Failure of office365 API connection authentication/authorization due to cross api connection in logic apps

Question

Hi Team,

I am facing issue of re-authentication and authorization issue into logic app deployment using ARM template. I have found several solutions but none of them worked for me. Actually my requirement is slightly different, which I am writing below.

Introduction
We are working for our client and our client do not have office365 complete subscription. We had introduced solution to my client with logic apps.
We have several logic apps in that we are using office365 connectors for notification and upload data on SharePoint, these connector are authenticated with my organization's credentials while this entire logic app is deployed at my client's Azure Cloud. In brief, these logic apps are hybrid logic apps which means logic apps have office365 connector of my company and this logic app deployed in client's Azure cloud environment.
Issue
We are facing issue whenever we deploy logic app's arm template, logic apps ask for the authentication for office365 steps.
I followed following documentations and solutions but didn't worked for me due to hybrid solution.

• https://www.bruttin.com/2017/06/13/deploy-logic-app-with-arm.html
• https://social.msdn.microsoft.com/Forums/en-US/7a9e8ebe-3438-4916-8041-2058fcdc1e31/arm-resource-manager-template-connection-parameters-for-oauth-googlesheet-managed-api?forum=azurelogicapps
• https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-azure-resource-manager-templates-overview#authenticate-connections
• https://stackoverflow.com/questions/60230373/azure-logic-app-with-sharepoint-connection
• https://stackoverflow.com/questions/49733941/arm-template-office-365-connection-for-logic-apps
• https://blogs.msdn.microsoft.com/logicapps/2016/02/23/deploying-in-the-logic-apps-preview-refresh/
• http://blog.davidebbo.com/2015/01/azure-resource-manager-client.html
• https://stackoverflow.com/questions/51713476/azure-logic-app-office365-connection-creation-by-arm-template
• https://github.com/logicappsio/LogicAppConnectionAuth (For authorize to a connection, but it authorize if and only if it is internal or external cloud)
• https://stackoverflow.com/questions/60703570/how-to-deploy-logic-app-with-o365-connector-within-arm-template

After hit and try above solutions, I come to know all solutions are correct but it wouldn't work in my case because I am using hybrid connection in a logic app.

Please let me know if anyone has a solution of this issue.

Answer 1

@Ashish Jain Thank you for sharing the details offline. From the details it seems the execution is failing for the share point online connector. I have discussed this internally and figured that in PowerAutomate or LogicApps scenario, connection is created before it is possible to know what tenant user is going to access so the only option defaults to the user’s home tenant as today. By default, the token generated for authentication will correspond to user’s root site – both audience and tenantId. Later, connector can exchange the token for different audience (for X-Geo scenarios) but tenantId will remain same. That is how it works today and there is no workaround. As of now, there is no way to access non-home tenants from PowerAutomate/LogicApps. We are currently taking this up with the concerned team to check we can get this added in the document.

Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.