Add managed API connection authentication info

ecfan · ecfan · commit 06eed2397fae · 2024-10-11T14:01:49.000-07:00
diff --git a/articles/logic-apps/create-standard-workflows-hybrid-deployment.md b/articles/logic-apps/create-standard-workflows-hybrid-deployment.md
@@ -37,7 +37,7 @@ This how-to guide shows how to create and deploy a Standard logic app workflow u
   - Managed identity authentication
   - File System connector
 
-- Although you can create connections for managed connectors in your workflow through Azure portal and Visual Studio Code, to set up authentication for managed connectors, [follow these steps to set up authentication in Visual Studio Code](azure-arc-enabled-logic-apps-create-deploy-workflows.md#set-up-connection-authentication).
+- Azure Arc-enabled Kubernetes clusters currently don't support managed identity authentication for managed API connections. Instead, you must create your own app registration using Microsoft Entra ID. For more information, [follow these steps later in this guide](#authenticate-managed-api-connections).
 
 - Some function-based triggers, such as Azure Blob, Cosmos DB, and Event Hubs require a connection to the Azure storage account associated with your Standard logic app. If you use any function-based triggers, in your Standard logic app's environment variables in the Azure portal or in your logic app project's **local.settings.json** file in Visual Studio Code, add the following app setting and provide your storage account connection string:
 
@@ -161,6 +161,78 @@ After you meet the prerequisites, but before you create your Standard logic app
 
 1. Build your workflow as usual by adding a trigger and actions. For more information, see [Build a workflow with a trigger and actions](create-workflow-with-trigger-or-action.md).
 
+<a name="authenticate-managed-api-connections"></a>
+
+## Set up managed API connections
+
+To authenticate managed API connections in Standard logic app workflows hosted on Azure Arc-enabled Kubernetes clusters, you must create your own app registration using Microsoft Entra ID. You can then use this app registration's values as an identity with your Standard logic app resource to authenticate your API connections instead.
+
+### Create an app registration with Microsoft Entra ID
+
+#### [Portal](#tab/azure-portal)
+
+1. In the [Azure portal](https://portal.azure.com), follow [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app) to create an app registration.
+
+1. After creation completes, find your new app registration in the portal.
+
+1. On the resource menu, select **Overview**, and save the following values, which you need later for connection authentication:
+
+   - Client ID
+   - Object ID
+   - Tenant ID
+   - Client secret
+
+#### [Azure CLI](#tab/azure-cli)
+
+1. To create the app registration, use the [**az ad sp create** command](/cli/azure/ad/sp#az-ad-sp-create).
+
+1. To review all the properties, use the [**az ad sp show** command](/cli/azure/ad/sp#az-ad-sp-show).
+
+1. In the output from both commands, find and save the the following values, which you need later for connection authentication:
+
+   - Client ID
+   - Object ID
+   - Tenant ID
+   - Client secret
+
+---
+
+### Add environment variable values to your Standard logic app 
+
+1. In the [Azure portal](https://portal.azure.com), go to your Standard logic app resource.
+
+1. On the resource menu, under **Settings**, select **Containers**, and then select the **Environment variables** tab.
+
+1. On the toolbar, select **Edit and deploy**.
+
+1. On the **Edit a container** pane, select **Environment variables**, and then select **Add**.
+
+1. From the following table, add each environment variable with the specified value:
+
+   | Environment variable | Value |
+   |----------------------|-------|
+   | **WORKFLOWAPP_AAD_CLIENTID** | <*my-client-ID*> |
+   | **WORKFLOWAPP_AAD_OBJECTID** | <*my-object-ID*> |
+   | **WORKFLOWAPP_AAD_TENANTID** | <*my-tenant-ID*> |
+   | **WORKFLOWAPP_AAD_CLIENTSECRET** | <*my-client-secret*> |
+
+1. When you finish, select **Save**.
+
+1. To create secrets instead to store these values and reference them from the **Environment variables** tab, follow these steps:
+
+   1. On the resource menu, under **Settings**, select **Secrets**.
+
+   1. On the toolbar, select **Add**.
+
+   1. On the **Add secret** pane, provide the following information for each secret, and then select **Add**:
+
+      | Key | Value |
+      |-----|-------|
+      | **WORKFLOWAPP_AAD_CLIENTID** | <*my-client-ID*> |
+      | **WORKFLOWAPP_AAD_OBJECTID** | <*my-object-ID*> |
+      | **WORKFLOWAPP_AAD_TENANTID** | <*my-tenant-ID*> |
+      | **WORKFLOWAPP_AAD_CLIENTSECRET** | <*my-client-secret*> |
+
 ## Deploy your logic app from Visual Studio Code
 
 After you finish building your workflow, you can deploy your logic app to your Container Apps connected environment.
diff --git a/articles/logic-apps/set-up-standard-workflows-hybrid-deployment-requirements.md b/articles/logic-apps/set-up-standard-workflows-hybrid-deployment-requirements.md
@@ -74,10 +74,10 @@ Your Kubernetes cluster requires inbound and outbound connectivity with the [SQL
 1. Set the following environment variables for the Kubernetes cluster that you want to create:
 
    ```azurecli
-   $SUBSCRIPTION="<Azure-subscription-ID>"
-   $AKS_CLUSTER_GROUP_NAME="<aks-cluster-resource-group-name>"
-   $AKS_NAME="<aks-cluster-name>"
-   $LOCATION="eastus"
+   SUBSCRIPTION="<Azure-subscription-ID>"
+   AKS_CLUSTER_GROUP_NAME="<aks-cluster-resource-group-name>"
+   AKS_NAME="<aks-cluster-name>"
+   LOCATION="eastus"
    ```
 
    | Parameter | Required | Value | Description |
@@ -241,12 +241,12 @@ To create your Azure Arc-enabled Kubernetes cluster, connect your Kubernetes clu
 1. Based on your Kubernetes cluster deployment, set the following environment variable to provide a name to use for the Azure resource group that contains your Azure Arc-enabled cluster and resources:
 
    ```azurecli
-   $GROUP_NAME="<Azure-Arc-cluster-resource-group-name>"
+   GROUP_NAME="<Azure-Arc-cluster-resource-group-name>"
    ```
 
    | Parameter | Required | Value | Description |
    |-----------|----------|-------|-------------|
-   | **GROUP_NAME** | Yes | <*Azure-Arc-cluster-resource-group-name*> | The name for the Azure resource group to use with your Azure Arc-enabled cluster and resources. This name must be unique across regions and can contain only letters, numbers, hyphens (**-**), underscores (**_**), parentheses (**()**), and periods (**.**). <br><br>This example uses **Hybrid-Arc-RG**. |
+   | **GROUP_NAME** | Yes | <*Azure-Arc-cluster-resource-group-name*> | The name for the Azure resource group to use with your Azure Arc-enabled cluster and other resources, such as your Azure Container Apps extension, custom location, and Azure Container Apps connected environment. This name must be unique across regions and can contain only letters, numbers, hyphens (**-**), underscores (**_**), parentheses (**()**), and periods (**.**). <br><br>This example uses **Hybrid-Arc-RG**. |
 
 1. Create the Azure resource group for your Azure Arc-enabled cluster and resources:
 
@@ -264,7 +264,7 @@ To create your Azure Arc-enabled Kubernetes cluster, connect your Kubernetes clu
 1. Set the following environment variable to provide a name for your Azure Arc-enabled Kubernetes cluster:
 
    ```azurecli
-   $CONNECTED_CLUSTER_NAME="$GROUP_NAME-cluster"
+   CONNECTED_CLUSTER_NAME="$GROUP_NAME-cluster"
    ```
 
    | Parameter | Required | Value | Description |
@@ -306,7 +306,7 @@ You can create an optional, but recommended, Azure Log Analytics workspace, whic
 1. Set the following environment variable to provide a name your Log Analytics workspace:
 
    ```azurecli
-   $WORKSPACE_NAME="$GROUP_NAME-workspace"
+   WORKSPACE_NAME="$GROUP_NAME-workspace"
    ```
 
    | Parameter | Required | Value | Description |
@@ -329,21 +329,21 @@ You can create an optional, but recommended, Azure Log Analytics workspace, whic
 1. Get the base64-encoded ID and shared key for your Log Analytics workspace. You need these values for a later step.
 
    ```azurecli
-   $LOG_ANALYTICS_WORKSPACE_ID=$(az monitor log-analytics workspace show \
+   LOG_ANALYTICS_WORKSPACE_ID=$(az monitor log-analytics workspace show \
       --resource-group $GROUP_NAME \
       --workspace-name $WORKSPACE_NAME \
       --query customerId \
       --output tsv)
 
-   $LOG_ANALYTICS_WORKSPACE_ID_ENC=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($LOG_ANALYTICS_WORKSPACE_ID))
+   LOG_ANALYTICS_WORKSPACE_ID_ENC=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($LOG_ANALYTICS_WORKSPACE_ID))
 
-   $LOG_ANALYTICS_KEY=$(az monitor log-analytics workspace get-shared-keys \
+   LOG_ANALYTICS_KEY=$(az monitor log-analytics workspace get-shared-keys \
       --resource-group $GROUP_NAME \
       --workspace-name $WORKSPACE_NAME \
       --query primarySharedKey \
       --output tsv)
 
-   $LOG_ANALYTICS_KEY_ENC=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($LOG_ANALYTICS_KEY))
+   LOG_ANALYTICS_KEY_ENC=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($LOG_ANALYTICS_KEY))
    ```
 
    | Parameter | Required | Value | Description |
@@ -370,9 +370,9 @@ Now, create and install the Azure Container Apps extension with your Azure Arc-e
 1. Set the following environment variables to the following values:
    
    ```azurecli
-   $EXTENSION_NAME="logicapps-aca-extension"
-   $NAMESPACE="logicapps-aca-ns"
-   $CONNECTED_ENVIRONMENT_NAME="<connected-environment-name>"
+   EXTENSION_NAME="logicapps-aca-extension"
+   NAMESPACE="logicapps-aca-ns"
+   CONNECTED_ENVIRONMENT_NAME="<connected-environment-name>"
    ```
 
    | Parameter | Required | Value | Description |
@@ -433,7 +433,7 @@ Now, create and install the Azure Container Apps extension with your Azure Arc-e
 1. Save the **ID** value for the Azure Container Apps extension to use later:
 
    ```azurecli
-   $EXTENSION_ID=$(az k8s-extension show \
+   EXTENSION_ID=$(az k8s-extension show \
       --cluster-type connectedClusters \
       --cluster-name $CONNECTED_CLUSTER_NAME \
       --resource-group $GROUP_NAME \
@@ -470,9 +470,9 @@ Now, create and install the Azure Container Apps extension with your Azure Arc-e
 1. Set the following environment variables to the specified values:
 
    ```azurecli
-   $CUSTOM_LOCATION_NAME="my-custom-location"
+   CUSTOM_LOCATION_NAME="my-custom-location"
 
-   $CONNECTED_CLUSTER_ID=$(az connectedk8s show \
+   CONNECTED_CLUSTER_ID=$(az connectedk8s show \
       --resource-group $GROUP_NAME \
       --name $CONNECTED_CLUSTER_NAME \
       --query id \
@@ -526,7 +526,7 @@ Now, create and install the Azure Container Apps extension with your Azure Arc-e
 1. Save the custom location ID for use in a later step:
 
    ```azurecli
-   $CUSTOM_LOCATION_ID=$(az customlocation show \
+   CUSTOM_LOCATION_ID=$(az customlocation show \
       --resource-group $GROUP_NAME \
       --name $CUSTOM_LOCATION_NAME \
       --query id \
