Details about security options with Logic Apps "export to PowerApps" option

epress 0 Reputation points
2024-04-23T15:37:11.4466667+00:00

After reading about securing a Logic App (including options for Azure Active Directory authorization policies and API Management), how secure is the "export to PowerApps" option in Logic Apps? It creates a custom connector that appears to use "OpenAPIconnection" as the type, but I can't see any information about the authentication model it uses.

My use case requires that the Logic App can only be triggered by a call from a PowerApp (through Power Automate) to allow end-users to trigger the logic app through a friendly front-end. I'm concerned the logs or flow run history will contain the Logic App SAS value, API key or other confidential values.

I'm also concerned that if I lock down the Logic App using the AAD authorization policies, API Management, or restrict IP addresses, the "export to PowerApps" custom connection it creates will stop working.

Is there any information about what happens behind the scenes for this connector? Or does anyone have experience implementing it securely?

A lot of the information is about calling Logic Apps from Postman or other more 'codey' end-clients, but PowerApps/PowerAutomate is a bit more limited.

Thanks in advance

Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.

1 answer

  1. Sonny Gillissen 3,756 Reputation points Volunteer Moderator
    2024-05-10T13:39:00.92+00:00

    Hi epress,

    Thank you for reaching out on Microsoft Q&A!

    When locking your Logic App down you can do this by re-using the user details logged on to PowerApps. In other words: you must match authentication in the Logic App to the same audience and such as is in the JWT token of the user logged on to PowerApps.

    Then you can utilize OAuth instead of SAS tokens. However, it's not always watertight when exporting (even though you enable JWT checks, the SAS is still usable). Best option is to hide your Logic App behind an Azure API Management instance, as is best practice by Microsoft. Then you have full control on how to regulate your traffic.

    Please click “Accept answer” if you find this helpful. Feel free to drop additional queries in the comments below!

    Kind regards,

    Sonny
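
Added example (not part of the original thread and not Microsoft's code): a check for the concern raised in the question, that logs or run history may contain the Logic App SAS value, which matters because the answer notes the SAS stays usable. It assumes the signature travels in the `sig` query parameter of a callback URL on a `*.logic.azure.com` host; the log lines, host, workflow id and signature below are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the SAS signature travels in the "sig" query parameter of a
# request-trigger callback URL on a *.logic.azure.com host.
URL_RE = re.compile(r"https://[^\s\"'<>]+")


def redact_url(url):
    """Return (url_with_sig_redacted, leaked) for a single URL."""
    parts = urlsplit(url)
    if not (parts.hostname or "").endswith(".logic.azure.com"):
        return url, False
    leaked, query = False, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == "sig" and value:
            value, leaked = "REDACTED", True
        query.append((name, value))
    if not leaked:
        return url, False
    return urlunsplit(parts._replace(query=urlencode(query))), True


def scan(text):
    """Redact SAS signatures in text; return (clean_text, leaking line numbers)."""
    hits, out = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        def repl(match, lineno=lineno):
            redacted, leaked = redact_url(match.group(0))
            if leaked and lineno not in hits:
                hits.append(lineno)
            return redacted
        out.append(URL_RE.sub(repl, line))
    return "\n".join(out), hits


# Constructed sample log text; host, workflow id and signature are made up.
SAMPLE = (
    "12:00:01 action=HTTP status=202 uri=https://prod-00.westeurope.logic.azure.com:443"
    "/workflows/0123abcd/triggers/manual/paths/invoke?api-version=2016-10-01"
    "&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=CONSTRUCTED_sig_value\n"
    "12:00:02 action=HTTP status=200 uri=https://example.com/health?sig=not-a-logic-app\n"
    "12:00:03 action=Compose status=Succeeded"
)

if __name__ == "__main__":
    clean, leaked_lines = scan(SAMPLE)
    print("lines containing a SAS signature:", leaked_lines)
    print(clean)
```

Any line the scan reports means the signature was stored in readable form; redacting the copy does not invalidate the signature itself.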
