Connecting a Logic App to Microsoft Teams with Managed Identity

Question

Connecting a Logic App to Microsoft Teams with Managed Identity

Alexandre G 71

I'm currently creating a Logic App workflow to send a message to a Microsoft Teams canal when it is triggered by a HTTP request. I am using the "Post a message to a canal as the flow bot" action.

However, I'm currently using my personal account as a connection, which is a bad practice regarding long term maintainability.

I see that there is an option to connect with a Managed Identity. I successfully enabled the system-assigned Managed Identity for my Logic App by going to the Settings and then the Identity part. However, I do not know how to allow this Managed Identity access to a specific canal on Microsoft Teams to post messages to it. I could not find anything on the web.

Gerco Verweij 1 Reputation point

2021-05-27T09:27:30.787+00:00

Hi alexandreg,

Did you already get it working? I'm also struggling with managed identities. I've created a user-managed identity in a resource group and assigned some roles to it. But I really don't now which role I need to add to the identity.

If you have some information, I would love to hear it!

Regards,

Gerco
Alexandre G 71 Reputation points

2021-06-07T08:56:15.017+00:00

Hi! Unfortunately no, I was unsuccessful. I moved to the Incoming Webhook connector to send messages to Teams. I hope that Microsoft will improve this feature and create some docs around it, as it's clearly lacking ATM. They should not release something when it's not finished, it's frustrating for the end user.

Accepted answer

3 additional answers

Your answer

Gerco Verweij 1 Reputation point

2021-05-27T09:27:30.787+00:00

Hi alexandreg,

Did you already get it working? I'm also struggling with managed identities. I've created a user-managed identity in a resource group and assigned some roles to it. But I really don't now which role I need to add to the identity.

If you have some information, I would love to hear it!

Regards,

Gerco
Alexandre G 71 Reputation points

2021-06-07T08:56:15.017+00:00

Hi! Unfortunately no, I was unsuccessful. I moved to the Incoming Webhook connector to send messages to Teams. I hope that Microsoft will improve this feature and create some docs around it, as it's clearly lacking ATM. They should not release something when it's not finished, it's frustrating for the end user.

Answer 1

Sam Cogan 10,812 Microsoft Employee Volunteer Moderator

Your managed identity needs permissions to talk to the Teams API, in particular it needs to be able to access the Teams parts of the Graph API. A managed identity is just an AAD application behind the scenes so you can grant API rights to it. This article shows a script for granting access to Managed Identities to the Graph API. This page details the various Teams API's.

Alexandre G 71 Reputation points

2021-01-20T17:14:41.213+00:00

Thank you Sam, I'm going to try that!
Stian Johansen 1 Reputation point

2021-04-29T08:11:55.167+00:00

Did you figure out which Graph API permissions was needed to post messages as the Flow bot? I am struggling to find any information about posting as Flow bot in the Graph API Teams documentation.
HH 1 Reputation point

2021-04-29T16:42:20.173+00:00

So, what I can gather by following the Teams API page Sam-Cogan posted above, to here: https://learn.microsoft.com/en-us/graph/api/channel-post-messages?view=graph-rest-1.0&tabs=http, It looks like the Application:Teamwork.Migrate.All is the permission needed for a system-assigned identity to be able to send chatMessage in a Teams channel. I tried using the other article he mentioned for granting access to the Graph API to add that specific permission to my managed identity. I still receive an error trying to configure the connector, that it does not have permissions. I checked the audit log for my managed identity and it is successfully authenticating, so I believe that this is still an authorization issue somewhere. Can anybody detail the exact permissions to configure on the managed identity to be able to post a message to a Teams channel? Am I at least on the right track here and just missing some base level permission for accessing Teams in the first place?
Alexandre G 71 Reputation points

2021-06-07T08:58:22.253+00:00

hi! I suggest that you use the Incoming Webhook connector in your Teams canal instead. You can send messages easily through an HTTP POST request, with the following body (markdown supported):

{
"title": "My message title",
"text": "Hello everyone"
}
Marta de Lima Masson Guimarães 1 Reputation point Microsoft Employee

2022-04-15T12:30:00.567+00:00

It will not work. It is not supported yet. This permission is to migration purposes only :/
We will need to wait a little bit more or use delegated which requires someone´s credentials.

That´s what means migration: https://learn.microsoft.com/en-us/microsoftteams/platform/graph-api/import-messages/import-external-messages-to-teams

Answer 2

I think the OP was asking about the specific TEAMS tasks in Logic Apps using authentication methods other than an org account, which the answer on this thread doesn't really address. (just that there's an api out there and you can call that api with the right permissions with a service principal after doing all the oauth things to get the right token, how annoying).

Honestly, I don't know how these connectors get past any kind of internal review without enterprise level auth in mind, which using a traditional org account for automation purposes is definitely not.

Answer 3

OJA_AE 1

Assigned literally every API-permission to the managed identity. Doesn't work.
That said, the feature is still in preview.

Keshavi Patel 1 Reputation point

2021-12-14T20:49:53.347+00:00

Was anyone able to get this working? I have a similar requirement.

Answer 4

Kolundzija Nela (BSOT/PJ-AS-Bg) 0

did anyone succeded to login to teams from logic app without personal account with service principle of managed identy ? thank you much needed help since want to persist all via terraform and not use my personal user for this

Share via

Connecting a Logic App to Microsoft Teams with Managed Identity

3 additional answers

Your answer