identity's enterprise application object in Microsoft Entra ID, or `Get-MgServicePrincipalAppRoleAssignment`, shows a different thing: Microsoft Entra app-role grants such as Microsoft Graph API permissions, not Azure RBAC roles[5]. Check both if the workflow uses both kinds of access.
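As an added example that is not taken from any of the cited pages, the procedure in points 2 to 4 and the check in point 5, as an Azure PowerShell script. It assumes a Consumption Logic App (resource type `Microsoft.Logic/workflows`) whose system-assigned identity is already enabled, and the resource names (`rg-orders`, `la-orders`, `storders`, `sb-orders`, queue `orders`) are hypothetical. It grants two data-plane roles at the narrowest scope that works, then lists the resulting Azure RBAC assignments and, separately, any Microsoft Entra app-role grants.

```powershell
# Added example (not from the cited sources). Resource names are hypothetical.
# Requires the Az.Accounts, Az.Resources, Az.Storage, Az.ServiceBus and
# Microsoft.Graph.Applications modules, run as a user holding Owner or
# User Access Administrator on the target resources.
$ErrorActionPreference = 'Stop'
Connect-AzAccount | Out-Null

$rg = 'rg-orders'   # hypothetical resource group

# Get-AzResource works for Consumption Logic Apps; a Standard Logic App is a
# Microsoft.Web/sites resource and would be looked up with that type instead.
$la = Get-AzResource -ResourceGroupName $rg -ResourceType 'Microsoft.Logic/workflows' -ResourceName 'la-orders'

# Roles can only be assigned once the identity exists on the Logic App.
if (-not $la.Identity -or -not $la.Identity.PrincipalId) {
    throw "Logic App 'la-orders' has no system-assigned identity; enable it first."
}
$principalId = $la.Identity.PrincipalId

# Narrowest useful scopes: the storage account itself and one Service Bus queue,
# not the resource group or subscription. Data-plane roles, not Contributor/Owner.
$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name 'storders'
$sbNs    = Get-AzServiceBusNamespace -ResourceGroupName $rg -NamespaceName 'sb-orders'
$assignments = @(
    @{ Role = 'Storage Blob Data Contributor'; Scope = $storage.Id },
    @{ Role = 'Azure Service Bus Data Sender'; Scope = "$($sbNs.Id)/queues/orders" }
)

foreach ($a in $assignments) {
    # New-AzRoleAssignment errors if the assignment already exists, so check first.
    $existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $a.Role -Scope $a.Scope |
        Where-Object { $_.Scope -eq $a.Scope }
    if ($existing) {
        Write-Host "Already assigned: $($a.Role) at $($a.Scope)"
    } else {
        New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $a.Role -Scope $a.Scope | Out-Null
        Write-Host "Assigned: $($a.Role) at $($a.Scope)"
    }
}

# Verify. A new assignment can take several minutes to become visible and
# effective, so poll rather than failing on the first empty result.
foreach ($a in $assignments) {
    $found = $null
    for ($i = 0; $i -lt 10 -and -not $found; $i++) {
        $found = Get-AzRoleAssignment -ObjectId $principalId -Scope $a.Scope |
            Where-Object { $_.RoleDefinitionName -eq $a.Role }
        if (-not $found) { Start-Sleep -Seconds 30 }
    }
    if (-not $found) { throw "Role '$($a.Role)' not visible at $($a.Scope) after waiting." }
}

# Full picture of the identity's Azure RBAC access. The Scope column shows whether
# any assignment is broader (resource group, subscription) than intended.
Get-AzRoleAssignment -ObjectId $principalId |
    Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

# Azure RBAC (above) and Microsoft Entra app roles (below) are separate systems.
# This lists app-role grants such as Microsoft Graph permissions, which is what
# the identity's enterprise application shows; it says nothing about RBAC.
Connect-MgGraph -Scopes 'Application.Read.All'
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $principalId |
    Select-Object ResourceDisplayName, AppRoleId | Format-Table -AutoSize
```

Scoping the Service Bus role to `/queues/orders` rather than the namespace is the point of the `Scope` values: the identity can send to that one queue and nothing else, and the final `Get-AzRoleAssignment` listing makes any accidental resource-group or subscription-wide grant visible at a glance.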
In summary, using managed identities in Logic Apps requires careful management of permissions to ensure secure and effective access to Azure resources.
Citations:
[1] https://www.red-gate.com/simple-talk/cloud/azure/how-to-use-managed-identities-in-your-azure-logic-apps/
[2] https://learn.microsoft.com/en-us/azure/logic-apps/authenticate-with-managed-identity
[3] https://www.middleway.eu/using-managed-identities-in-a-logic-app/
[4] https://www.youtube.com/watch?v=B69Pb9CKLRA
[5] https://www.reddit.com/r/AZURE/comments/1aruc8t/where_can_i_see_if_my_logic_app_with_managed/
[6] https://docs.azure.cn/en-us/logic-apps/create-single-tenant-workflows-azure-portal
[7] https://www.youtube.com/watch?v=bzHCqyishiE
[8] https://medienstudio.net/development-en/deploying-azure-logic-apps-managed-identity-with-bicep/
[9] https://gist.github.com/SvenAelterman/fe2d66ad4ceb8c1a220766e4898b88ba
[10] https://www.linkedin.com/pulse/managed-identities-logic-apps-azure-ad-automate-your-stuff-periwal