Logic Apps: "Send approval email" action requires "Any IP" for inbound IP setting

Jeff 66 Reputation points
2021-12-21T17:15:37.067+00:00

During testing, users were unable to record an approve/reject response in emails that were sent by the "Send approval email" action (Office 365 Outlook connector). I think this is due to the Logic App "Allowed inbound IP addresses" setting in the "Workflow settings" blade. When I change that IP setting to "Any IP", users are able to record their response. When the setting is restricted to "Specific IP ranges", users are not able to record their response -- an error is displayed when they click a response option in the email; "An error occurred while recording your response."

Can this please be investigated? If the "Allowed inbound IP address" setting is indeed the cause, this presents a security vulnerability for Logic Apps that have an HTTP trigger and a "Send approval email" or "Send email with options" action. Users might prefer to secure the HTTP trigger by restricting it to only known IP addresses. If that's done, however, the "Send..." actions won't work.

At the very least, could this action limitation be added to the connector's documentation? https://learn.microsoft.com/en-us/connectors/office365/

Azure Logic Apps

Accepted answer
  1. MayankBargali-MSFT 70,511 Reputation points
    2021-12-22T08:19:41.217+00:00

    @Jeff When you restrict the IP addresses that can call Logic App endpoints and have webhook-type actions (like an approval workflow), the subsequent callback requests are blocked unless you enable the Logic App connector outbound IP addresses in the workflow settings or in the ARM template. So you would need to enable the connector outgoing IP addresses to receive the user response for the send approval email action, either in the Workflow settings IP ranges or by updating the ARM template for actions.

    You can refer to this document, which lets you restrict IP addresses for triggers as well as actions from the ARM template.

    "accessControl": {
        "triggers": {
            "allowedCallerIpAddresses": [
                {
                    "addressRange": "192.168.12.0/23"
                }
            ]
        },
        "actions": {
            "allowedCallerIpAddresses": [
                {
                    "addressRange": "192.168.12.0/23"
                }
            ]
        }
    },
    

    Let me know if you are still facing the issue once you have added the outgoing IP address as per the region where your logic app is deployed.
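The following check is an added example, not code from the answer above or from Microsoft: it reads an `accessControl` block like the one shown and reports which connector outbound ranges are still missing from the `triggers` and `actions` allow-lists. The connector ranges are constructed placeholders from documentation address space, the function names are hypothetical, and a section with no `allowedCallerIpAddresses` key is assumed to be unrestricted.

```python
import ipaddress
import json

# Constructed sample: the answer's accessControl fragment wrapped in braces, with one
# placeholder connector range (203.0.113.0/28, documentation space) added to "actions".
TEMPLATE = json.loads("""
{"accessControl": {
  "triggers": {"allowedCallerIpAddresses": [{"addressRange": "192.168.12.0/23"}]},
  "actions":  {"allowedCallerIpAddresses": [{"addressRange": "192.168.12.0/23"},
                                            {"addressRange": "203.0.113.0/28"}]}
}}
""")

# Placeholder connector outbound ranges; take the real ones from Microsoft's
# published list for the region where the logic app is deployed.
CONNECTOR_OUTBOUND = ["203.0.113.0/28", "198.51.100.7/32"]

def parse_ranges(entries):
    """Convert addressRange strings (CIDR or first-last form) to collapsed networks."""
    nets = []
    for entry in entries:
        text = entry["addressRange"].strip()
        if "-" in text:
            first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(text, strict=False))
    collapsed = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        collapsed += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return collapsed

def uncovered(access_control, section, required):
    """Return required ranges that fall outside the section's allow-list."""
    entries = access_control.get(section, {}).get("allowedCallerIpAddresses")
    if entries is None:
        return None  # assumption: no allow-list means the section is not IP-restricted
    allowed = parse_ranges(entries)
    missing = []
    for item in required:
        net = ipaddress.ip_network(item, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            missing.append(item)
    return missing

if __name__ == "__main__":
    for section in ("triggers", "actions"):
        print(section, uncovered(TEMPLATE["accessControl"], section, CONNECTOR_OUTBOUND))
```

Running this against an exported template before deployment shows whether callback traffic from the connector would be rejected, without widening the setting to "Any IP".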

