Daniel Jonathan

🔐 Enabling Easy Auth for Azure Logic Apps (Standard)

When you expose a Logic App workflow through an HTTP trigger, you usually secure it with a Shared Access Signature (SAS) key (sig=...). While that works, it’s not ideal: the signature travels in the URL itself, so anyone with the URL can call your workflow.

A better option is to enable App Service Authentication/Authorization (also known as Easy Auth) in front of your Logic App. This way, only callers with a valid Microsoft Entra ID (Azure AD) token can invoke your workflows.

In this guide, I’ll show you how to enable Easy Auth for Logic Apps Standard (single-tenant).


🚦 Prerequisites

  • A Logic App (Standard) deployed in Azure
  • An App Registration in Microsoft Entra ID (Azure AD)
  • Owner or Contributor rights on the Logic App resource

⚠️ Note: Easy Auth is not available for Logic Apps (Consumption). For Consumption, you’ll need API Management or IP restrictions.


🔧 Step 1: Enable, Configure, and Enforce Authentication

  1. Go to your Logic App in the Azure Portal.
  2. Under Settings, select Authentication.
  3. Click Add identity provider → choose Microsoft.
  4. Select your existing App Registration (or create a new one) and Save.
  5. After adding, click Edit on the Microsoft provider and configure:
    • Issuer URL: use the v2.0 endpoint for your tenant:
      https://login.microsoftonline.com/<tenantId>/v2.0
    • Allowed token audiences
      • api://<your-client-id>
      • <your-client-id> (the raw GUID)
    • Additional checks
      • Client application requirement
        • Allow requests from specific client applications (recommended, list trusted client IDs)
        • or Allow requests from any application (for testing)
      • Identity requirement
        • Allow requests from any identity (default)
        • or Allow requests from specific identities (restrict to chosen users/groups)
      • Tenant requirement
        • Only from this tenant (recommended for single-tenant)
        • or Allow requests from any Microsoft Entra tenant (multi-tenant)
  6. Open Authentication → Settings and review:
    • App Service authentication → Enabled
    • Restrict access → Require authentication (blocks unauthenticated requests)
  7. Save your changes.

  1. Acquire a token for your Logic App (using Postman, Azure CLI, or your app).
    • Example: in Postman, use grant_type=client_credentials with your client_id, client_secret, and scope.
    • The response will include an access_token.
  2. Decode the token at https://jwt.ms.
    • Paste the access_token into the decoder.
    • Look for the claim "oid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" in the payload.
    • This value is the Object ID (OID) of the user or service principal.
  3. Configure Identity Requirement in your Logic App.
    • Go to Authentication → Microsoft provider → Identity requirement.
    • Select Allow requests from specific identities.
    • Paste the OID(s) you collected into the allowed list.
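
If you would rather not paste an access token into a website, the same claims can be read locally. The script below is an added example, not part of the original post or of Easy Auth itself: it decodes the payload and compares it with the values entered in Step 1, so you know which setting to look at when a call is rejected. The function names, the placeholder GUIDs and the mapping of each setting to a claim (azp/appid, oid, tid) are assumptions of this example, and it does not verify the token signature.

```python
import base64
import json

def decode_claims(token):
    """Return the JWT payload as a dict. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def preflight(claims, policy):
    """List the Step 1 settings that these token claims do not match."""
    problems = []
    if claims.get("iss") != policy["issuer"]:
        problems.append("Issuer URL")
    if claims.get("aud") not in policy["audiences"]:
        problems.append("Allowed token audiences")
    # v2.0 tokens name the calling app in azp, v1.0 tokens in appid
    client = claims.get("azp") or claims.get("appid")
    if policy["client_apps"] and client not in policy["client_apps"]:
        problems.append("Client application requirement")
    if policy["identities"] and claims.get("oid") not in policy["identities"]:
        problems.append("Identity requirement")
    if claims.get("tid") != policy["tenant"]:
        problems.append("Tenant requirement")
    return problems

# Constructed placeholder values, not real IDs
TENANT = "11111111-1111-1111-1111-111111111111"
API_APP = "22222222-2222-2222-2222-222222222222"      # <your-client-id>
CALLER_APP = "33333333-3333-3333-3333-333333333333"   # trusted client ID
CALLER_OID = "44444444-4444-4444-4444-444444444444"   # allowed identity
POLICY = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "audiences": [f"api://{API_APP}", API_APP],
    "client_apps": [CALLER_APP],
    "identities": [CALLER_OID],
    "tenant": TENANT,
}

def make_sample_token(**overrides):
    """Build an unsigned token from constructed claims (demo input only)."""
    claims = {"iss": POLICY["issuer"], "aud": API_APP, "azp": CALLER_APP,
              "oid": CALLER_OID, "tid": TENANT, **overrides}
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

if __name__ == "__main__":
    print(preflight(decode_claims(make_sample_token()), POLICY))
```

Replace make_sample_token() with the access_token from your token response and fill POLICY with your own tenant and client IDs; an empty list means every configured check matches.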

✅ Validation & Testing

Here’s how the Logic App behaves with different authentication methods:

  1. Using SAS Key (default) → works, but less secure: anyone with the URL + sig can call it.
  2. Using Easy Auth (Bearer Token) → works ✅, and only valid Entra ID tokens are accepted.
  3. Missing Bearer Prefix → fails with 401 Unauthorized.

⚡ Wrapping Up

With Easy Auth enabled and Identity requirement restricted to specific OIDs:

  • Your Logic App endpoints are protected by Microsoft Entra ID.
  • Only specific client apps, tenants, and identities can access them.
  • This brings your Logic App in line with enterprise-grade API security practices.
