Enabling Azure AD Authentication on HTTP Triggers


By default, when an HTTP trigger is created, it will generate a URL and includes a SAS token as part of the sig query parameter. This value is required to call this HTTP trigger. For some customers, this is a concern as it allows the endpoint to be called from outside the network as that URL can be called anywhere over the internet. Should a developer leave an organization and continue to have access to this URL and SAS key, they could potentially do some bad things with it.

The ability to front logic apps with Azure APIM or through IP filtering does reduce this attack area and are good practices. However, there still isn’t a lot of comfort with the SAS key being copied and pasted.

Another option that we do have is by enabling Azure AD authentication for that logic app to ensure that only authenticated callers can call the logic app. I have put together a couple videos that go through this process in more detail. The first video relates to Consumption-based Logic Apps, whereas the second and third videos are applicable to Logic Apps (Standard).

Logic Apps Consumption Video

Logic Apps (Standard) video
Using Managed Identities to call EasyAuth Enabled Logic Apps (Standard) Triggers

One thought on “Enabling Azure AD Authentication on HTTP Triggers

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s