
2 ways to connect Azure Key Vault and Azure Logic Apps


Azure Key Vault is a great resource for keeping the data and apps you run in the cloud secure, and Azure Logic Apps can be incredibly helpful when trying to connect different business apps and services. But storing secrets from Azure Logic Apps in Azure Key Vault takes some configuration.  

Ensuring that your data and applications are secure should be an essential aspect of everyone’s cloud governance strategy. Azure Key Vault offers you a way to safely store your credentials, certificates, and hardware security modules in Azure. These values can also be used inside your custom applications, like in web applications, Azure Functions, and Azure Logic Apps.  

Once you’ve placed secrets in a vault, your code must authenticate to Key Vault to retrieve them. With managed identities in Azure Active Directory (AD), however, the identity can authenticate to any service that supports Azure AD authentication without any credentials in your code. 

Azure Logic Apps lets you build solutions that can connect a myriad of business apps and services together in the cloud. Because it can be used to link so many different tools, there are often security concerns of varying levels associated with it. 

Azure Logic Apps offers an out-of-the-box Azure Key Vault connector that you can use to easily retrieve values for use in your Logic App. Unfortunately, the connector can’t use managed identities to access Azure Key Vault. Instead, you have to do some manual work.   

In this blog, I’m going to show you two different ways to connect to Azure Key Vault from your Logic App. Along the way, I’ll give an overview of the differences between the approaches from a security perspective.  


Laying the groundwork

Before we can jump right into connecting Azure Logic Apps and Azure Key Vault, we have to make sure that our Azure AD, Azure Key Vault, and managed identities are properly configured.  

Setting up this demo

Before starting this demo, I created an app registration in Azure AD, added delegated permissions to access the Microsoft Graph Invitation API, and copied the Azure AD TenantID, AppID, and AppSecret to Notepad. You can read this blog for more information on how to register an Azure AD app and set the required permissions.  

I also already deployed a Logic App called KeyVaultConnector in a new resource group called KeyVaultConnectorGroup. I used the Recurrence trigger for the Logic App. If you want more information on how to create a Logic App, check out this blog.

Now that we have everything in place, we can set up our Key Vault.  

Setting up the Key Vault 

To set up the Key Vault, navigate to the Azure portal, select Cloud Shell in the top right corner, select Bash and add the following line of code: 

az keyvault create --location westus --name SZConnectorKeyVault --resource-group KeyVaultConnectorGroup

  • Create the Key Vault in the same resource group where the Logic App is deployed (make sure to set a unique name for the Key Vault). 
  • Once it’s created, we can add the values of the service principal to it. To do this, navigate to the Azure Key Vault overview page in the Azure portal. 
  • In the left menu, under settings, select Secrets. In the top menu, click + Generate/import. There you can create the secrets for the service principal. Make sure Manual is selected for the upload option, and then add the values for the service principal:
Creating a secret for a service principal with Azure Key Vault
  • After adding the AppID, AppSecret, and TenantID, the list will look like this:

Now that we’ve set up the Key Vault, we can create our managed identity for the Logic App. 

Creating a managed identity for the Azure Logic App 

To create the managed identity, navigate to the newly-created Logic App in the Azure portal. 

  • From there, in the left menu under Settings, select Identity. 
  • Set the status to On and click Save. This will create the managed identity for the Logic App using the exact same name as the Logic App:
Creating a managed identity for Azure Logic App

Now that we have created the managed identity for the Logic App, we can add it to the Key Vault to access the values for the Azure AD registration. 

Adding the managed identity to Azure Key Vault

To add the managed identity that we created in the previous step to the Key Vault, you have to take the following steps: 

  • In the Key Vault overview blade, select Access Policies in the left menu. Then select + Add access policy:
Adding a managed identity to Azure Key Vault
  • Select the following values:
    • Secret Permissions: List and Get (this will allow the Logic App to retrieve values from the Key Vault) 
    • Select Principal: KeyVaultConnector 
  • Then select Add:
Adding an access policy in Azure

The managed identity of the Logic App now has permissions to retrieve values from the Key Vault. In the next step we are going to retrieve the values in our Logic App.  

Using service principals to connect Azure Key Vault and Azure Logic Apps

A service principal is essentially an identity for an app. As soon as you create an app in Azure, a corresponding service principal will be automatically created.


You can authenticate with a service principal with either a certificate or a secret, and you decide how long the certificate or secret will be valid—which means you need to remind yourself to create a new certificate or secret and switch over to it before the old one expires. Then, you need to update your app to use the new identity credential.

All in all, it takes a little more work on your end and opens you up to potential issues if you don’t rotate your access token before it expires.

The out-of-the-box Azure Key Vault connector is the easiest way to retrieve secrets, keys, certificates, and other values from the Key Vault in a Logic App. In this section, we’re going to use this connector and see what it has to offer.  

To do this, navigate to the Logic App that you created in the Azure portal. 

  • Click Edit to open the Logic App designer. 
  • Under the Recurrence trigger, click + New step. Search for Key Vault and select Get secret from the list:
Getting a secret from Azure Key Vault
  • Specify the name of the Key Vault you want to use. 
  • At this point, there are two different options to authenticate.
    • The first is to sign in with an Azure AD user account that has the proper permissions in Azure RBAC to access the Key Vault.
    • The other one is to connect with a service principal. When you select the latter here, you have to specify the Vault name, Client ID, Client Secret, and Tenant ID.  
  • Selecting the managed identity is not possible here:
Connecting to Azure Key Vault with a service principal
  • We don’t have a service principal created in Azure AD. Therefore, we’re going to connect with our administrator credentials for now. Click Connect with sign in and click the Sign in button. 
  • Pick your account, in my case this is an administrator account, so I have access to the Key Vault by default. After authenticating you can select the secrets from the Key Vault:
Retrieving a secret from Azure Key Vault

This is not an ideal way of authenticating. For applications, it is recommended that you use service principals over account credentials. However, the drawback with service principals is that we still need to handle the credentials and the rotation of the access tokens. These credentials need to be stored and the tokens expire and need to be renewed. That’s why we want to connect with our managed identity.  

Using managed identities to connect Azure Key Vault and Azure Logic Apps

You can think of managed identities essentially as managed service principals. When you create a managed identity, Azure will create a service principal for you and handle the secret rotation so that you don’t have to.

Another perk to using managed identities is that they are assigned to a resource, so you’re able to get the identity at run time without having to know the secret itself, making it more secure.

At the time of writing this blog, the only way to connect to the Key Vault using the managed identity is by using an HTTP action and making a request to the Key Vault API.  

That’s what I’ll show you how to do next.  

Delete the Azure Key Vault action from the Logic App designer and take the following steps: 

  • Add a new step to the canvas. 
  • Search for HTTP and select the HTTP action. Then select HTTP from the list.
Connecting to Azure Key Vault using API
  • Now, we can use the managed identity to connect to the Key Vault.  
  • Repeat this last step until you have retrieved the three secrets: AppID, AppSecret, and TenantID from the Key Vault. This will look like the following image:
  • Now that we have our Key Vault secrets using the managed identity, we can store them in variables. To do this, add three new steps and select the Initialize variable action. For each variable, add a name, such as AppID, AppSecret, and TenantID.  
  • Select the type string and add the following expressions for each action in the Value field: 
    • Value 1: body('Get_TenantID')?['value'] 
    • Value 2: body('Get_AppID')?['value'] 
    • Value 3: body('Get_AppSecret')?['value'] 
  • This will look like the following image:
  • Next, make a request to the Graph API.  
  • First, we need an access token from Azure AD. To get this, add another HTTP action under the previous one and add the following values (replace the TenantID, AppID, and AppSecret with the variables that were created in the previous steps): 

grant_type=client_credentials&client_id=@{variables('AppID')}&client_secret=@{variables('AppSecret')}&resource=

  • This will look like the following image:
  • Before continuing, first save the Logic App and Run it. 
  • When the Logic App finishes executing this action, click on the last HTTP action and copy the body from the output and paste it into Notepad. 
  • Open the Logic App in edit mode again and add a new step and select the Parse JSON action. We are going to parse the access token to a variable so we can use it in the next step.
  • Add the following values: 
    • Content: Select the Body from the previous step. 
    • Schema: For this, select Use sample payload to generate schema and paste the output from the previous step here to let the schema be generated based on the output of the body. 
  • Add a new HTTP action for the request to the Microsoft Graph using the access token. Add the following values: 
  • At this point, select the access token from the dynamic content list and make sure there is a space between the Bearer part and the access token:
  • Body:

{
  "inviteRedirectUrl": "",
  "invitedUserDisplayName": "Sjoukje Zaal",
  "invitedUserEmailAddress": "[email protected]",
  "invitedUserMessageInfo": {
    "customizedMessageBody": "Hey there! Check this out. I created an invitation through the Graph API"
  },
  "sendInvitationMessage": true
}

  • Click Save and run the Logic App again. This will create an external user in Azure AD B2B. 
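The managed-identity flow above, written out as a fragment of the Logic App's workflow definition (the designer's code view) instead of screenshots. This is an added example, not the author's exported definition: the vault name and the secret names AppID, AppSecret and TenantID come from the post, while the action names, the Key Vault api-version, the Graph resource URL and the placeholder invitee values are assumptions; the Get/Initialize pairs for AppSecret and TenantID repeat the AppID pattern and are omitted, and Secure Outputs is switched on for the secret-fetching action so the secret value is not shown in run history.

```json
{
  "actions": {
    "Get_AppID": {
      "type": "Http",
      "inputs": {
        "method": "GET",
        "uri": "https://SZConnectorKeyVault.vault.azure.net/secrets/AppID?api-version=7.4",
        "authentication": { "type": "ManagedServiceIdentity", "audience": "https://vault.azure.net" }
      },
      "runtimeConfiguration": { "secureData": { "properties": [ "outputs" ] } },
      "runAfter": {}
    },
    "Initialize_AppID": {
      "type": "InitializeVariable",
      "inputs": {
        "variables": [ { "name": "AppID", "type": "string", "value": "@{body('Get_AppID')?['value']}" } ]
      },
      "runAfter": { "Get_AppID": [ "Succeeded" ] }
    },
    "Get_Access_Token": {
      "type": "Http",
      "inputs": {
        "method": "POST",
        "uri": "https://login.microsoftonline.com/@{variables('TenantID')}/oauth2/token",
        "headers": { "Content-Type": "application/x-www-form-urlencoded" },
        "body": "grant_type=client_credentials&client_id=@{variables('AppID')}&client_secret=@{variables('AppSecret')}&resource=https://graph.microsoft.com"
      },
      "runAfter": { "Initialize_AppSecret": [ "Succeeded" ] }
    },
    "Parse_Token": {
      "type": "ParseJson",
      "inputs": {
        "content": "@body('Get_Access_Token')",
        "schema": { "type": "object", "properties": { "access_token": { "type": "string" } } }
      },
      "runAfter": { "Get_Access_Token": [ "Succeeded" ] }
    },
    "Create_Invitation": {
      "type": "Http",
      "inputs": {
        "method": "POST",
        "uri": "https://graph.microsoft.com/v1.0/invitations",
        "headers": { "Authorization": "Bearer @{body('Parse_Token')?['access_token']}", "Content-Type": "application/json" },
        "body": { "inviteRedirectUrl": "<redirect-url>", "invitedUserEmailAddress": "<invitee-email>", "sendInvitationMessage": true }
      },
      "runAfter": { "Parse_Token": [ "Succeeded" ] }
    }
  }
}
```

Leave Secure Outputs off the token action only while you need its body to generate the Parse JSON schema; once the schema is in place, enabling it there as well keeps the bearer token out of run history.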

And that’s it! We’ve now successfully created an external user in our Azure AD tenant using the credentials that were stored inside the Azure Key Vault.  

We used two different approaches to connect Azure Key Vault and Azure Logic Apps. First we used the out-of-the-box Azure Key Vault connector and created a service principal—which offers a lot of functionality but can’t be used in conjunction with a managed identity. And then we used the Key Vault API and the managed identity.  

Authenticating using a managed identity is the most secure way to connect to the Key Vault because you don’t have to log in using any credentials other than the Logic App’s own identity, and you don’t have to maintain any recycling of access tokens. This is all handled for you by Azure. 

Managed identity is newer than service principals, and it essentially builds on top of the concept of service principals—so, it’s helpful to understand how service principals work. But if you’re able to use managed identities instead of service principals, that’s what I’d recommend.
