
Logic Apps Standard Managed Identity for API Connection using Access Policy With Azure Bicep

Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. There are two types of managed identities: system-assigned and user-assigned. This article focuses only on the system-assigned type.

System Managed Identity

  • Created as part of an Azure resource (for example, Azure Virtual Machines or Azure App Service).
  • Shared life cycle with the Azure resource that the managed identity is created with. When the parent resource is deleted, the managed identity is deleted as well.
  • Can’t be shared. It can only be associated with a single Azure resource.

Steps

  1. Enable System Identity when creating Logic Apps
  2. Give identity access to API connection using an Access Policy

Enable System Identity when creating Logic Apps

This article will not show how to create a Logic Apps Standard resource using Bicep; for that, you can check this great demo from Samuel Kastberg.

When creating your Logic App, add the identity object to the site resource in your Bicep code:

identity: {
  type: 'SystemAssigned'
}

If the deployment created the Logic App successfully, the system-assigned identity shows as enabled in the Azure portal.

Give identity access to API connection using an Access Policy

// MyConnection is the symbolic name of the API connection (Microsoft.Web/connections)
// and MyLA the symbolic name of the Logic Apps Standard site, both declared elsewhere
// in the same Bicep file. The access policy is a child of the connection, so its name
// is '<connection name>/<policy name>'; using the Logic App name as the policy name
// makes it obvious which principal the policy is for.
resource MyLAAccessPolicy 'Microsoft.Web/connections/accessPolicies@2016-06-01' = {
  name: '${MyConnection.name}/${MyLA.name}'
  location: resourceGroup().location
  properties: {
    principal: {
      type: 'ActiveDirectory'
      identity: {
        tenantId: subscription().tenantId
        // principalId of the system-assigned identity; available only after the
        // Logic App has been deployed with identity.type = 'SystemAssigned'
        objectId: MyLA.identity.principalId
      }
    }
  }
}

Important:

The access policy name must have the format: connection name + / + Logic Apps name or ID.
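The two steps above, put together as an added example (not the article's own code): it assumes a Logic Apps Standard site named by the hypothetical parameter logicAppName already exists in the resource group with its system-assigned identity enabled, creates an Office 365 managed API connection, and grants only that identity access to it through the access policy, using the Bicep parent property to produce the required "connection name/policy name" format.

```bicep
// Added example, not from the article. Assumes the Logic Apps Standard site
// identified by logicAppName already exists with identity.type = 'SystemAssigned'.
param logicAppName string
param connectionName string = 'office365-conn'
param location string = resourceGroup().location

// Existing Logic Apps Standard site (Microsoft.Web/sites, kind 'functionapp,workflowapp').
resource logicApp 'Microsoft.Web/sites@2022-09-01' existing = {
  name: logicAppName
}

// Managed API connection. On its own it grants nothing: a Standard workflow can only
// use it through a principal that an access policy on the connection allows.
resource office365Connection 'Microsoft.Web/connections@2016-06-01' = {
  name: connectionName
  location: location
  properties: {
    displayName: connectionName
    api: {
      id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'office365')
    }
  }
}

// Access policy scoped to exactly one principal: the site's system-assigned identity.
// 'parent' makes the deployed name '<connectionName>/<logicAppName>', the format the
// article calls out, without string interpolation.
resource accessPolicy 'Microsoft.Web/connections/accessPolicies@2016-06-01' = {
  parent: office365Connection
  name: logicApp.name
  location: location
  properties: {
    principal: {
      type: 'ActiveDirectory'
      identity: {
        tenantId: subscription().tenantId
        objectId: logicApp.identity.principalId
      }
    }
  }
}

// After deployment, the objectId on the access policy must equal this value;
// a mismatch means the workflow's identity will be rejected by the connection.
output logicAppPrincipalId string = logicApp.identity.principalId
```

Any other identity (a different Logic App, a user, a service principal) gets no policy here and therefore cannot call this connection, which is the least-privilege property the access policy is meant to enforce.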

Recommended reading

Authenticate access to Azure resources with managed identities in Azure Logic Apps