401 Unauthorised error in HTTP action with user-assigned managed identity in Standard logic app workflow

Diksha Gaur 0 Reputation points
2025-05-13T06:18:47.3033333+00:00

I am using an HTTP action to call the Microsoft Graph API, using a user-assigned managed identity as the authentication method. I have an Entra app registration with the Graph API permission Sites.Selected granted, and SharePoint admin permission granted for the said site. It's working fine when I use the client secret method, but I am trying to avoid using a client secret, so I have added a federated credential with the UAMI, as per this article: https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity?tabs=microsoft-entra-admin-center

Still, I am getting a 401 Unauthorized, General exception when running the logic app workflow.


1 answer

  1. Alex Burlachenko 9,565 Reputation points
    2025-05-13T12:29:31.4766667+00:00

    Hi Diksha,

    Thank you for posting your question on the Q&A portal and for providing all the details about your issue.

    First, it’s great that you’ve already set up a user-assigned managed identity and configured federated credentials for it. As you mentioned, the Microsoft documentation explains how to set this up for workload identity federation. Since you’re getting a 401 error, it usually means the authentication part isn’t working correctly, even though the setup seems right.

    One thing to double-check is whether the managed identity has the correct permissions assigned in Microsoft Entra ID. Just like with client secrets, the managed identity needs the same Graph API permissions (like Sites.Selected and SharePoint admin permissions) explicitly granted. You can find more details about assigning permissions to managed identities in the Microsoft documentation here: Assign permissions to a managed identity.

    Another common pitfall is the audience claim in the token. When using a managed identity to call Microsoft Graph, the token’s audience should be set to https://graph.microsoft.com. Sometimes, if the audience is incorrect or missing, you’ll get a 401 error.

    Also, make sure the logic app’s HTTP action is correctly configured to use the managed identity. In the authentication settings of the HTTP action, select “Managed Identity” as the type and choose your user-assigned managed identity. The resource field should be https://graph.microsoft.com. If this is misconfigured, the token won’t be issued for the right audience.

    If you’ve checked all these and still face issues, it might help to look at the logic app’s run history to see the exact error details. Sometimes, the 401 error includes more specifics in the response headers or body that can point you in the right direction.

    Let me know if any of this helps.

    Best regards,
    Alex
    P.S. If my answer helps you, please accept my answer.
    P.P.S. That is my answer and not a comment.
    https://ctrlaltdel.blog/
    
