Muokkaa

Jaa


Add authentication when calling custom APIs from Azure Logic Apps

To improve security for calls to your APIs, you can set up Microsoft Entra authentication through the Azure portal so you don't have to update your code. Or, you can require and enforce authentication through your API's code.

You can add authentication in the following ways:

Authenticate calls to your API without changing code

Here are the general steps for this method:

  1. Create two Microsoft Entra application identities: one for your logic app resource and one for your web app (or API app).

  2. To authenticate calls to your API, use the credentials (client ID and secret) for the service principal that's associated with the Microsoft Entra application identity for your logic app.

  3. Include the application IDs in your logic app's workflow definition.

Part 1: Create a Microsoft Entra application identity for your logic app

Your logic app resource uses this Microsoft Entra application identity to authenticate against Microsoft Entra ID. You only have to set up this identity one time for your directory. For example, you can choose to use the same identity for all your logic apps, even though you can create unique identities for each logic app. You can set up these identities in the Azure portal or use PowerShell.

  1. In the Azure portal, select Microsoft Entra ID.

  2. Confirm that you're in the same directory as your web app or API app.

    Tip

    To switch directories, choose your profile and select another directory. Or, select Overview > Switch directory.

  3. On the directory menu, under Manage, select App registrations > New registration.

    The All registrations list shows all the app registrations in your directory. To view only your app registrations, select Owned applications.

    Screenshot showing Azure portal with Microsoft Entra instance, "App registration" pane, and "New application registration" selected.

  4. Provide a user-facing name for your logic app's application identity. Select the supported account types. For Redirect URI, select Web, provide a unique URL where to return the authentication response, and select Register.

    Screenshot showing "Register an application" pane with application identity name and URL where to send authentication response.

    The Owned applications list now includes your created application identity. If this identity doesn't appear, on the toolbar, select Refresh.

    Screenshot showing the application identity for your logic app.

  5. From the app registrations list, select your new application identity.

  6. From the application identity navigation menu, select Overview.

  7. On the Overview pane, under Essentials, copy and save the Application ID to use as the "client ID" for your logic app in Part 3.

    Screenshot showing the application (client) ID underlined.

  8. From the application identity navigation menu, select Certificates & secrets.

  9. On the Client secrets tab, select New client secret.

  10. For Description, provide a name for your secret. Under Expires, select a duration for your secret. When you're done, select Add.

    The secret that you create acts as the application identity's "secret" or password for your logic app.

    Screenshot showing secret creation for application identity.

    On the Certificates & secrets pane, under Client secrets, your secret now appears along with a secret value and secret ID.

    Screenshot showing secret value and secret ID with copy button for secret value selected.

  11. Copy the secret value for later use. When you configure your logic app in Part 3, you specify this value as the "secret" or password.

Part 2: Create a Microsoft Entra application identity for your web app or API app

If your web app or API app is already deployed, you can turn on authentication and create the application identity in the Azure portal. Otherwise, you can turn on authentication when you deploy with an Azure Resource Manager template.

Create the application identity for a deployed web app or API app in the Azure portal

  1. In the Azure portal, find and select your web app or API app.

  2. Under Settings, select Authentication > Add identity provider.

  3. After the Add an identity provider pane opens, on the Basics tab, from the Identity provider list, select Microsoft to use Microsoft Entra identities, and then select Add.

  4. Now, create an application identity for your web app or API app as follows:

    1. For App registration type, select Create new app registration.

    2. For Name, provide a name for your application identity.

    3. For Supported account types, select the account types appropriate for your scenario.

    4. For Restrict access, select Require authentication.

    5. For Unauthenticated requests, select the option based on your scenario.

    6. When you're done, select Add.

    The application identity that you just created for your web app or API app now appears in the Identity provider section:

    Screenshot showing newly created application identity for web app or API app.

    Tip

    If the application identity doesn't appear, on the toolbar, select Refresh.

Now you must find the application (client) ID and tenant ID for the application identity that you just created for your web app or API app. You use these IDs in Part 3. So, continue with the following steps for the Azure portal.

Find application identity's client ID and tenant ID for your web app or API app in the Azure portal

  1. On your web app's navigation menu, select Authentication.

  2. In the Identity provider section, find the application identity you previously created. Select the name for your application identity.

    Screenshot showing newly created application identity with 'Overview' pane open.

  3. After the application identity's Overview pane opens, find the values for Application (client) ID and Directory (tenant) ID. Copy and save the values for use in Part 3.

    Screenshot showing application identity's 'Overview' pane open with 'Application (client) ID' value and 'Directory (tenant) ID' value underlined.

    You can also use the tenant ID GUID in your web app or API app's deployment template, if necessary. This GUID is your specific tenant's GUID ("tenant ID") and should appear in this URL: https://sts.windows.net/{GUID}

Set up authentication when you deploy with an Azure Resource Manager template

If you're using an Azure Resource Manager template (ARM template), you still have to create a Microsoft Entra application identity for your web app or API app that differs from the app identity for your logic app. To create the application identity, and then find the client ID and tenant ID, follow the previous steps in Part 2 for the Azure portal. You'll use both the client ID and tenant ID in your app's deployment template and also for Part 3.

Important

When you create the Microsoft Entra application identity for your web app or API app, you must use the Azure portal, not PowerShell. The PowerShell commandlet doesn't set up the required permissions to sign users into a website.

After you get the client ID and tenant ID, include these IDs as a subresource of your web app or API app in your deployment template:

"resources": [
   {
      "apiVersion": "2015-08-01",
      "name": "web",
      "type": "config",
      "dependsOn": ["[concat('Microsoft.Web/sites/','parameters('webAppName'))]"],
      "properties": {
         "siteAuthEnabled": true,
         "siteAuthSettings": {
            "clientId": "<client-ID>",
            "issuer": "https://sts.windows.net/<tenant-ID>/"
         }
      }
   }
]

To automatically deploy a blank web app and a logic app together with Microsoft Entra authentication, view the complete template here, or select the following Deploy to Azure button:

Deploy to Azure

Part 3: Populate the Authorization section in your logic app

The previous template already has this authorization section set up, but if you are directly authoring your logic app definition, you must include the full authorization section.

  1. Open your logic app definition in code view.

  2. Go to the HTTP action definition, find the Authorization section, and include the following properties:

{
   "tenant": "<tenant-ID>",
   "audience": "<client-ID-from-Part-2-web-app-or-API app>",
   "clientId": "<client-ID-from-Part-1-logic-app>",
   "secret": "<secret-from-Part-1-logic-app>",
   "type": "ActiveDirectoryOAuth"
}
Property Required Description
tenant Yes The GUID for the Microsoft Entra tenant
audience Yes The GUID for the target resource that you want to access, which is the client ID from the application identity for your web app or API app
clientId Yes The GUID for the client requesting access, which is the client ID from the application identity for your logic app
secret Yes The secret or password from the application identity for the client that's requesting the access token
type Yes The authentication type. For ActiveDirectoryOAuth authentication, the value is ActiveDirectoryOAuth.

For example:

{
   "actions": {
      "HTTP": {
         "inputs": {
            "method": "POST",
            "uri": "https://your-api-azurewebsites.net/api/your-method",
            "authentication": {
               "tenant": "tenant-ID",
               "audience": "client-ID-from-azure-ad-app-for-web-app-or-api-app",
               "clientId": "client-ID-from-azure-ad-app-for-logic-app",
               "secret": "key-from-azure-ad-app-for-logic-app",
               "type": "ActiveDirectoryOAuth"
            }
         }
      }
   }
}

Secure API calls through code

Certificate authentication

To validate the incoming requests from your logic app workflow to your web app or API app, you can use client certificates. To set up your code, learn how to configure TLS mutual authentication.

Important

In production environments, always protect sensitive information and secrets, such as credentials, certificates, thumbprints, access keys, and connection strings. Make sure that you securely store such information by using Microsoft Entra ID and Azure Key Vault. Avoid hardcoding this information, sharing with other users, or saving in plain text anywhere that others can access. Rotate your secrets as soon as possible if you think this information might be compromised. For more information, see About Azure Key Vault.

In the Authorization section, include the following properties:

{
   "type": "ClientCertificate",
   "password": "<password>",
   "pfx": "<long-pfx-key>"
}
Property Required Description
type Yes The authentication type. For TLS/SSL client certificates, the value must be ClientCertificate.
password No The password for accessing the client certificate (PFX file)
pfx Yes The base64-encoded contents of the client certificate (PFX file)

Basic authentication

To validate incoming requests from your logic app to your web app or API app, you can use basic authentication, such as a username and password. Although basic authentication is a common pattern, and you can use this authentication in any language used to build your web app or API app, in production scenarios, use the best authentication level that's available.

Important

For optimal security, use Microsoft Entra ID with managed identities for authentication when possible. This method provides superior security without having to provide credentials. Azure manages this identity and helps keep authentication information secure so that you don't have to manage this sensitive information yourself. To set up a managed identity for Azure Logic Apps, see Authenticate access and connections to Azure resources with managed identities in Azure Logic Apps.

If you have to use a different authentication type, use the next highest level security option available. For example, suppose that you have to create a connection by using a connection string instead. A connection string includes the authorization information required for your app to access a specific resource, service, or system. The access key in the connection string is similar to a root password.

In production environments, always protect sensitive information and secrets, such as credentials, certificates, thumbprints, access keys, and connection strings. Make sure that you securely store such information by using Microsoft Entra ID and Azure Key Vault. Avoid hardcoding this information, sharing with other users, or saving in plain text anywhere that others can access. Rotate your secrets as soon as possible if you think this information might be compromised. For more information, see About Azure Key Vault.

In the Authorization section, include the following properties:

{
   "type": "Basic",
   "username": "<username>",
   "password": "<password>"
}
Property Required Description
type Yes The authentication type that you want to use. For basic authentication, the value must be Basic.
username Yes The username that you want to use for authentication
password Yes The password that you want to use for authentication

Microsoft Entra authentication through code

By default, the Microsoft Entra authentication that you turn on in the Azure portal doesn't provide fine-grained authorization. For example, this authentication locks your API to just a specific tenant, not to a specific user or app.

To restrict API access to your logic app through code, extract the header that has the JSON web token (JWT). Check the caller's identity, and reject requests that don't match.

Next steps