Full in-app support for managed identities

[rvvincelli]

Hi! I'm pretty sure not to be the first one suggesting this: by searching for managed identity or claim quite a few issues and threads popup. Apologies if this is a duplicate, the maintainers will close or link it.

We have a workflow where all steps have an In App runtime (they are deployed and run on the AppService instance of Logic App, if I understand correctly). This is handy for us, because the AppService itself has dedicated in- and outbound private endpoints and we can keep the network context private and safe. We always prefer managed identities, AppService/Logic App supports them too.

The issue though is that the current implementation of a few actions and connectors, for example the in-app Blob storage connector, does not support specifying an audience (among other things), causing an OAuth2 failure. The only simple alternative we could find was to degrade to a connection-string based authentication.

The interesting thing is that classic (non In App) connectors with MSI support this:

(managed API connections). I couldn't find a scheme for serviceProviderConnections, so perhaps there is an (undocumented) way to specify the aud and more.

Just to be clear, this is the error we're getting.

Please let me know if we are missing anything, and if the request makes sense of course. Thanks in advanced,

[JeffreySchmitz-Motion10]

We use the in app blob connector with managed identity and it works without a problem using the following config:

I assume you don't need to specify the audience because it already knows that it is a blob connection, so it knows the audience. The error you linked suggests that the managed identity is somehow missing/deleted?

[rvvincelli]

Thanks for the follow-up @JeffreySchmitz-Motion10 , useful! Two quick questions:

• does the action have an In app runtime or not?
• did you edited the connections JSON yourself, or was this autogenerated?

The managed identity works for us too, but only with the default runtime; if I select the In app runtime (where things run in the AppService if I understand correctly) it does not.

TIA!

[TWolversonReply]

"serviceProviderConnections" indicates that this is in-app. I can confirm that connecting to storage with managed identity using the in-app connector works fine for us. It is not required to provide an audience.