Azure Logic app

Sengine007 1 Reputation point
2025-12-19T12:03:09.62+00:00

Hello, I created an access package from Entra ID Governance to give a user access to some resources and also to create an admin account for the user by triggering a custom extension, which is an Azure Logic App. Now here is the issue: I created a sample standalone logic and this works like a charm, but when I created the same via the ID Governance route, the logic does not even fire at all. The user still gets access to the resource, but the admin account won't get created as a result of this.

Can someone help explain to me why the standalone logic works well while the same logic won't fire from access packages (ID Governance)?

2 answers

  1. Pravallika KV 16,360 Reputation points Microsoft External Staff Moderator
    2025-12-31T00:06:58.5633333+00:00

    Hi @Sengine007 ,

    Thanks for reaching out to Microsoft Q&A.

    Access Package custom extensions have strict requirements; if any are misconfigured, the Logic App won't fire even though access is granted.

    "Can someone help explain to me why the standalone logic works well while the same logic won't fire from access packages (ID Governance)?"

    As @Vinodh247 mentioned in the answer, your Logic App works standalone because it's triggered directly (manual/HTTP) with no Entra ID Governance restrictions.

    • Access Packages only trigger Logic Apps as Custom Extensions and only via an HTTP trigger. Any other trigger or changes after registration will prevent it from firing.
    • The Logic App must be registered as a Custom Extension in Entra ID Governance and attached to the correct lifecycle stage, commonly Assignment granted.
    • The Logic App needs a Managed Identity with proper Microsoft Graph permissions; Access Packages call it using Entra ID, not your user context.
    • Custom extensions are non-blocking: Access Packages do not report or block on custom extension failures, so access is granted even if the extension fails or never runs.
    • To detect issues, you must check the Logic App's run history and logs yourself, because Entra ID Governance provides no error visibility.

    If the resolution was helpful, kindly take a moment to click on image and click on Yes for was this answer helpful. And, if you have any further query do let us know.


  2. Vinodh247-1375 42,776 Reputation points Volunteer Moderator
    2025-12-21T05:57:31.9366667+00:00

    Hi,

    Thanks for reaching out to Microsoft Q&A.

    The standalone Logic App works because you trigger it directly with your own call and relaxed settings. When called from Entra ID Governance, the Logic App must be HTTP-triggered with the exact schema, supported region, and proper authentication (managed identity or OAuth). If any of these do not match, Entra ID silently skips the custom extension. Access assignment still succeeds because access packages do not fail when extensions fail, so the user gets resource access but the admin account is not created.

    Please 'Upvote' (Thumbs-up) and 'Accept' as answer if the reply was helpful. This will benefit other community members who face the same issue.

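As an added example (not part of either answer and not Microsoft tooling), the following Python check reads an exported Logic App resource and reports which of the requirements named in the answers are not met in its definition: an HTTP request trigger with a declared body schema, and a managed identity. The sample export is constructed, and the field names assume the standard Logic Apps workflow definition JSON as it appears in an ARM export.

```python
import json

# Constructed sample (not from the post): trimmed ARM export of a Logic App
# that has a non-HTTP trigger and no managed identity.
SAMPLE_EXPORT = json.loads("""
{
  "type": "Microsoft.Logic/workflows",
  "name": "create-admin-account",
  "identity": {"type": "None"},
  "properties": {
    "definition": {
      "triggers": {
        "Recurrence": {"type": "Recurrence",
                       "recurrence": {"frequency": "Day", "interval": 1}}
      },
      "actions": {}
    }
  }
}
""")


def audit_logic_app(resource):
    """Return findings for the answers' requirements visible in an export."""
    findings = []
    definition = (resource.get("properties") or {}).get("definition") or {}
    triggers = definition.get("triggers") or {}

    # Requirement: Access Packages call the app only through an HTTP trigger.
    http = {name: t for name, t in triggers.items()
            if t.get("type") == "Request" and t.get("kind", "Http") == "Http"}
    if not http:
        found = ", ".join(sorted({t.get("type", "?") for t in triggers.values()}))
        findings.append(f"no HTTP request trigger (found: {found or 'none'})")
    for name, trig in http.items():
        # The request schema must match what the caller sends; flag if absent.
        if not (trig.get("inputs") or {}).get("schema"):
            findings.append(f"trigger '{name}' declares no request body schema")

    # Requirement: a managed identity for the Microsoft Graph calls.
    identity_type = (resource.get("identity") or {}).get("type", "None")
    if identity_type == "None":
        findings.append("no managed identity assigned")
    return findings


if __name__ == "__main__":
    for finding in audit_logic_app(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

The Graph permissions granted to the identity and the custom extension registration itself are not part of the export, so they still need to be checked separately, along with the Logic App's run history.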
