Develop Reference

Authenticate system assigned identity to Event Grid API connection

Can anyone help me find the client secret for a system assigned identity in an ARM template, or suggest an alternative approach?
I've got an ARM template which creates a Logic App with system assigned identity, and now I want to set up an API connection to trigger from Event Grid (without using the portal UI or a separate powershell command).
I can't figure out how to get the client secret for the system assigned identity. This would allow me to follow the answers in these previous questions:
Create API Connection for Azure Data Factory with service principal authentication using ARM Template
How to authenticate an Azure EventGrid API Connection using a script?
Here's what I have so far:
"resources": [
{
"apiVersion": "2016-06-01",
"type": "Microsoft.logic/workflows",
"name": "[variables('logicName')]",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[variables('connections_azuretables_name')]"
],
"properties": {
"state": "Enabled",
"definition": {
<<SNIP>>
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azureEventGridConnectionAPIName')]",
"location": "[resourceGroup().location]",
"properties": {
"api": {
"id": "[concat('/subscriptions/subscriptionId', '/providers/Microsoft.Web/locations/', 'eastasia', '/managedApis/', 'azureeventgrid')]"
},
"parameterValues": {
"token:clientId": "[reference(variables('logicName'), '2016-06-01', 'Full').identity.principalId]",
"token:clientSecret": "########### STUCK HERE #################",
"token:TenantId": "[reference(variables('logicName'), '2016-06-01', 'Full').identity.tenantId]",
"token:grantType": "client_credentials"
},
"displayName": "[variables('azureEventGridConnectionAPIName')]"
},
"dependsOn": []
}
],

A managed identity has no client secret. It only has certificates, which you cannot access.
The template would have to execute within the logic app to get the access token, which I doubt it can do.

For anyone wondering, it is pretty straightforward to create a Service Principal manually and then feed it into the ARM template:
> az ad sp create-for-rbac --name MyPrincipal
{
"appId": "##############",
"displayName": "MyPrincipal",
"name": "http://MyPrincipal",
"password": "##############",
"tenant": "##############"
}
Now pass the appId (as clientId) password (as clientSecret) and tenant (as tenantId) into the parameterValues block in Microsoft.Web/connections. This will set up an Event Grid API connection for your logic app, but with implications for access policies and overhead of identity management outside of the ARM template.
The actual solution I've used is to create a webhook event subscription on Event Grid and then set up my logic app to have a web hook trigger. This works just fine.
Here's a sample solution:
{
"name": "[parameters('topicName')]",
"type": "Microsoft.EventGrid/topics",
"location": "[resourceGroup().location]",
"apiVersion": "2018-01-01",
"properties": { }
},
{
"name": "[concat(parameters('topicName'), '/Microsoft.EventGrid/', variables('topicSubscriptionName'))]",
"type": "Microsoft.EventGrid/topics/providers/eventSubscriptions",
"location": "[resourceGroup().location]",
"apiVersion": "2018-01-01",
"properties": {
"destination": {
"endpointType": "WebHook",
"properties": {
"endpointUrl": "[listCallbackURL(resourceId('Microsoft.Logic/workflows/triggers', parameters('logicName'), 'WorkaroundWebhookTrigger'), '2016-06-01').value]"
}
},
"filter": {
"includedEventTypes": [
"All"
]
}
},
"dependsOn": [
"[parameters('topicName')]",
"[parameters('logicName')]"
]
},
{
"apiVersion": "2016-06-01",
"type": "Microsoft.logic/workflows",
"name": "[parameters('logicName')]",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"WorkaroundWebhookTrigger": {
"type": "Request",
"kind": "Http",
"inputs": {
"schema": {
"properties": {
"data": {
"properties": {
"lorem": {
"type": "integer"
},
"ipsum": {
"type": "string"
}
},
"type": "object"
},
"dataVersion": {
"type": "string"
},
"eventTime": {
"type": "string"
},
"eventType": {
"type": "string"
},
"id": {
"type": "string"
},
"metadataVersion": {
"type": "string"
},
"subject": {
"type": "string"
},
"topic": {
"type": "string"
}
},
"type": "object"
}
}
}
},
<snip>

Deploying ARM templates from Azure Release Pipelines removes code

According to documentation "An ARM template is idempotent, which means it can be executed as many times as you wish, and the result will be the same every time". But I just learned that when I redeploy AppService (without any changes) it removes my application. Endpoints were not responding anymore and there was no application logs so I went to Azure portal console, ran DIR, and to my surprise the only file that is there is hostingstart.html! Is it documented somewhere? This changes completely how I need to handle ARM templates in my Release pipeline.
I'm using linked templates. In main template I have this resource:
{
"name": "myApp",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"dependsOn": [
"storage"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[uri(variables('templateBaseUrl'), 'myApp.json')]"
},
"parameters": {
"env": {
"value": "[parameters('env')]"
},
"myAppAppServiceSku": {
"value": "[parameters('myAppAppServiceSku')]"
},
"storageAccountName": {
"value": "[variables('storageAccountName')]"
}
}
}
}
and the linked template
"resources": [
{
"name": "[variables('myAppServerFarmName')]",
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2018-02-01",
"location": "[resourceGroup().location]",
"tags": {
"ENV": "[parameters('env')]"
},
"sku": {
"name": "[parameters('myAppAppServiceSku')]"
},
"properties": {
}
},
{
"name": "[variables('myAppWebSiteName')]",
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"dependsOn": [
"[variables('myAppServerFarmName')]"
],
"location": "[resourceGroup().location]",
"tags": {
"ENV": "[parameters('env')]"
},
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms/', variables('myAppServerFarmName'))]",
"siteConfig": {
"alwaysOn": true
}
},
"resources": [
{
"name": "appSettings",
"type": "config",
"apiVersion": "2018-11-01",
"dependsOn": [
"[variables('myAppWebSiteName')]"
],
"tags": {
"ENV": "[parameters('env')]"
},
"properties": {
"storageAccountName": "[parameters('storageAccountName')]",
"storageKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts/', parameters('storageAccountName')), '2019-04-01').keys[0].value]"
}
}
]
}
]
EDIT:
I have checked with deployment using Kudu ZIP Deploy. And after this deployment it redeployment of ARM templates does not remove code! So it works as expected. So deployment from Release Pipelines is different in some way.
After I execute both steps everything looks fine. But when I then just execute first step application code is removed.
This is how it looks right now.
And steps have one task each:

See Azure Functions ARM template redeployment deletes my published functions for more info. Essentially you need to add this to your template:
{ "name": "WEBSITE_RUN_FROM_PACKAGE", "value": "1" }

How to Set Up Application Insights from an Release Pipeline/ARM Templates

We have an Azure DevOps release pipeline, which sets up all of our Azure resources in a location. I can create everything successfully with ARM templates, but I'm struggling to link the App Service with the App Insights resource.
If I were doing it manually, I'd click a "Turn on site extension" button in the AppInsights blade of the App Service (under the heading "Enable Application Insights through site extension without redeploying your code").
I've tried adding an "Azure App Service Manage" step to my release pipeline, set to install the "Application Insights extension for Azure App Service" extension:
In addition, I've added an "Azure App Service Manage" step to my release pipeline, set to "Enable Continuous Monitoring":
But the result is still that AppInsights is connected, but the extension is not installed:
Is there any way I can do this automatically? Either via an ARM template, a PowerShell script, or something else?
Edit: In the "Extensions" blade, I can see "Application Insights extension for Azure App Service" (v2.6.5) and "ASP.NET Core Logging Extensions" (v2.2.0), but I'm still asked to "Turn on site extension" in the "Aplication Insights" blade.

In an ARM-template you can do:
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-02-01",
"name": "[variables('web_app_service_name')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('plan_name'))]",
"[resourceId('Microsoft.Insights/components', variables('app_insights_name'))]"
],
"kind": "app",
"properties": {
"siteConfig": {
"appSettings": [
{
"name": "APPINSIGHTS_INSTRUMENTATIONKEY",
"value": "[reference(variables('app_insights_name'), '2015-05-01').InstrumentationKey]"
},
{
"name": "ApplicationInsightsAgent_EXTENSION_VERSION",
"value": "~2"
}
]
}
}
}
Refer to documentation at https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-web-apps#automate-monitoring

i think you would need to do something like that:
{
"apiVersion": "2015-08-01",
"name": "[parameters('webSiteName')]",
"type": "Microsoft.Web/sites",
"location": "[resourceGroup().location]",
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]": "Resource",
"displayName": "Website"
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]",
"[resourceId('microsoft.insights/components/', parameters('appInsightsName'))]"
],
"properties": {
"name": "[parameters('webSiteName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('hostingPlanName'))]"
},
"resources": [
{
"apiVersion": "2015-08-01",
"name": "appsettings",
"type": "config",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', parameters('webSiteName'))]",
"Microsoft.ApplicationInsights.AzureWebSites"
],
"properties": {
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(concat('microsoft.insights/components/', parameters('appInsightsName'))).InstrumentationKey]"
}
},
{
// this bit installs application insights extension
"apiVersion": "2015-08-01",
"name": "Microsoft.ApplicationInsights.AzureWebSites",
"type": "siteextensions",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', parameters('webSiteName'))]"
],
"properties": {
}
}
]
}
I've never actually tried this, but looks correct, link to the example I've found: https://github.com/tomasr/webapp-appinsights/blob/master/WebSite.json

Make sure that your app settings key is APPINSIGHTS_INSTRUMENTATIONKEY and not ApplicationInsights:InstrumentationKey. Somewhere in the MS docs it gives the impression that you can use either. In fact that's not the case, in Azure you need to use the former otherwise Application Insights won't be enabled for server side insights.

In order for the Azure Portal to show an active integration with Application Insights, you need to set three app settings.
https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-web-apps?tabs=net#automate-the-creation-of-an-application-insights-resource-and-link-to-your-newly-created-app-service
{
"resources": [
{
"name": "[parameters('name')]",
"type": "Microsoft.Web/sites",
"properties": {
"siteConfig": {
"appSettings": [
{
"name": "APPINSIGHTS_INSTRUMENTATIONKEY",
"value": "[reference('microsoft.insights/components/AppMonitoredSite', '2015-05-01').InstrumentationKey]"
},
{
"name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
"value": "[reference('microsoft.insights/components/AppMonitoredSite', '2015-05-01').ConnectionString]"
},
{
"name": "ApplicationInsightsAgent_EXTENSION_VERSION",
"value": "~2"
}
]
},
"name": "[parameters('name')]",
"serverFarmId": "[concat('/subscriptions/', parameters('subscriptionId'),'/resourcegroups/', parameters('serverFarmResourceGroup'), '/providers/Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]",
"hostingEnvironment": "[parameters('hostingEnvironment')]"
},
"dependsOn": [
"[concat('Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]",
"microsoft.insights/components/AppMonitoredSite"
],
"apiVersion": "2016-03-01",
"location": "[parameters('location')]"
},
{
"apiVersion": "2016-09-01",
"name": "[parameters('hostingPlanName')]",
"type": "Microsoft.Web/serverfarms",
"location": "[parameters('location')]",
"properties": {
"name": "[parameters('hostingPlanName')]",
"workerSizeId": "[parameters('workerSize')]",
"numberOfWorkers": "1",
"hostingEnvironment": "[parameters('hostingEnvironment')]"
},
"sku": {
"Tier": "[parameters('sku')]",
"Name": "[parameters('skuCode')]"
}
},
{
"apiVersion": "2015-05-01",
"name": "AppMonitoredSite",
"type": "microsoft.insights/components",
"location": "West US 2",
"properties": {
"ApplicationId": "[parameters('name')]",
"Request_Source": "IbizaWebAppExtensionCreate"
}
}
],
"parameters": {
"name": {
"type": "string"
},
"hostingPlanName": {
"type": "string"
},
"hostingEnvironment": {
"type": "string"
},
"location": {
"type": "string"
},
"sku": {
"type": "string"
},
"skuCode": {
"type": "string"
},
"workerSize": {
"type": "string"
},
"serverFarmResourceGroup": {
"type": "string"
},
"subscriptionId": {
"type": "string"
}
},
"$schema": "https://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion": "1.0.0.0"
}
See also my other answer on this: Azure Cli How to enable Application Insights for webapp

Azure ARM SSL Binding using App service certificate

I have a site with custom hostnames configured with hostnameBindings in the ARM template. This deploys fine.
I have also the SSL certificate created and verified from Azure, with the corresponding thumbprint.
In the Azure site I am also able to bind the certificate to the app service.
But when I use the ARM template to assign the SSL from the template in the hostnameBindings it gives an error that the certificate was not found...
I don't understand what goes wrong...
My guesses:
the certificate is in a different resource group so it cannot be
found, but in the template settings I cannot set the group.
in the Azure website before I can use the SSL I have to import, so maybe I am missing this step in the ARM template?
using wrong thumbprint?
In the hostnameBindings I am defining only the thumbprint and the sslState
Any idea which step I am missing?
thank you
UPDATE
My parameter json file:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.5.0.8",
"parameters": {
"baseResourceName": {
"value": "base-name"
},
"environments": {
"value": [
"preview"
]
},
"hostNames": {
"value": [
{
"name": "myhostname.example.com",
"sslState": "SniEnabled",
"thumbprint": "9897LKJL88KHKJH8888KLJLJLJLKJLJLKL4545"
},
{
"name": "myhostname2.example.com"
}
]
},
"ipSecurityRestrictions": {
"value": []
}
}
}
My template json file:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.5.0.8",
"parameters": {
"hostName": {
"defaultValue": [],
"type": "array",
"metadata": {
"description": "The custom hostnames of sites"
}
}
},
"variables": {
"standardPlanMaxAdditionalSlots": 4,
"appName": "[concat(parameters('baseResourceName'), '-private')]",
"appServicePlanName": "[concat(parameters('baseResourceName'), '-appServicePlan')]",
"appInsightName": "[concat(parameters('baseResourceName'), '-appInsight')]",
"ipSecurityRestrictions": "[parameters('ipSecurityRestrictions')]"
},
"resources": [
{
"type": "Microsoft.Web/serverfarms",
"comments": "AppPlan for app.",
"sku": {
"name": "[if(lessOrEquals(length(parameters('environments')), variables('standardPlanMaxAdditionalSlots')), 'S1', 'P1')]"
},
"tags": {
"displayName": "AppServicePlan-Private"
},
"name": "[variables('appServicePlanName')]",
"kind": "app",
"apiVersion": "2016-09-01",
"location": "[resourceGroup().location]",
"properties": {},
"dependsOn": []
},
{
"type": "Microsoft.Web/sites",
"comments": "This is the private web app.",
"kind": "app",
"apiVersion": "2016-03-01",
"name": "[variables('appName')]",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "WebApp"
},
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
"siteConfig": {
"appSettings": [],
"phpVersion": "",
"ipSecurityRestrictions": "[variables('ipSecurityRestrictions')]",
"http20Enabled": true,
"minTlsVersion": "1.2"
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
"[resourceId('microsoft.insights/components/', variables('appInsightName'))]"
]
},
{
"type": "Microsoft.Web/sites/hostnameBindings",
"name": "[concat(variables('appName'), '/', parameters('hostName')[copyIndex()].Name)]",
"apiVersion": "2016-03-01",
"location": "[resourceGroup().location]",
"properties": "[parameters('hostName')[copyIndex()]]",
"condition": "[greater(length(parameters('hostName')), 0)]",
"copy": {
"name": "hostnameCopy",
"count": "[length(parameters('hostName'))]",
"mode": "Serial"
},
"dependsOn": [
"[concat('Microsoft.Web/sites/',variables('appName'))]"
]
}
]
}

completely unrelated, did you test your condition greater(..., 0) with zero length array? pretty sure it will blow up.
on the subject. i think you can maybe make it work if you link your certificate resource to the app service plan. so this is an operation that is performed on the certificate resource. this is totally possible if you use keyvault to store the certificate
{
"apiVersion": "2016-03-01",
"name": "[variables('certificateName')]",
"location": "[resourceGroup().location]",
"type": "Microsoft.Web/certificates",
"dependsOn": [
"[parameters('appServicePlan')]"
],
"properties": {
"keyVaultId": "kvResourceId",
"keyVaultSecretName": "secretName",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlan'))]"
}
}

Azure - Set WebSocket On from ARM json template

I'm trying to turn WebSockets On for an Azure WebApp from an Azure ARM json template that deploys my whole infrastructure.
Here is an extract with regards to the Azure Web App. It doesn't work, i.e the WebSockets are still Off. I unsuccessfully tried different spelling: webSocketsEnabled or WebSockets.
"resources":[
{
"name": "[variables('MyApp')]",
"type": "Microsoft.Web/sites",
"location": "Brazil South",
"apiVersion": "2016-08-01",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('MyAppPlanBrazil'))]"
],
"tags": {
"[concat('hidden-related:', resourceId('Microsoft.Web/serverfarms', variables('MyAppPlanBrazil')))]": "Resource",
"displayName": "MyAppAppBrazil"
},
"properties": {
"name": "[variables('MyAppPlanBrazil')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('MyAppPlanBrazil'))]",
"siteConfig": {
"AlwaysOn": true,
"webSocketsEnabled": true,
"connectionStrings": [
{
...
},
{
...
},
]
}
}
]
UPDATE
As suggested in answer below I updated the apiVersion to "2016-08-01" but this still doesn't work.
Also note that while my schema is the one described here, apiVersion is squiggled in VS and it says the authorized value is "2015-08-01" only.
UPDATE2
I tried the solutions below. They work for their authors but not for me. I guess the problem is elsewhere. My infrastructure is already deployed and I try to update it with webSocketsEnabled. Whereas in the solution below I imagine the authors directly create the web app with webSocketsEnabled.
Also, I coupled webSocketsEnabled with alwaysOn whereas the pricing tier of my webapp doesn't allow "AlwaysOn" (as it says in the portal I need to upgrade to use that feature) so I'll try without alwaysOn.
UPDATE3
At the end, the above template worked when I removed AlwaysOn.
Thank you to those who tried to help me.

Set your api version to this: "2016-08-01"
Use
"webSocketsEnabled": true
This is from the Microsoft.Web/sites template reference:
https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites
The api version you are using (2015-08-01) from:
https://github.com/Azure/azure-resource-manager-schemas/blob/master/schemas/2015-08-01/Microsoft.Web.json
Doesn't have web sockets in it, but the later one:
https://github.com/Azure/azure-resource-manager-schemas/blob/master/schemas/2016-08-01/Microsoft.Web.json
Does have webSocketsEnabled.

Please have a try to use the following code. It works correctly on my side.
Updated: add whole test arm template and you could have a try to use the following code with your service plan name and resource group name
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serverFarmName": {
"type": "string",
"defaultValue": "YourPlan"
},
"serverFarmResourceGroup": {
"type": "string",
"defaultValue": "ResourceGroupName"
}},
"variables": {
"ARMtemplateTestName": "[concat('ARMtemplateTest', uniqueString(resourceGroup().id))]"},
"resources": [
{
"name": "[variables('ARMtemplateTestName')]",
"type": "Microsoft.Web/sites",
"location": "southcentralus",
"apiVersion": "2015-08-01",
"dependsOn": [ ],
"tags": {
"[concat('hidden-related:', resourceId(parameters('serverFarmResourceGroup'), 'Microsoft.Web/serverFarms', parameters('serverFarmName')))]": "Resource",
"displayName": "ARMtemplateTest"
},
"properties": {
"name": "[variables('ARMtemplateTestName')]",
"serverFarmId": "[resourceId(parameters('serverFarmResourceGroup'), 'Microsoft.Web/serverFarms', parameters('serverFarmName'))]"
},
"resources": [
{
"name": "web",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('ARMtemplateTestName'))]"
],
"tags": {
"displayName": "enableWebSocket"
},
"properties": {
"webSocketsEnabled": true,
"alwaysOn": true
}
},
{
"apiVersion": "2015-08-01",
"name": "connectionstrings",
"type": "config",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', variables('ARMtemplateTestName'))]"
],
"properties": {
"ConnString1": {
"value": "My custom connection string",
"type": "custom"
},
"ConnString2": {
"value": "My SQL connection string",
"type": "SQLAzure"
}
}
},
{
"name": "appsettings",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('ARMtemplateTestName'))]"
],
"tags": {
"displayName": "Appsetting"
},
"properties": {
"key1": "value1",
"key2": "value2"
}
}
]
}],
"outputs": {}
}
Test Result:

All the above solution should work.
My initial snippet worked as well ... as soon as I removed alwaysOn.
Indeed, I was using a free tiers App Service Plan for which alwaysOn is not available. While there was no errors or anything else indicating something wrong, I could not set webSocketEnabled and alwaysOn at the same time in that case.