Configure Logic Apps for workflow use update

Author: OWinfreyATL

articles/active-directory/governance/configure-logic-app-lifecycle-workflows.md

@@ -5,7 +5,7 @@ author: owinfreyATL
 ms.author: owinfrey
 ms.service: active-directory
 ms.topic: reference
-ms.date: 01/26/2023
+ms.date: 03/17/2023
 ms.custom: template-how-to
 ---
 
@@ -15,6 +15,19 @@ ms.custom: template-how-to
 
 Before you can use an existing Azure Logic App with the custom task extension feature of Lifecycle Workflows, it must first be made compatible. This reference guide provides a list of steps that must be taken to make the Azure Logic App compatible. For a guide on creating a new compatible Logic App via the Lifecycle Workflows portal, see [Trigger Logic Apps based on custom task extensions (preview)](trigger-custom-task.md).
 
+## Determine type of token security of your custom task extension
+
+Before configuring your Azure Logic App custom extension for use with Lifecycle Workflows, you must first figure out what type of token security it has. The two token security types can either be:
+
+- Normal
+- Proof of Possession(POP)
+
+
+To determine the security token type of your custom task extension, you'd check the **Custom extensions (Preview)** page:
+
+:::image type="content" source="media/configure-logic-app-lifecycle-workflows/custom-task-extension-token-type.png" alt-text="Screenshot of custom task extension and token type.":::
+
+
 ## Configure existing Logic Apps for LCW use
 
 Making an Azure Logic app compatible to run with the **Custom Task Extension** requires the following steps:
@@ -24,7 +37,7 @@ Making an Azure Logic app compatible to run with the **Custom Task Extension** r
 - Enable system assigned managed identity.
 - Configure AuthZ policies.
 
-To configure those you'll follow these steps:
+To configure those you follow these steps:
 
 1. Open the Azure Logic App you want to use with Lifecycle Workflow. Logic Apps may greet you with an introduction screen, which you can close with the X in the upper right corner.
 
@@ -202,11 +215,16 @@ To configure those you'll follow these steps:
 
 1. Select Save.    
 
-1. For Logic Apps authorization policy, we'll need the managed identities **Application ID**. Since the Azure portal only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications in the Azure portal** to find the required Application ID.
+
+## Configure authorization policy for custom task extension with normal security token type
+
+If the security token type is **Normal** for your custom task extension, you'd set the authorization policy by following these steps:
+
+1. For Logic Apps authorization policy, we need the managed identities **Application ID**. Since the Azure portal only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications in the Azure AD Portal** to find the required Application ID.
 
 1. Go back to the logic app you created, and select **Authorization**.
 
-1. Create two authorization policies based on the tables below:
+1. Create two authorization policies based on these tables:
 
     Policy name: AzureADLifecycleWorkflowsAuthPolicy   
     
@@ -228,6 +246,39 @@ To configure those you'll follow these steps:
 > [!NOTE]
 > Due to a current bug in the Logic Apps UI you may have to save the authorization policy after each claim before adding another.
 
+## Configure authorization policy for custom task extension with POP security token type
+If the security token type is **Proof of Possession (POP)** for your custom task extension, you'd set the authorization policy by following these steps:
+
+1. For Logic Apps authorization policy, we need the managed identities **Application ID**. Since the Azure portal only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications in the Azure AD Portal** to find the required Application ID.
+
+1. Go back to the logic app you created, and select **Authorization**.
+
+1. Create two authorization policies based on these tables:
+
+    Policy name: POP-Policy   
+    
+    |Claim  |Value  |
+    |---------|---------|
+    |Issuer     |  https://sts.windows.net/(Tenant ID)/       |
+    |Audience     | Application ID of your Logic Apps Managed Identity       |
+    |appid     |  ce79fdc4-cd1d-4ea5-8139-e74d7dbe0bb7   |
+    |m     |  POST   |
+    |u     |  management.Azure.com   |
+    |p     |  /subscriptions/(subscriptionId)/resourceGroups/(resourceGroupName)/providers/Microsoft.Logic/workflows/(logicAppName)   |
+
+    Policy name: AzureADLifecycleWorkflowsAuthPolicyV2App   
+ 
+    |Claim  |Value  |
+    |---------|---------|
+    |Issuer     |  https://login.microsoftonline.com/(Tenant ID)/v2.0       |
+    |Audience     | Application ID of your Logic Apps Managed Identity       |
+    |azp     |  ce79fdc4-cd1d-4ea5-8139-e74d7dbe0bb7   |
+
+1. Save the Authorization policy.
+> [!NOTE]
+> Due to a current bug in the Logic Apps UI you may have to save the authorization policy after each claim before adding another.
+
+
 > [!CAUTION]
 > Please pay attention to the details as minor differences can lead to problems later.
 -	For Issuer, ensure you did include the slash after your Tenant ID