We have a logic app with managed identity to communicate with a service bus.
After deploying the solution with ARM or Bicep, we manually grant the logic app access to the service bus by adding the logic app's managed identity to the sender/receiver role.
Then we test the logic app to see if it has access to service bus.
Often, but not always, we get this error: "40100: Unauthorized : Unauthorized access for 'Send' operation on endpoint 'sb://[sb-name].servicebus.windows.net/[queue-name]'"
To fix this we make a new api connection to the service bus within the logic app. Then it works. It seems to me that the api connection deployed by ARM/Bicep somehow gets broken in the deployment process.
Service bus
// Service Bus namespace that the Logic App's API connection points at.
// `servicebus` and `location` are declared outside this listing.
resource namespaces_servicebus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
  name: servicebus
  location: location
  sku: {
    tier: 'Basic'
    name: 'Basic'
  }
  properties: {
    // Clients must negotiate TLS 1.2 or newer.
    minimumTlsVersion: '1.2'
    // The namespace endpoint is reachable from public networks.
    publicNetworkAccess: 'Enabled'
    // NOTE(review): false keeps shared-access-key (SAS) authentication enabled
    // alongside Microsoft Entra ID. The Logic App in this listing authenticates
    // with its managed identity; if no other client depends on SAS keys,
    // setting this to true removes the shared-secret path — confirm first.
    disableLocalAuth: false
    zoneRedundant: false
    premiumMessagingPartitions: 0
  }
}
Api connection
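// Managed API connection for the Service Bus connector, using the
// 'managedIdentityAuth' parameter set so no connection string or key is stored.
// `location` and `connections_servicebus_name` are declared outside this listing.
resource connections_servicebus 'Microsoft.Web/connections@2018-07-01-preview' = {
  // The listing used the resource's own symbolic name here, which is a
  // self-reference. The value already used for displayName is used instead.
  // NOTE(review): confirm this is the intended connection name.
  name: connections_servicebus_name
  location: location
  kind: 'V1'
  properties: {
    displayName: connections_servicebus_name
    api: {
      id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'servicebus')
    }
    parameterValueSet: {
      name: 'managedIdentityAuth'
      values: {
        namespaceEndpoint: {
          // Interpolate the namespace's name, not the resource symbol itself,
          // so the endpoint matches the host the role assignment is granted on.
          // A wrong host here would likely surface as an authorization failure
          // rather than a deployment error.
          // Referencing the symbol also gives Bicep the dependency on the
          // namespace, so an explicit dependsOn is not needed.
          value: 'sb://${namespaces_servicebus.name}.servicebus.windows.net/'
        }
      }
    }
  }
}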
Logic app
// Consumption Logic App that reaches Service Bus through the managed API
// connection, authenticating as its own system-assigned identity.
// `workflows_name` and `location` are declared outside this listing.
resource workflows_logicapp 'Microsoft.Logic/workflows@2019-05-01' = {
  name: workflows_name
  location: location
  // This identity is the principal that needs the Service Bus sender/receiver
  // role. The surrounding text says that grant is made by hand after deployment.
  // NOTE(review): the grant can instead be declared in the same template as a
  // Microsoft.Authorization/roleAssignments resource that uses
  // workflows_logicapp.identity.principalId, scoped to the queue or namespace
  // the workflow needs and no wider. Role assignments can take a few minutes to
  // take effect, so a test run straight after granting may still return 40100 —
  // confirm whether that explains the intermittent failures.
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    state: 'Enabled'
    // Workflow definition; the author elided its sections from the listing.
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      parameters: {
        [removed for brevity]
      }
      triggers: {
        [removed for brevity]
      }
      actions: {
        [removed for brevity]
      }
      outputs: {
        [removed for brevity]
      }
    }
    parameters: {
      // Binds the workflow's 'servicebus' connection reference to the API
      // connection resource declared in this template.
      '$connections': {
        value: {
          servicebus: {
            connectionName: 'servicebus'
            connectionId: connections_servicebus.id
            id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'servicebus')
            connectionProperties: {
              // The connector authenticates as the workflow's managed identity;
              // no key or connection string is involved.
              authentication: {
                type: 'ManagedServiceIdentity'
              }
            }
          }
        }
      }
    }
  }
}