Restrict access to Logic App to Managed Identity - azure-web-app-service

I have an Azure App Service that uses HttpClient to call a Logic App with an HTTP trigger. The App Service has a system-assigned Managed Identity. I want to restrict access to the Logic App to only this Managed Identity so that only the App Service can call the Logic App. Is that possible?

Using the Authorization parameter, you can restrict access to the logic app with a managed identity.
I have an Azure web app which is used to call the logic app with HttpClient.
I have created a logic app by taking the HTTP trigger as shown below,
In the HTTP trigger, added the Authorization parameter as shown below,
Selected the authentication type as Managed Identity,
You can also restrict access to the logic app by adding the app service IP range in the logic app workflow settings:
Logic app >> Workflow Settings
In this way, the logic app can be accessible only from the configured IP addresses.
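The answer above configures the trigger through the portal. As an added example (not code from the question or the answer), the block below shows in Python what that Authorization setting is behind the scenes and what the App Service caller has to send: the `accessControl` fragment of the workflow resource with issuer, audience and the caller's `oid` claim, a local model of the claim check so you can see that leaving out `oid` admits any identity in the tenant that can get a management-plane token, and the outbound request with the SAS parameters stripped and a bearer token added. The tenant id, the identity's object id and the trigger URL are placeholders; the token call uses the azure-identity package and only works inside Azure, so it is imported lazily.

```python
"""Added example: model of a Logic App HTTP trigger protected by an Azure AD
policy pinned to one managed identity, plus the caller side.
Assumptions: placeholder tenant id, principal object id and trigger URL."""
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Audience the caller must request a token for (the Logic Apps OAuth policy
# expects management-plane tokens).
MGMT_AUDIENCE = "https://management.azure.com/"
SAS_PARAMS = {"sp", "sv", "sig"}


def build_access_control(tenant_id, principal_id, policy_name="AppServiceOnly"):
    """Return the workflow 'accessControl' fragment behind the portal's
    Authorization policy. Every claim in a policy must match. Without the
    'oid' claim the policy only pins tenant and audience, so any identity in
    the tenant that can obtain a management-plane token would be accepted."""
    return {
        "accessControl": {
            "triggers": {
                "openAuthenticationPolicies": {
                    "policies": {
                        policy_name: {
                            "type": "AAD",
                            "claims": [
                                {"name": "iss", "value": f"https://sts.windows.net/{tenant_id}/"},
                                {"name": "aud", "value": MGMT_AUDIENCE},
                                {"name": "oid", "value": principal_id},
                            ],
                        }
                    }
                }
            }
        }
    }


def policy_allows(access_control, claims):
    """Local model of the runtime check: 'claims' is the payload of a token
    whose signature has already been verified. The request is admitted if
    every claim of at least one policy matches exactly."""
    policies = access_control["accessControl"]["triggers"]["openAuthenticationPolicies"]["policies"]
    return any(
        policy["type"] == "AAD"
        and all(claims.get(c["name"]) == c["value"] for c in policy["claims"])
        for policy in policies.values()
    )


def strip_sas(trigger_url):
    """Drop the SAS parameters from the callback URL: a request authenticated
    with a bearer token must not also carry the SAS (one scheme per call)."""
    parts = urlsplit(trigger_url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in SAS_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def build_request(trigger_url, bearer_token, payload):
    """URL, headers and body for the outbound HttpClient/requests call."""
    headers = {"Authorization": f"Bearer {bearer_token}",
               "Content-Type": "application/json"}
    return strip_sas(trigger_url), headers, json.dumps(payload)


def acquire_token():
    """Real token from the App Service's system-assigned identity. Needs the
    azure-identity package (assumed) and only works inside Azure."""
    from azure.identity import ManagedIdentityCredential
    return ManagedIdentityCredential().get_token(MGMT_AUDIENCE + ".default").token


if __name__ == "__main__":
    # Constructed claims for a local dry run; not a real token.
    ac = build_access_control("00000000-0000-0000-0000-000000000001",
                              "11111111-1111-1111-1111-111111111111")
    claims = {"iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000001/",
              "aud": MGMT_AUDIENCE, "oid": "11111111-1111-1111-1111-111111111111"}
    print("app service identity admitted:", policy_allows(ac, claims))
    print("other identity admitted:", policy_allows(ac, dict(claims, oid="2222")))
```

The IP restriction from the answer is a separate, complementary control: the claim check ties the call to an identity, the workflow settings tie it to an address range, and the SAS in the plain callback URL should be treated as a secret even when the policy is on.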

Related

SSH into Azure Logic App using the Advanced Tools in the Logic App configuration

Is it possible to SSH into a Logic App using Kudu (now called Advanced Tools), in the Logic App configuration?
I have no access restrictions on the Logic App, as shown below
The above configuration has always allowed me to SSH into other types of App services, but when I try to do so for a Logic App, I am getting a 403 - Forbidden : The web app you have attempted to reach has blocked your access, as below.
This issue is happening because the storage account is not accessible on public endpoint. On Azure portal, this can be configured by selecting the Network blade in the storage account configuration, and by ticking the Selected Networks option. Even granting access from Azure trusted services, shown as well in the configuration below, will result in the initial error when SSHing into the Logic App.
It is thus necessary to either connect the Logic App to the storage account via service/private endpoint, or to create an Integration Service Environment, which will then enable the Logic App to access the storage account.

Securing access to trigger an Azure logic app (HTTP Request Trigger)

I have an Azure logic app which has an HTTP Request trigger. I am executing the logic app via a web application using the Logic App URL.
I have noticed that the Logic App URL is accessible from anywhere. Therefore anyone who has the URL can call the logic app.
I want to know how to secure access to trigger an Azure logic app.
In Azure Logic Apps, the URL generated for "When a HTTP request is received" has a shared access signature; it has been certified and protected, and this process is done automatically by the Azure logic app.
https://prod-07.westus.logic.azure.com:433/workflows/{logic-app-resource-ID}/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig={shared-access-signature}
For more details, please refer to What about URL security?

Can you tell if an API request hasn't come through Azure API Management?

I have an API that runs on an Azure app service which is exposed through Azure API Management. Is there a way to tell if any requests are hitting the app service URL directly without going through the API Management service?
In my opinion, APIM can't record those requests which hit the app service URL directly, because these requests have no relationship with APIM. If you want to record these requests, you need to modify the API in your code.
For example, you can add a parameter with a specific value in API Management, and when your code receives this parameter, you can check the value to know if it comes from APIM.
I assume that you want to prevent calling the app service URL directly. So I suggest adding a whitelist on your server so that only APIM requests can visit your server.
For adding access restrictions, if you're using Azure App Service, you can refer to this MS document.
I believe if you were to enable Application Insights on both the API Management and the App Service, you can view the requests in Application Insights for the App Service to tell which ones were direct calls and which ones came from API Management.
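The answers above suggest a marker that APIM adds and the backend checks, plus an IP allow-list. As an added example in Python (not code from the question or the answers), the block below does both on the backend side: an assumed APIM inbound policy injects a secret header from a named value, the backend compares it in constant time and also checks the source address against the gateway's outbound IP, and an `audit` helper runs the same test over constructed log records to list the direct hits. The header name `X-Gateway-Key`, the named value `gateway-key`, the gateway address and the records are all assumptions.

```python
"""Added example: detect and reject requests that bypassed API Management.
Assumptions: header name, APIM named value, gateway address and log records
are placeholders chosen for this illustration."""
import hmac
import ipaddress

# Assumed APIM inbound policy (XML kept as a string for context only). A fixed
# query parameter that anyone can read in a capture proves nothing; a secret
# held in a named value and compared in constant time does.
APIM_INBOUND_POLICY = """<inbound>
  <base />
  <set-header name="X-Gateway-Key" exists-action="override">
    <value>{{gateway-key}}</value>
  </set-header>
</inbound>"""

# Assumed public outbound address of the APIM instance (taken from the APIM
# overview blade in practice). Pair it with an App Service access restriction:
#   az webapp config access-restriction add -g <rg> -n <app> --rule-name apim \
#       --action Allow --ip-address 203.0.113.10/32 --priority 100
APIM_NETWORKS = [ipaddress.ip_network("203.0.113.10/32")]


def came_via_apim(headers, remote_addr, expected_key, apim_networks=APIM_NETWORKS):
    """Return (ok, reason). Both signals must hold: the gateway secret and a
    source address that belongs to the gateway."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get("x-gateway-key", "")
    if not hmac.compare_digest(presented.encode(), expected_key.encode()):
        return False, "missing or wrong gateway header"
    try:
        src = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False, "unparseable source address"
    if not any(src in net for net in apim_networks):
        return False, f"source {src} is not an APIM gateway address"
    return True, "via apim"


def audit(records, expected_key, apim_networks=APIM_NETWORKS):
    """Classify access-log style records; return the direct hits with their
    reason so they can be alerted on or blocked."""
    direct = []
    for rec in records:
        ok, reason = came_via_apim(rec["headers"], rec["remote_addr"],
                                   expected_key, apim_networks)
        if not ok:
            direct.append((rec["path"], rec["remote_addr"], reason))
    return direct


if __name__ == "__main__":
    # Constructed sample records: one via APIM, one direct, one with a guessed key.
    key = "s3cret-from-keyvault"
    sample = [
        {"path": "/api/orders", "remote_addr": "203.0.113.10", "headers": {"X-Gateway-Key": key}},
        {"path": "/api/orders", "remote_addr": "198.51.100.5", "headers": {}},
        {"path": "/api/admin", "remote_addr": "203.0.113.10", "headers": {"X-Gateway-Key": "guess"}},
    ]
    for hit in audit(sample, key):
        print("direct call:", hit)
```

The header check catches callers who know the URL, the IP check catches callers who learned the header value; an access restriction on the App Service itself keeps the direct hits from reaching the code at all, so the audit then only sees what the platform let through.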

Is it possible to have Azure App Registration in one tenant and App Services in another

Does anyone know if it's possible to create an App Registration in one tenant and then use that registration in another tenant within App Services?
Regards, Oskar
In general, yes, it is. If you create an app registration, you might define the URL of the App Service in its reply URLs.
Then you can define on the App Service that it should use authentication with a given AAD tenant.
After all, you can use AAD authentication anywhere: on an app hosted in AWS, the Google cloud or an on-prem server.
Of course the Authentication/Authorization feature of App Service is only available there, but that doesn't stop you from configuring authentication within your app.
Managed Identity is a feature that only works within the tenant connected to the subscription though.

Can I use Service Principal to authenticate an application that is not hosted in Azure using role-based access control?

I've created an event hub that I want to call from an app hosted outside of Azure. Can I create a service principal in AAD and use it for authentication of the non-Azure hosted application?
Yes, it doesn't matter if the application is hosted in Azure or not; the service principal is used to auth, it doesn't check where you are hosting the app.
But I don't think you can use a service principal to talk to Event Hub; you will need to use a connection string.
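The answer above is unsure whether a service principal can talk to Event Hubs directly. The current azure-eventhub SDK accepts an Azure AD credential, and Event Hubs has data-plane RBAC roles such as "Azure Event Hubs Data Sender", so the non-Azure application does not need the connection string. As an added example (not the answer's code, and not Microsoft's sample), the block below builds the role-assignment scope and command, validates the namespace name so a pasted connection string is rejected early, and sends a batch with `ClientSecretCredential`. It assumes the azure-identity and azure-eventhub packages, credentials in the usual `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET` environment variables, and placeholder resource names; the SDK imports are lazy so the offline helpers work without the packages.

```python
"""Added example: a non-Azure app authenticating to Event Hubs with a service
principal through Azure AD RBAC instead of a connection string.
Assumptions: azure-identity and azure-eventhub are installed, the principal
holds 'Azure Event Hubs Data Sender' on the hub, and all ids are placeholders."""
import os

SENDER_ROLE = "Azure Event Hubs Data Sender"


def eventhub_scope(subscription_id, resource_group, namespace, hub):
    """Resource id used as the scope of the role assignment. Granting at hub
    level instead of namespace level is the least-privilege choice."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.EventHub/namespaces/{namespace}/eventhubs/{hub}")


def role_assignment_command(app_id, scope):
    """az cli command an owner of the hub runs once to grant the role."""
    return (f'az role assignment create --assignee "{app_id}" '
            f'--role "{SENDER_ROLE}" --scope "{scope}"')


def namespace_fqdn(namespace):
    """Fully qualified namespace the SDK expects. Reject anything that is not
    a bare namespace name so a pasted connection string fails fast."""
    if not namespace or any(ch in namespace for ch in ";=/ "):
        raise ValueError("expected a bare namespace name, not a connection string")
    return f"{namespace}.servicebus.windows.net"


def send_events(namespace, hub, messages):
    """Send one batch using the service principal. Imported lazily: needs
    network and the Azure SDK packages (assumed installed)."""
    from azure.identity import ClientSecretCredential
    from azure.eventhub import EventHubProducerClient, EventData

    credential = ClientSecretCredential(
        tenant_id=os.environ["AZURE_TENANT_ID"],
        client_id=os.environ["AZURE_CLIENT_ID"],
        client_secret=os.environ["AZURE_CLIENT_SECRET"],  # a certificate is preferable
    )
    producer = EventHubProducerClient(
        fully_qualified_namespace=namespace_fqdn(namespace),
        eventhub_name=hub,
        credential=credential,
    )
    with producer:
        batch = producer.create_batch()
        for message in messages:
            batch.add(EventData(message))
        producer.send_batch(batch)
    return len(messages)


if __name__ == "__main__":
    scope = eventhub_scope("<subscription-id>", "rg-demo", "ns-demo", "hub-demo")
    print(role_assignment_command("<app-id>", scope))
    # Uncomment on a machine with the SDK and the environment variables set:
    # print(send_events("ns-demo", "hub-demo", ["constructed event 1", "constructed event 2"]))
```

With RBAC the secret that leaves the tenant is the principal's credential rather than a namespace-wide SAS key, and the blast radius is whatever the role assignment's scope allows.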
