I was recently reading through this article titled Configure an application to trust a managed identity (preview) and also looking through Bicep FIC sample. This made me curious on how I can use this in Function App or Logic App to authenticate with Dataverse. Since Function App was going to be a bit cumbersome to get started, I thought I will explore Logic Apps first. I tested the below setup in Logic Apps Standard.
Here is a quick summary diagram of the setup.
Clik here to view.
The first step is to assign a user assigned managed identity to Logic Apps.
Clik here to view.
Next step is to create a new App Registration and get it to trust the managed identity. The Subject identifier is basically the ObjectId of the user assigned Managed Identity. Let’s call this tenant, the source tenant.
Clik here to view.
The App Registration has to be multi-tenant.
Clik here to view.
Next step is to create the Service Principal on the other tenant using this App Registration. To do this we can use this special URL mentioned in the creating service principal article. The format is
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?response_type=code&response_mode=query&scope=openid&client_id=<your_client_ID>
You need to login with a user account with admin privs on the other tenant, so that the service principal can be created on this tenant. Let’s call this the target tenant. Assuming that the Dataverse environment is in the target tenant, this service principal has to be added as an Application User on to the environment from Power Platform Admin Center and assigned roles.
Now, from the Logic App on the source tenant, let’s try to invoke a Dataverse API call with no client-secret. This is the Logic App.
Clik here to view.
The first step is to authenticate with the managed identity and get the client assertion token. We will use the PowerShell action for this. AccountId parameter simply the ClientId/ApplicationId of the Managed Identity. We are using Az PowerShell to get the token from the IMDS endpoint.
Clik here to view.
If you try to do this directly by doing a GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/ with managed identity authentication on HTTP action, you won’t be able to get the token, because it is a restricted URL. Hence, the PS route.
You also need to enable Az PowerShell module from Kudu, because it is not installed by default.
Clik here to view.
Clik here to view.
We can get the access token using the client assertion token by POSTing on the token endpoint on the Target tenant.
Clik here to view.
Below is the expression for the Body parameter.
scope=https://[TARGET].crm5.dynamics.com/.default&client_id=[CLIENT_ID]&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=@{body('Get_Token_for_Managed_Identity')?['Token']}&grant_type=client_credentials
Now we can call the Dataverse endpoint on the target tenant with the Bearer token.
Clik here to view.
The expression on the Value parameter is from the response body of the previous step.
Bearer @{body('Get_Token_for_Dataverse_in_Guest_Tenant')?['access_token']}
Now you should be able to run the Logic App to do a simple WhoAmI call on the Dataverse API on the target tenant, without any secret, even though the Logic App is on the source tenant.
Clik here to view.
I haven’t explored Azure Function yet, but a similar approach with Azure Identity Framework should work, as the core idea is the same. Word of warning – This capability is still in Preview.
References:
- https://devblogs.microsoft.com/identity/access-cloud-resources-across-tenants-without-secrets/
- https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity?tabs=microsoft-entra-admin-center
- https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#third-case-access-token-request-with-a-federated-credential