AZ302 – Securing HTTP Triggers with Azure AD (Logic app, Power Automate)

Note – I am using Azure logic app in this article

Introduction

By default, Azure Logic Apps using HTTP triggers are secured with a Shared Access Signature (SAS) token. While SAS tokens provide basic security, they also have risks. A more secure approach is to use Azure Active Directory (Azure AD) authentication. This article explains why and how to configure an Azure Consumption-based Logic App to require bearer token authentication via Azure AD.


Why Move from SAS Tokens to Azure AD Authentication?

Understanding SAS Tokens

  • SAS tokens are included in the URL of an HTTP-triggered Logic App request. Whoever holds the URL can trigger the Logic App without any further authentication.

Breakdown of the SAS URL above

Component          Value
Scheme             https
Netloc             prod-23.northcentralus.logic.azure.com:443
Path               /workflows/75268a02bfc34d008f62e2403cec5ff0/triggers/When_a_HTTP_request_is_received/paths/invoke
Query parameters
  api-version      2016-10-01
  sp               /triggers/When_a_HTTP_request_is_received/run
  sv               1.0
  sig              heDicGBqdJzY0lBGeK3NjoZCj6aPQ10NtlC2M_ryeGw

Security Risks of SAS Tokens

  1. Exposed in URLs: If someone gains access to the URL, they can trigger the Logic App.
  2. No Expiry by Default: SAS tokens do not expire unless specifically regenerated.
  3. Lack of Governance Controls: Unlike Azure AD, SAS tokens do not support Conditional Access, MFA, or Role-Based Access Control (RBAC).

By integrating Azure AD authentication, we enhance security with token expiration, role-based access control, and conditional access policies.


Step-by-Step: Configuring Azure AD Authentication for Logic App

Step 1: Test the Logic App with a SAS Token

💡 Why? This ensures that the Logic App is functioning before implementing Azure AD authentication.

Before making any changes, confirm that the Logic App is accessible via SAS authentication:

  1. Add a Response action in the Logic App.
  2. Open Postman.
  3. Send a POST request to the Logic App’s HTTP trigger URL (including the SAS token).
  4. If a response is received, SAS authentication is working.


Step 2: Set Up Azure AD Authorization

To use Azure AD authentication, we need to create two Azure AD applications:

  1. Client App – Represents the system calling the Logic App.
  2. Service App – Represents the Logic App itself.

1. Register Azure AD App – Client

This application will request a bearer token to trigger the Logic App.

  • In Azure AD, create a new app registration (Client App).
  • Note Client ID and Tenant ID.
  • Generate a Client Secret (this will be used to authenticate requests).

2. Register Azure AD App – Service

This application acts as the protected API (Logic App).

  • Create a new app registration (Service App).
  • Add an App ID URI (e.g., api://mylogicapp).
  • Define API Scope:
    • Example: api://mylogicapp/.default
  • Create an App Role:
    • Assign an “Application” member type role.

3. Grant Permissions

  • In the Client App, grant permission to the Service App’s API scope.
  • Grant Admin Consent for these permissions.

💡 Why? Without proper permissions, the Client App cannot obtain a valid access token.

4. Modify Azure AD App Service Manifest

  • Open the Service App’s manifest file in Azure AD.
  • Change requestedAccessTokenVersion from null to 2.

💡 Why? The authorization policy configured in the next step uses the v2.0 issuer (https://login.microsoftonline.com/{tenantid}/v2.0). Setting this value to 2 makes Azure AD issue v2 access tokens for the Service App, so the token’s iss claim matches that issuer and token-based authentication in the Logic App works.

Step 3: Configure Authorization Policy in Logic App

  1. Open the Logic App in Azure.
  2. Navigate to Authorization Policy and create a new policy:
    • Issuer: https://login.microsoftonline.com/{tenantid}/v2.0
    • Audience: Client ID of the Service App.
  3. Save the policy.

💡 Why? This policy enforces that only Azure AD-authenticated requests are allowed.

Step 4: Modify Logic App Code

  1. Open the Logic App’s code view.
  2. Add the following property:
"operationOptions": "IncludeAuthorizationHeadersInOutputs"

💡 Why? This makes the Authorization header part of the trigger outputs, so later actions and the run history can read the bearer token; it is also what the trigger condition in Step 6 inspects.

Step 5: Test with Bearer Token

1. Get a Bearer Token via Postman

  • Make a POST request to:
https://login.microsoftonline.com/{tenantid}/oauth2/token
  • Set Body parameters (x-www-form-urlencoded):
    • client_id: Client ID of Azure AD Client App
    • client_secret: Secret of Azure AD Client App
    • grant_type: client_credentials
    • resource: App ID URI of Azure AD Service App
  • Copy the access token from the response.

💡 Why? This step verifies that the Client App can authenticate with Azure AD.

2. Trigger Logic App Using Bearer Token

  • In Postman, send a POST request to the Logic App URL without the SAS token.
  • Under Authorization, choose Bearer Token and paste the token.
  • Click Send.

💡 Why? If the request succeeds, Azure AD authentication is working!

Confirmation of Logic app trigger

Step 6: Restrict Logic App to Require Bearer Token

Note – at this stage, the SAS token is still capable of triggering the logic app. If you rerun step 1, the logic app will be activated.

To block SAS token requests, add a trigger condition:

@startsWith(triggerOutputs()?['headers']?['Authorization'], 'Bearer')

💡 Why? This ensures the Logic App only fires for requests that carry a bearer token in the Authorization header; requests authenticated only with a SAS token no longer start a run.
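The checks from Steps 3, 4 and 6 can be seen together in the following Python sketch, added here and not part of the original article: it decodes a constructed access token the way the authorization policy compares claims (issuer and audience) and applies the same trigger condition to the Authorization header. The tenant ID, Service App ID and both tokens are constructed placeholders; signature verification, which Azure performs before the policy is evaluated, is not modelled.

```python
import base64
import json
TENANT_ID = "11111111-2222-3333-4444-555555555555"        # constructed placeholder
SERVICE_APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # constructed placeholder

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Constructed JWT with a placeholder signature: Azure AD signs real tokens
    and Logic Apps verifies that signature before the claims are compared."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.placeholder-sig"

def claims_from_bearer(authorization: str) -> dict:
    """Strip the 'Bearer ' prefix and decode the JWT payload; {} if malformed."""
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return {}
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
        return json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # binascii.Error and JSON decode errors are ValueErrors
        return {}

def trigger_condition(headers: dict) -> bool:
    # Mirrors @startsWith(triggerOutputs()?['headers']?['Authorization'], 'Bearer')
    return (headers.get("Authorization") or "").startswith("Bearer")

def policy_allows(claims: dict, tenant_id: str, service_app_id: str) -> bool:
    """Step 3 policy: v2.0 issuer of the tenant and the Service App's client ID."""
    issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    return claims.get("iss") == issuer and claims.get("aud") == service_app_id

def evaluate_request(headers: dict) -> str:
    """Return the gate a request stops at, or 'accepted'."""
    if not trigger_condition(headers):
        return "blocked-by-trigger-condition"  # SAS-only requests stop here
    if not policy_allows(claims_from_bearer(headers["Authorization"]),
                         TENANT_ID, SERVICE_APP_ID):
        return "rejected-by-authorization-policy"
    return "accepted"

# Constructed tokens: v2 format (requestedAccessTokenVersion = 2) and v1 format.
V2_TOKEN = make_token({"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
                       "aud": SERVICE_APP_ID})
V1_TOKEN = make_token({"iss": f"https://sts.windows.net/{TENANT_ID}/",
                       "aud": "api://mylogicapp"})
```

The v1-format token is rejected even though it is for the same tenant, which is why the manifest change in Step 4 is required for the v2.0 issuer in the policy.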

Step 7: Test SAS Token

  • The SAS token request failed, because SAS-only requests are no longer accepted by the Logic App.

Note – The Logic App records no run history for this request, because the trigger condition was not met and the trigger did not fire.

Step 8: Capture Bearer Token in Logic App Execution (Error Handling)

  • At this stage, the Logic App only accepts triggers with a Bearer token header, and it validates the Bearer token upon triggering.
  • Add a Parse JSON action to extract the bearer token from request headers.

💡 Why? This allows logging and further validation of incoming requests.

Test

  1. Send a request using a correct Bearer token.
     The Bearer token was captured and, since it was valid, the Logic App run succeeded.
  2. Send a request using an incorrect Bearer token.
     The Logic App was not triggered.


The Logic App is now secured and cannot be triggered without a legitimate Bearer token 😊


Final Thoughts

By following these steps, we:
✅ Removed reliance on SAS tokens, eliminating URL-based security risks.
✅ Implemented Azure AD authentication, enabling token expiration, role-based access, and governance controls.
✅ Ensured only valid bearer tokens can trigger the Logic App, enhancing security.

This setup significantly improves the security posture of Azure Logic Apps while integrating seamlessly with Azure AD’s identity and access management capabilities. 🚀

I am Yogeshkumar Patel, a Microsoft Certified Solution Architect and ERP Systems Manager with expertise in Dynamics 365 Finance & Supply Chain, Power Platform, AI, and Azure solutions. With over six years of experience, I have successfully led enterprise-level ERP implementations, AI-driven automation projects, and cloud migrations to optimise business operations. Holding a Master’s degree from the University of Bedfordshire, I specialise in integrating AI with business processes, streamlining supply chains, and enhancing decision-making with Power BI and automation workflows. Passionate about knowledge sharing and innovation, I created AI-Powered365 to provide practical insights and solutions for businesses and professionals navigating digital transformation.