By default, when an HTTP trigger is created, it generates a URL that includes a SAS token as the sig query parameter. This value is required to call the HTTP trigger. For some customers this is a concern, because anyone holding that URL can call the endpoint from anywhere on the internet, outside the organization's network. Should a developer leave the organization while still having access to the URL and SAS key, they could potentially misuse it.
Fronting logic apps with Azure APIM, or applying IP filtering, does reduce this attack surface, and both are good practices. However, there still isn't much comfort with a SAS key that can simply be copied and pasted.
Another option is to enable Azure AD authentication for the logic app, so that only authenticated callers can invoke it. I have put together a couple of videos that walk through this process in more detail. The first video covers Consumption-based Logic Apps, whereas the second and third videos apply to Logic Apps (Standard).
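As an added example (not code from the original post), the Python helper below covers both points above: it detects a SAS token in a Logic App callback URL (useful for finding trigger URLs that were pasted into pipeline files or tickets), strips the SAS parts, and builds the request for an Azure AD call instead, since the trigger should be called with either the SAS or a Bearer token, not both. Acquiring the access token (for example with MSAL client credentials against the audience configured in the logic app's authorization policy) is assumed to have happened elsewhere; the URL and configuration text are constructed samples, not real endpoints.

```python
"""Added example: inspect Logic App HTTP trigger URLs for an embedded SAS
token and build an Azure AD (Bearer) request instead.

Assumptions: an access token for the logic app's configured audience was
already obtained (e.g. via MSAL); token acquisition is out of scope here.
The sample URL and config text below are constructed, not real endpoints.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters Logic Apps attaches to the generated callback URL:
# "sig" is the SAS signature, "sp" the permission path, "sv" the version.
SAS_PARAMS = {"sig", "sp", "sv"}

# Matches Consumption (logic.azure.com) and Standard (azurewebsites.net)
# trigger URLs embedded in free text, stopping at whitespace or quotes.
LOGIC_APP_URL = re.compile(
    r"https://[^\s\"']*?\.(?:logic\.azure\.com|azurewebsites\.net)[^\s\"']*",
    re.IGNORECASE,
)


def has_sas_token(url: str) -> bool:
    """True if the URL carries a SAS signature (sig=...) in its query string."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return "sig" in params


def strip_sas(url: str) -> str:
    """Return the URL without the SAS parameters, keeping api-version etc.

    When switching the trigger to Azure AD authentication the SAS parts must
    be dropped: the call then authenticates with the Authorization header.
    """
    parts = urlsplit(url)
    kept = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k not in SAS_PARAMS
    ]
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment)
    )


def aad_request(url: str, access_token: str) -> tuple:
    """Build (url, headers) for calling the trigger with an Azure AD token."""
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    }
    return strip_sas(url), headers


def find_leaked_sas_urls(text: str) -> list:
    """Defender helper: list Logic App URLs in `text` that still carry a SAS."""
    return [
        m.group(0)
        for m in LOGIC_APP_URL.finditer(text)
        if has_sas_token(m.group(0))
    ]


# Constructed sample: a pipeline config with a pasted SAS-bearing trigger URL.
SAMPLE_CONFIG = """pipeline:
  callback: "https://prod-00.westus.logic.azure.com:443/workflows/0000/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=EXAMPLE_SIG_VALUE"
  other: https://example.com/hook?token=abc
"""

if __name__ == "__main__":
    for leaked in find_leaked_sas_urls(SAMPLE_CONFIG):
        print("SAS token found in trigger URL:", leaked)
        clean_url, hdrs = aad_request(leaked, "<access-token-placeholder>")
        print("Azure AD call would use:", clean_url, hdrs["Authorization"][:14] + "...")
```

Running the block reports the one URL in the constructed config that carries a sig parameter, while the unrelated example.com webhook is ignored; the returned clean URL keeps only api-version, which is the shape a Bearer-authenticated call uses.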