🔐 Enabling Easy Auth for Azure Logic Apps (Standard)
Daniel Jonathan


Publish Date: Sep 21

When you expose a Logic App workflow through an HTTP trigger, you usually secure it with a Shared Access Signature (SAS) key (sig=...). While that works, it’s not ideal — anyone with the URL can call your workflow.

A better option is to enable App Service Authentication/Authorization (also known as Easy Auth) in front of your Logic App. This way, only callers with a valid Microsoft Entra ID (Azure AD) token can invoke your workflows.

In this guide, I’ll show you how to enable Easy Auth for Logic Apps Standard (single-tenant).


🚦 Prerequisites

  • A Logic App (Standard) deployed in Azure
  • An App Registration in Microsoft Entra ID (Azure AD)
  • Owner or Contributor rights on the Logic App resource

⚠️ Note: Easy Auth is not available for Logic Apps (Consumption). For Consumption, you’ll need API Management or IP restrictions.


🔧 Step 1: Enable, Configure, and Enforce Authentication

  1. Go to your Logic App in the Azure Portal.
  2. Under Settings, select Authentication.
  3. Click Add identity provider → choose Microsoft.
  4. Select your existing App Registration (or create a new one) and Save.
  5. After adding, click Edit on the Microsoft provider and configure:
    • Issuer URL: use the v2.0 endpoint for your tenant:
      https://login.microsoftonline.com/<tenantId>/v2.0
    • Allowed token audiences
      • api://<your-client-id>
      • <your-client-id> (the raw GUID)
    • Additional checks
      • Client application requirement
        • Allow requests from specific client applications (recommended, list trusted client IDs)
        • or Allow requests from any application (for testing)
      • Identity requirement
        • Allow requests from any identity (default)
        • or Allow requests from specific identities (restrict to chosen users/groups)
      • Tenant requirement
        • Only from this tenant (recommended for single-tenant)
        • or Allow requests from any Microsoft Entra tenant (multi-tenant)
  6. Open Authentication → Settings and review:
    • App Service authentication: Enabled
    • Restrict access: Require authentication (blocks unauthenticated requests)
  7. Save your changes.

  1. Acquire a token for your Logic App (using Postman, Azure CLI, or your app).
    • Example: in Postman, use grant_type=client_credentials with your client_id, client_secret, and scope.
    • The response will include an access_token.
    [Image: Generate token in Postman]
  2. Decode the token at https://jwt.ms.
    • Paste the access_token into the decoder.
    • Look for the claim "oid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" in the payload.
    • This value is the Object ID (OID) of the user or service principal.
    [Image: Decoded JWT showing OID]
  3. Configure Identity Requirement in your Logic App.
    • Go to Authentication → Microsoft provider → Identity requirement.
    • Select Allow requests from specific identities.
    • Paste the OID(s) you collected into the allowed list.
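
To check a token before adding its OID to the allowed list, the sketch below (an added example, not part of the original post) decodes the payload locally and compares its claims with the Step 1 settings. The GUIDs, the sample token and the function names are constructed for illustration, and the checks mirror the portal settings as listed above rather than App Service's own validation logic.

```python
import base64
import json

def decode_claims(token):
    """Decode a JWT payload locally for inspection (no signature verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def easy_auth_mismatches(claims, tenant_id, client_id, allowed_clients, allowed_oids):
    """List the Step 1 settings this token would not satisfy (assumed mapping)."""
    problems = []
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        problems.append("iss does not match the v2.0 Issuer URL")
    if claims.get("aud") not in (f"api://{client_id}", client_id):
        problems.append("aud is not in Allowed token audiences")
    if claims.get("tid") != tenant_id:
        problems.append("tid is not this tenant")
    # v2.0 tokens name the calling app in azp; v1.0 tokens use appid.
    if (claims.get("azp") or claims.get("appid")) not in allowed_clients:
        problems.append("client application is not allowed")
    if claims.get("oid") not in allowed_oids:
        problems.append("oid is not in the allowed identities")
    return problems

def b64url_json(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample values, not real tenant or application IDs.
TENANT = "11111111-1111-1111-1111-111111111111"
API_APP = "22222222-2222-2222-2222-222222222222"     # the Logic App's registration
CALLER_APP = "33333333-3333-3333-3333-333333333333"  # client that requested the token
CALLER_OID = "44444444-4444-4444-4444-444444444444"  # its service principal object ID
SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "aud": API_APP, "tid": TENANT, "azp": CALLER_APP, "oid": CALLER_OID,
}
SAMPLE_TOKEN = ".".join(
    [b64url_json({"alg": "RS256", "typ": "JWT"}), b64url_json(SAMPLE_CLAIMS), "c2ln"]
)

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print("oid:", claims["oid"])
    print("mismatches:", easy_auth_mismatches(
        claims, TENANT, API_APP, {CALLER_APP}, {CALLER_OID}))
```

A token issued by the v1.0 endpoint carries an https://sts.windows.net/<tenantId>/ issuer, so it is reported here as an iss mismatch against the v2.0 Issuer URL.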

✅ Validation & Testing

Here’s how the Logic App behaves with different authentication methods:

[Image: SAS and Easy Auth]

  1. Using SAS Key (default) → works, but less secure — anyone with the URL + sig can call it.
  2. Using Easy Auth (Bearer Token) → works ✅ — only valid Entra ID tokens are accepted.
  3. Missing Bearer Prefix → fails with 401 Unauthorized.

⚡ Wrapping Up

With Easy Auth enabled and Identity requirement restricted to specific OIDs:

  • Your Logic App endpoints are protected by Microsoft Entra ID.
  • Only specific client apps, tenants, and identities can access them.
  • This brings your Logic App in line with enterprise-grade API security practices.
