

How do I configure the authorization policy in Azure Logic Apps


Configuring an authorization policy in Azure Logic Apps involves several steps, depending on whether you are using Consumption or Standard Logic Apps. Here's how you can do it:

For Consumption Logic Apps

1. Access the Azure Portal: Navigate to your Consumption Logic App in the Azure portal.
2. Open the Logic App Menu: Under the Logic App menu, select Settings.
3. Select Authorization: Click on the Authorization tab.
4. Add a Policy: Click on Add policy to create a new authorization policy.
5. Configure the Policy:
   - Policy Name: Give your policy a name.
   - Policy Type: Choose AAD for Azure Active Directory.
   - Claims: Add necessary claims such as:
     - Issuer: `https://sts.windows.net/YOUR_TENANT_ID/` (for single-tenant apps) or `https://login.microsoftonline.com/YOUR_TENANT_ID/` (for multi-tenant apps).
     - Audience: Typically `https://management.core.windows.net/` for Azure management resources.
     - Custom Claims: You can add additional claims as needed, such as the client ID of an app registration.

6. Save the Policy: Once configured, save the policy to apply it to your Logic App.
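Before relying on the policy, it helps to confirm that the token a caller actually presents carries the claims entered in step 5. The following is an added example, not code from the original page or from Microsoft: it decodes a token's payload for inspection only (no signature check) and lists every policy claim the token fails. Assumptions: the tenant and client IDs are constructed placeholders, the custom claim for the client ID is named `appid`, a request is accepted only when every claim in the policy matches, and all function names are hypothetical.

```python
import base64
import json

# Constructed placeholder values; substitute your own tenant and app registration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# Claims as entered in the authorization policy (name/value pairs from step 5).
POLICY_CLAIMS = {
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "aud": "https://management.core.windows.net/",
    "appid": CLIENT_ID,  # assumed claim name for the calling app's client ID
}


def decode_claims(token: str) -> dict:
    """Return a JWT's payload without verifying its signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def policy_mismatches(policy: dict, claims: dict) -> list:
    """List every policy claim the token fails; an empty list means all match."""
    problems = []
    for name, expected in policy.items():
        actual = claims.get(name)
        if actual is None:
            problems.append(f"{name}: missing from token")
        elif actual != expected:
            problems.append(f"{name}: token has {actual!r}, policy expects {expected!r}")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    good = make_sample_token(dict(POLICY_CLAIMS))
    wrong_aud = make_sample_token({**POLICY_CLAIMS, "aud": "https://graph.microsoft.com"})
    print(policy_mismatches(POLICY_CLAIMS, decode_claims(good)))
    print(policy_mismatches(POLICY_CLAIMS, decode_claims(wrong_aud)))
```

A mismatch on `iss` or `aud` usually means the caller requested its token for a different resource or tenant than the policy names, so fix the token request or the policy rather than loosening the claims.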

For Standard Logic Apps

Standard Logic Apps do not have a direct Authorization tab like Consumption Logic Apps. Instead, you can use Access Control (IAM) or API Management for authorization:

1. Access Control (IAM):
- Navigate to your Standard Logic App.
- Select Access Control (IAM).
- Assign roles to users or groups to control access.

2. API Management:
- Use API Management to restrict access or control your Logic App.

3. Managed Identity:
- Enable a managed identity for your Logic App.
- Configure authorization policies in the application using the managed identity.

Additional Considerations

- Managed Identities: You can use managed identities to authenticate access to resources. This involves creating an access policy for the target resource and assigning the appropriate permissions to the managed identity[6].
- EasyAuth: For Standard Logic Apps, consider using EasyAuth for authentication[2].

By following these steps, you can effectively configure authorization policies for your Azure Logic Apps.

Citations:
[1] https://www.cloudshift.nl/blog/2022/10/securing-your-azure-logic-apps-with-azure-ad-oauth
[2] https://stackoverflow.com/questions/75663220/how-to-add-access-policy-to-azure-logic-app-standard
[3] https://hybridbrothers.com/using-managed-identities-in-logic-app-http-triggers/
[4] https://www.youtube.com/watch?v=xVFmpszXmC0
[5] https://demiliani.com/2023/12/28/azure-logic-apps-securing-http-triggers-with-microsoft-entra-id-authentication/
[6] https://docs.azure.cn/en-us/logic-apps/authenticate-with-managed-identity
[7] https://stackoverflow.com/questions/79124265/azure-logic-app-authorization-policy-set-via-bicep
[8] https://turbo360.com/blog/logic-app-best-practices-secure-your-azure-logic-apps
[9] https://gotoguy.blog/2020/12/31/protect-logic-apps-with-azure-ad-oauth-part-1-management-access/
[10] https://learn.microsoft.com/en-us/answers/questions/32600/how-to-setup-logicapp-authorization-policy
[11] https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app