Tags: azure, deployment, devops, azure-logic-apps, azure-rm-template

Deploying access policies in Azure


Does anyone know if it is really necessary to insert the actual object-ID in the access policy name property? It seems like it works just fine with any "string".

"name": "[concat('connection-name', '/', 'object-ID')]"

The object-ID is used together with the tenant-ID as one of the identity properties. So why does it have to be used twice according to Microsoft's ARM template description?

https://learn.microsoft.com/en-us/azure/logic-apps/azure-arc-enabled-logic-apps-create-deploy-workflows?tabs=azure-cli

    {
       "type": "Microsoft.Web/connections/accessPolicies",
       "apiVersion": "2016-06-01",
       "name": "[concat('<connection-name>', '/', '<object-ID>')]",
       "location": "<location>",
       "dependsOn": [
          "[resourceId('Microsoft.Web/connections', parameters('connection_name'))]"
       ],
       "properties": {
          "principal": {
             "type": "ActiveDirectory",
             "identity": {
                "objectId": "<object-ID>",
                "tenantId": "<tenant-ID>"
             }
          }
       }
    }

Solution

In single-tenant Azure Logic Apps, each logic app has an identity that is granted permissions by access policies to use Azure-hosted and managed connections.

The name property of the access policy in the above JSON code represents the connection name and it is a required field. You can give any string value in the name property. At the same time, it's not mandatory to put the object ID. But it's recommended to concatenate the object ID with the connection name to make the connection name unique and to avoid ambiguity.

Please check the following Microsoft.Web/connections/accesspolicies (ARM template) documentation for more information.
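As an added example (not code from the question, the answer, or Microsoft's documentation), the following Python script lints the accessPolicies resources of a rendered ARM template against the convention the answer describes: the name may be any string, but the recommended form is `<connection-name>/<object-ID>` with the second segment equal to `properties.principal.identity.objectId`. It also flags a `[concat(...)]` name that cannot be resolved from string literals alone, which catches the mismatched parentheses in the snippet above. The sample template, its connection names and its GUIDs are constructed placeholders; `resolve_name` is a deliberately minimal evaluator (literal-only `concat`) and is not a substitute for a real ARM deployment validation.

```python
"""Lint Microsoft.Web/connections/accessPolicies resources in an ARM template.

Added example, not from the original page. Assumes parameters have already
been substituted, so names are either plain strings or concat() of literals.
"""
import re
import uuid

ACCESS_POLICY_TYPE = "Microsoft.Web/connections/accessPolicies"

CONCAT_RE = re.compile(r"^\[concat\((.*)\)\]$", re.DOTALL)
LITERAL_RE = re.compile(r"^'([^']*)'$")

# Constructed sample values; not real tenant or object IDs.
OBJECT_ID = "11111111-2222-3333-4444-555555555555"
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def _policy(name, object_id=OBJECT_ID, tenant_id=TENANT_ID):
    """Build one access-policy resource for the constructed sample template."""
    return {
        "type": ACCESS_POLICY_TYPE,
        "apiVersion": "2016-06-01",
        "name": name,
        "location": "westeurope",
        "properties": {
            "principal": {
                "type": "ActiveDirectory",
                "identity": {"objectId": object_id, "tenantId": tenant_id},
            }
        },
    }


SAMPLE_TEMPLATE = {
    "resources": [
        # Recommended form: policy segment equals the object ID.
        _policy("[concat('connection-a', '/', '" + OBJECT_ID + "')]"),
        # Deploys fine, but the policy segment is an arbitrary string.
        _policy("connection-a/my-policy"),
        # Mismatched parentheses, as in the snippet quoted in the question.
        _policy("[concat('connection-b'),'/','" + OBJECT_ID + "')]"),
    ]
}


def resolve_name(name):
    """Return the literal name, or None if it is an expression we cannot
    evaluate statically (parameters(), variables(), malformed concat, ...).
    Splits on commas, so literals containing commas are out of scope."""
    if not (name.startswith("[") and name.endswith("]")):
        return name
    match = CONCAT_RE.match(name)
    if not match:
        return None
    parts = []
    for piece in match.group(1).split(","):
        literal = LITERAL_RE.match(piece.strip())
        if not literal:
            return None
        parts.append(literal.group(1))
    return "".join(parts)


def is_guid(value):
    """True if value parses as a GUID (the shape of an Azure AD object ID)."""
    try:
        uuid.UUID(str(value))
    except ValueError:
        return False
    return True


def lint_access_policies(template):
    """Return a list of human-readable findings for each access policy."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != ACCESS_POLICY_TYPE:
            continue
        raw = res.get("name", "")
        name = resolve_name(raw)
        if name is None:
            findings.append(f"{raw}: name expression could not be resolved statically (check its parentheses)")
            continue
        segments = name.split("/")
        if len(segments) != 2 or not all(segments):
            findings.append(f"{name}: expected '<connection-name>/<policy-name>'")
            continue
        policy = segments[1]
        principal = res.get("properties", {}).get("principal", {})
        if principal.get("type") != "ActiveDirectory":
            findings.append(f"{name}: principal.type should be 'ActiveDirectory'")
        identity = principal.get("identity", {})
        object_id, tenant_id = identity.get("objectId"), identity.get("tenantId")
        if not object_id or not tenant_id:
            findings.append(f"{name}: identity needs both objectId and tenantId")
            continue
        if not is_guid(object_id):
            findings.append(f"{name}: objectId {object_id!r} is not a GUID")
        if policy != object_id:
            findings.append(f"{name}: policy segment {policy!r} differs from objectId {object_id!r}; "
                            "any string is accepted, but the object ID keeps the name unique")
    return findings


if __name__ == "__main__":
    for line in lint_access_policies(SAMPLE_TEMPLATE):
        print(line)
```

Run it as a script to see the two findings for the constructed template; to lint a real template, `json.load` the rendered file and pass the dict to `lint_access_policies`. The first resource produces no finding, the second is reported as a free-form policy name, and the third is reported as unresolvable because `'connection-b')` is not a string literal.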