- About this sample
- How to install the application
This sample shows a way to secure your Logic App with Azure Active Directory and expose it through Azure API Management (APIM). Another logic app calls the protected logic app after retrieving a JWT token from Azure AD.
An APIM policy validates the JWT token inside APIM to make sure the audience is valid.
The protected logic app has an IP restriction that accepts HTTP calls only from the public IP of API Management.
For additional security you could host APIM inside a Virtual Network.
The first step is to fork this repository into your GitHub account.
You will need to register three applications in Azure Active Directory that represent the three logic apps in this sample.
Go to your Azure Active Directory and open the App registrations blade. From there click the + New registration button and enter the information below.
Once the application is created, click the App roles | Preview button.
Enter the information below for the role.
Now you need to expose the application so other apps can call it using app roles. We use the client credentials flow in this example; for more information about this flow click here.
Now click Expose an API in the left menu.
Click the Set hyperlink at the top.
The last step is to update the manifest of the application so that it uses the v2 Azure AD endpoint. Click Manifest in the left menu and change the accessTokenAcceptedVersion value to 2.
If you want to learn more about Azure Active Directory from a developer perspective, Microsoft has good documentation here.
Now you need to create one more application in Azure AD.
Create the application Logic-App-Workflow-A by repeating the Create App AD step with the name Logic-App-Workflow-A.
Once that is done, click API permissions in the menu.
Click the Add a permission button.
Select My APIs and select Logic-App-Workflow-B.
Select the app role created before.
The last step is to grant admin consent for the added permission by clicking Grant admin consent.
Now you need to create a client secret: click Certificates & secrets in the left menu.
Click the New client secret button and copy the value; you will need it later.
Finally, update the manifest of this application too, as you did before.
Now, to be able to run the GitHub Action that will create all the Azure resources, you will need to create GitHub Secrets.
| Secret | Value |
|---|---|
| AUDIENCE | ClientID of the Logic-App-Workflow-B in Azure AD |
| CLIENT_ID | ClientID of the Logic-App-Workflow-A in Azure AD |
| PUBLISHER_EMAIL | Your email to receive a notification when APIM is created |
| PUBLISHER_NAME | Your name |
| SECRET | Client secret created from application Logic-App-Workflow-A |
| SP_AZURE_CREDENTIALS | Follow this link https://github.com/Azure/login to know which value to enter |
| SUBSCRIPTION_ID | The subscription Id where you want to deploy the resources |
| TENANT_ID | The Azure TenantId where you want to deploy the resources |
Now click the GitHub Actions tab at the top.
Click the deploy infra button.
Finally click the Run workflow button; the deployment takes ~45 minutes.
Now you will need to add this APIM policy to the Logic-App API created in APIM.
The policy needs to be applied to the only operation present there. Replace the placeholder values with your tenantId and the appId (client ID) of Logic-App-Workflow-B registered in Azure AD.
To understand more about Azure APIM policies click [here](https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-policies).
```xml
<policies>
    <inbound>
        <!-- Inherit the API-level inbound policies (the other sections already do this). -->
        <base />
        <!-- Reject the call with 401 unless the bearer token in the Authorization header
             is signed by this tenant (keys are fetched from the openid-config URL)
             and carries the protected app's client ID as its audience. -->
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <!-- {{tenantId}}: placeholder, replace with your Azure AD tenant ID or define it as an APIM named value. -->
            <openid-config url="https://login.microsoftonline.com/{{tenantId}}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <!-- Placeholder: the appId (client ID) of Logic-App-Workflow-B. -->
                <audience>{{appId logic app B Azure AD}}</audience>
            </audiences>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```
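The following Python script is an added example and is not part of this sample or of the two logic apps it deploys. It ties together the two sides described on this page: the client credentials request that the calling logic app (Logic-App-Workflow-A) makes to the Azure AD v2.0 token endpoint, and the claim checks that the validate-jwt policy above performs on the resulting token (issuer, audience, expiry). It also checks the roles claim, which the policy above does not do; APIM can enforce that too with a required-claims element inside validate-jwt. The tenant ID, the client ID of Logic-App-Workflow-B, the role name LogicApp.Invoke and the demo token are all constructed placeholders, and the demo token is unsigned so the script runs offline: signature verification against the JWKS published at the openid-config URL is exactly what APIM adds on top of these checks.

```python
"""Client credentials request and JWT claim checks mirroring the APIM validate-jwt policy.

Added example; tenant/app IDs and the role name are constructed placeholders.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

LOGIN_BASE = "https://login.microsoftonline.com"


def build_token_request(tenant_id, client_id, client_secret, audience_app_id):
    """Return (url, form_body) for an OAuth 2.0 client credentials grant against
    the Azure AD v2.0 token endpoint. The scope '<appId>/.default' requests the
    app roles that were granted (and admin-consented) to client_id on the audience app."""
    url = f"{LOGIN_BASE}/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{audience_app_id}/.default",
    }
    return url, urllib.parse.urlencode(form)


def request_token(tenant_id, client_id, client_secret, audience_app_id):
    """Perform the token request over the network. Not used by the offline demo below."""
    url, body = build_token_request(tenant_id, client_id, client_secret, audience_app_id)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)  # restore the padding JWTs strip
    return base64.urlsafe_b64decode(segment)


def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified here; APIM
    verifies it with the keys advertised at the openid-config URL in the policy."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims, tenant_id, expected_audience, required_role=None, now=None):
    """Mirror the policy's checks: issuer is this tenant's v2.0 endpoint, audience is the
    protected app's client ID, token not expired, and optionally the app role is present.
    Returns (ok, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != f"{LOGIN_BASE}/{tenant_id}/v2.0":
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if required_role is not None and required_role not in claims.get("roles", []):
        return False, "missing app role"
    return True, "ok"


def make_demo_token(claims):
    """Build a constructed, UNSIGNED token so the example runs offline. A real Azure AD
    token is RS256-signed; this fake third segment would fail APIM's signature check."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.{enc('not-a-real-signature')}"


# Constructed placeholders, not values from the sample.
DEMO_TENANT_ID = "00000000-0000-0000-0000-000000000000"
DEMO_APP_B_ID = "11111111-1111-1111-1111-111111111111"  # client ID of Logic-App-Workflow-B
DEMO_ROLE = "LogicApp.Invoke"                           # app role defined on Logic-App-Workflow-B
DEMO_NOW = 1_700_000_000
DEMO_CLAIMS = {
    "iss": f"{LOGIN_BASE}/{DEMO_TENANT_ID}/v2.0",
    "aud": DEMO_APP_B_ID,
    "exp": DEMO_NOW + 3600,
    "roles": [DEMO_ROLE],
}
DEMO_TOKEN = make_demo_token(DEMO_CLAIMS)

if __name__ == "__main__":
    url, body = build_token_request(DEMO_TENANT_ID, "client-id-of-A", "client-secret-of-A", DEMO_APP_B_ID)
    print("POST", url, "\n ", body)
    print(check_claims(decode_claims(DEMO_TOKEN), DEMO_TENANT_ID, DEMO_APP_B_ID, DEMO_ROLE, now=DEMO_NOW))
```

Note that the v2.0 issuer and the audience equal to the bare client ID are what you get only after setting accessTokenAcceptedVersion to 2 in the manifest, which is why the page has you edit it for both applications.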