Microsoft.Web/Connections | Access Policies

Posted by Andrew Wilson on Wednesday, April 10, 2024

Problem Space

I have recently been adding email alerting to some Logic App Standard workflows as part of the error handling flow. In doing so I made use of an existing Office 365 Outlook connector in the Azure subscription; this connector is not built in for Standard Logic Apps but is instead one of the Managed API Connections.

A Managed API Connector needs more than just the connection details entered in the Logic App's connections.json configuration, shown below:

{
  "managedApiConnections": {
    "office365": {
      "api": {
        "id": "@appsetting('office365_apiId')"
      },
      "authentication": {
        "type": "ManagedServiceIdentity"
      },
      "connection": {
        "id": "@appsetting('office365_connectionId')"
      },
      "connectionRuntimeUrl": "@appsetting('office365_connectionRuntimeUrl')"
    }
  }
}

The Managed API Connector also requires that the Logic App has been granted access to the connector through an access policy. This can be configured through the Azure Portal or through infrastructure deployments; in my case I opted for infrastructure deployments using Bicep templates.

It was at this point that I realised that the access policy resource, a child resource of Microsoft.Web/connections, is not documented and cannot be obtained through an Azure Portal template export or through the Resource Explorer.

Solution

From digging around, the access policy resource has the following ARM template schema:

{
   "type": "Microsoft.Web/connections/accessPolicies",
   "apiVersion": "2016-06-01",
   "name": "[concat('<connection-name>', '/', '<object-ID>')]",
   "location": "<location>",
   "dependsOn": [
      "[resourceId('Microsoft.Web/connections', parameters('connection_name'))]"
   ],
   "properties": {
      "principal": {
         "type": "ActiveDirectory",
         "identity": {
            "objectId": "<object-ID>",
            "tenantId": "<tenant-ID>"
         }
      }
   }
}

Resource Properties

Parameter          Description
<connection-name>  The name of your managed API connection, for example office365
<object-ID>        The object ID of your Microsoft Entra identity, for example the system-assigned managed identity of the Logic App
<tenant-ID>        The tenant ID of your Microsoft Entra identity

In Bicep this takes on the following form:

@description('Create the access policy for the Logic App to access the managed API connection')
resource managedAPIConnectionAccessPolicy 'Microsoft.Web/connections/accessPolicies@2016-06-01' = {
  name: logicApp.name // Using the Logic App Name for readability
  parent: managedAPIConnector
  location: Location
  properties: {
    principal: {
      type: 'ActiveDirectory'
      identity: {
        tenantId: subscription().tenantId
        objectId: logicApp.identity.principalId // Using the System Assigned Managed Identity of the Logic App
      }
    }
  }
}

Note

The Bicep tooling gives the following warning, but it hinders neither the transpilation into ARM nor the deployment of the resource:

Resource type "Microsoft.Web/connections/accessPolicies@2016-06-01" does not have types available.
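The access policy above in context, as an added example that is not part of the original post: a V2 connection is created, the access policy grants only the existing Logic App's system-assigned identity access to it, and the three values that connections.json resolves through @appsetting(...) are exposed as outputs. It assumes the Logic App already exists in the same resource group with a system-assigned identity, and that the names logicAppName and connectionName are supplied as parameters.

```bicep
// Added example, not the post's own template.
// Assumes the Standard Logic App already exists in this resource group
// with a system-assigned managed identity enabled.
param location string = resourceGroup().location
param logicAppName string
param connectionName string = 'office365'

resource logicApp 'Microsoft.Web/sites@2022-09-01' existing = {
  name: logicAppName
}

// V2 connections are the kind Standard workflows use; they expose connectionRuntimeUrl
resource managedAPIConnector 'Microsoft.Web/connections@2016-06-01' = {
  name: connectionName
  location: location
  kind: 'V2'
  properties: {
    displayName: connectionName
    api: {
      id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'office365')
    }
  }
}

// Grant access to exactly one principal: the Logic App's managed identity
resource managedAPIConnectionAccessPolicy 'Microsoft.Web/connections/accessPolicies@2016-06-01' = {
  name: logicApp.name
  parent: managedAPIConnector
  location: location
  properties: {
    principal: {
      type: 'ActiveDirectory'
      identity: {
        tenantId: subscription().tenantId
        objectId: logicApp.identity.principalId
      }
    }
  }
}

// App setting values referenced by connections.json as
// @appsetting('office365_apiId'), @appsetting('office365_connectionId')
// and @appsetting('office365_connectionRuntimeUrl')
output office365_apiId string = managedAPIConnector.properties.api.id
output office365_connectionId string = managedAPIConnector.id
output office365_connectionRuntimeUrl string = managedAPIConnector.properties.connectionRuntimeUrl
```

After deployment the Office 365 connection still has to be authorised (its OAuth consent completed) before the workflow can send mail through it.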