Unable to configure managed identity in logic app

Dinesh Kumar 15 Reputation points
2023-04-20T15:55:21.6566667+00:00

I have created a logic app which is supposed to execute an Azure Data Factory pipeline. Until now, I used my personal credentials to run the pipeline, but now I want to use managed identities. I have created one user managed identity and granted it contributor permission on the data factory, but I am getting the following error when I try to save my logic app:

Failed to save logic app run-ADFpipeline-kpisTrigger. The workflow connection parameter 'azuredatafactory' is not valid. The API connection 'azuredatafactory' is configured to support managed identity but the connection parameter is either missing 'authentication' property in connection properties or authentication type is not 'ManagedServiceIdentity'.

I tried to add "authentication" as a parameter but still got the same error. Can anyone please help to fix this issue?


2 answers

  1. Sonny Gillissen 3,751 Reputation points Volunteer Moderator
    2023-04-23T19:51:21.15+00:00

    Hi Dinesh Kumar,

    Thank you for reaching out on Microsoft Q&A!

    I think the problem is not with your logic app, but with the connection file. I've seen it happen before that creating a connection file and switching authentication later results in issues. What you could do is remove the connection file from the same resource group as the logic app, and recreate it from the UI of the logic app (on one of its actions), while selecting your correct authentication mechanism.

    Please click “Accept answer” if you found my response helpful. Feel free to drop additional comments below, if any!


  2. Eliot Cole 71 Reputation points
    2023-08-03T12:33:52.9966667+00:00

    This answer is not in depth, but I've done my best, @Guillermo Calderon-Meza.

    I've used a Key Vault as my example, here, but you should be able to adapt this for an ADF connection, there's no reason why it should not work.

    1. RBAC Permission

    Firstly, you need to ensure that the account that is doing all of this has RBAC permissions on Azure, which requires either the 'Owner' built-in role, or a custom role containing the 'Assign User Assigned Identity' permission.

    2. Logic App Managed Identity

    Ensure that this is enabled, assigned, whatever.

    I used a System Assigned ID.

    3. External Resource Setup

    (Azure Data Factory - My Example is Key Vault)

    Here you need to ensure that there is access to the resource by the Logic App.

    In my example (a Key Vault) this is done via access policies. Here is a snippet of the accessPolicies value in the template for that:

    [
    	{
    		"tenantId": "TENANT_ID",
    		"objectId": "MANAGED_IDENTITY_GUID",
    		"permissions": {
    			"certificates": [
    				"get",
    				"list",
    				"getissuers",
    				"listissuers"
    			],
    			"keys": [
    				"decrypt",
    				"unwrapkey",
    				"verify",
    				"get",
    				"list"
    			],
    			"secrets": [
    				"get",
    				"list"
    			]
    		}
    	}
    ]
    

    4. Logic App JSON

    I got this working by using (for a System Managed Identity) the following JSON in the API connection parameter.

    Where:

    - SUB_ID: Subscription ID
    - RG_NAME: Name of the resource group that the API connection is in
    - CON_NAME: Name of the API connection being referenced
    - API_NAME: Name of the API being accessed

    System Managed Identity

    This should work for the

    {
    	"connectionId": "/subscriptions/SUB_ID/resourceGroups/RG_NAME/providers/Microsoft.Web/connections/CON_NAME",
    	"connectionName": "CON_NAME",
    	"connectionProperties": {
    		"authentication": {
    			"type": "ManagedServiceIdentity"
    		}
    	},
    	"id": "/subscriptions/SUB_ID/providers/Microsoft.Web/locations/uksouth/managedApis/API_NAME"
    }
    

    User Managed Identity

    I cannot confirm that this works, you might be fine with the same as System Managed Identity:

    {
    	"connectionId": "/subscriptions/SUB_ID/resourceGroups/RG_NAME/providers/Microsoft.Web/connections/CON_NAME",
    	"connectionName": "CON_NAME",
    	"connectionProperties": {
    		"authentication": {
    			"identity": "[parameters('systemManagedIdentity')]",
    			"type": "ManagedServiceIdentity"
    		}
    	},
    	"id": "/subscriptions/SUB_ID/providers/Microsoft.Web/locations/uksouth/managedApis/API_NAME"
    }
    
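The save error quoted in the question names two conditions: the connection entry has no `authentication` property under `connectionProperties`, or its `type` is not `ManagedServiceIdentity`. The following is an added example, not code from either answer or from Microsoft, that checks a workflow's connection entries for both conditions before saving or deploying. It assumes the entries sit under `parameters` → `$connections` → `value` and that the caller supplies the names of the connections set up for managed identity; the function names and sample entries are constructed for illustration.

```python
MSI = "ManagedServiceIdentity"

def check_connection(conn):
    """Return None when the entry passes, otherwise the reason it would be rejected."""
    props = conn.get("connectionProperties")
    if not isinstance(props, dict) or "authentication" not in props:
        return "missing 'authentication' in connectionProperties"
    auth = props["authentication"]
    auth_type = auth.get("type") if isinstance(auth, dict) else None
    if auth_type != MSI:
        return f"authentication type is {auth_type!r}, not {MSI!r}"
    return None

def lint_connections(parameters, msi_connections):
    """Map each failing connection name to the reason it fails.

    parameters: the workflow's "parameters" object (assumed layout: $connections -> value).
    msi_connections: names of API connections known to be set up for managed identity.
    """
    entries = parameters.get("$connections", {}).get("value", {})
    findings = {}
    for name in msi_connections:
        if name not in entries:
            findings[name] = "no entry under $connections"
            continue
        reason = check_connection(entries[name])
        if reason:
            findings[name] = reason
    return findings

def _entry(name, props=None):
    # Constructed sample entry using the page's SUB_ID / RG_NAME / API_NAME placeholders.
    entry = {
        "connectionId": f"/subscriptions/SUB_ID/resourceGroups/RG_NAME/providers/Microsoft.Web/connections/{name}",
        "connectionName": name,
        "id": "/subscriptions/SUB_ID/providers/Microsoft.Web/locations/uksouth/managedApis/API_NAME",
    }
    if props is not None:
        entry["connectionProperties"] = props
    return entry

# Constructed sample: one entry with no connectionProperties, one correct, one with a wrong type.
SAMPLE_PARAMETERS = {"$connections": {"value": {
    "azuredatafactory": _entry("azuredatafactory"),
    "keyvault": _entry("keyvault", {"authentication": {"type": MSI}}),
    "misconfigured": _entry("misconfigured", {"authentication": {"type": "PLACEHOLDER_TYPE"}}),
}}}

if __name__ == "__main__":
    names = ["azuredatafactory", "keyvault", "misconfigured"]
    for name, reason in lint_connections(SAMPLE_PARAMETERS, names).items():
        print(f"{name}: {reason}")
```
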
