After deployment Logic app is unauthorized for servicebus

Michael Cronqvist 26 Reputation points
2024-02-13T09:11:03.9566667+00:00

We have a logic app with managed identity to communicate with a service bus.

After we have deployed the solution by ARM or Bicep, we manually give logic app access to service bus by adding the logic app to sender/receiver role.

Then we test the logic app to see if it has access to service bus.

Often, not always, we get this error: "40100: Unauthorized : Unauthorized access for 'Send' operation on endpoint 'sb://[sb-name].servicebus.windows.net/[queue-name]'

To fix this we make a new api connection to the service bus within the logic app. Then it works. It seems to me that the api connection deployed by ARM/Bicep somehow gets broken in the deployment process.

Service bus

resource namespaces_servicebus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
  name: servicebus
  location: location
  sku: {
    name: 'Basic'
    tier: 'Basic'
  }
  properties: {
    premiumMessagingPartitions: 0
    minimumTlsVersion: '1.2'
    publicNetworkAccess: 'Enabled'
    disableLocalAuth: false
    zoneRedundant: false
  }
}

Api connection

resource connections_servicebus 'Microsoft.Web/connections@2018-07-01-preview' = {
  name: connections_servicebus
  location: location
  kind: 'V1'
  dependsOn: [
    namespaces_servicebus
  ]
  properties: {
    displayName: connections_servicebus_name
    api: {
      id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'servicebus')
    }
    parameterValueSet: {
      name: 'managedIdentityAuth'
      values: {
        namespaceEndpoint: {
          value: 'sb://${namespaces_servicebus}.servicebus.windows.net/'
        }
      }
    }
  }
}

Logic app

resource workflows_logicapp 'Microsoft.Logic/workflows@2019-05-01' = {
  name: workflows_name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    state: 'Enabled'
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      parameters: {
		[removed for brevity]
      }
      triggers: {
		[removed for brevity]
      }
      actions: {
		[removed for brevity]
      }
      outputs: {
		[removed for brevity]
	  }
    }
    parameters: {
      '$connections': {
        value: {
          servicebus: {
            id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'servicebus')
            connectionId: connections_servicebus.id
            connectionName: 'servicebus'
            connectionProperties: {
              authentication: {
                type: 'ManagedServiceIdentity'
              }
            }
            
          }
        }
      }
    }
  }
}
Azure Service Bus
Azure Service Bus
An Azure service that provides cloud messaging as a service and hybrid integration.
657 questions
Azure Logic Apps
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
3,299 questions
0 comments No comments
{count} vote

2 answers

Sort by: Most helpful
  1. Mike Urnun 9,831 Reputation points Microsoft Employee
    2024-02-15T04:30:48.5+00:00

    Hello @Michael Cronqvist - Thanks for reaching out, and engaging the MS Q&A community.

    It sounds like the issue is intermittent, so it's likely that you're hitting a known limitation in Managed Identity where cached tokens expire, here's more on this: Are managed identities tokens cached?

    0 comments No comments

  2. Pak-Hun Chan 20 Reputation points
    2024-12-10T23:27:41.3733333+00:00

    I'm so glad I saw your post @Michael Cronqvist !

    I just ran into a near identical problem. I set up a Logic App last night to consume messages from my Service Bus topic subscription, and it was working just fine. Without changing anything with the Logic App, user-assigned managed identity, or Service Bus, I started getting this error today:
    "40100: Unauthorized : Unauthorized access for 'Receive' operation"

    Checked through everything, compared it with another similarly designed Logic App, rebuilt some of the Logic App actions, re-added the managed identity, but nothing helped

    Saw this post, created a new Service Bus connection within Logic App, and it immediately fixed the problem!

    Thanks Michael!

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.