Using EasyAuth to protect HTTP Triggers in Azure Logic Apps (Standard)

    #ServerlessTips - Azure Logic Apps
    Author: Kent Weare Integration MVP

    By default, when you expose an HTTP trigger in Azure Logic Apps, the callback URL includes a SAS key that is used for authentication. This makes connecting to your logic app very simple, but some organizations want additional governance over who can call the endpoint. Enabling EasyAuth allows you to impose the restriction that a valid Azure AD token has been passed to your logic app as a bearer token.

    EasyAuth is a capability of Azure App Service, so it is an approach that you will also find with Azure Functions and App Service web apps. Since Logic Apps (Standard) runs on top of the same platform as these products, the capability works across these different services.

    To see the detailed steps for enabling EasyAuth, please see the following video: 131 - Enabling EasyAuth for Azure Logic Apps (Standard) HTTP Triggers - YouTube. In summary, here are the steps that you need to perform to enable EasyAuth:

    1. Create an App Registration in Azure Active Directory
      a. Capture the Client ID, Tenant ID and client secret
    2. Request a client token from login.microsoftonline.com using those credentials
    3. Modify the logic app's authentication configuration through the Azure Management API
      a. Include the client ID, the allowed audiences and the object IDs that are allowed to call the endpoint
      b. The allowed audience can be derived by decoding the token created in step #2 and reading its aud claim
      c. Object IDs can belong to the service principal of an app registration or to a Managed Identity
    4. Create a new client token, or reuse the client token created in step #2
    5. Pass the client token from step #4 in the Authorization header of your request to your logic app as a bearer token

    Provided you have created a token successfully and it matches the configuration that you created in step #3, you will be able to call your logic app. To ensure that nobody can call your logic app using only the SAS key, check for the existence of a bearer token as part of your trigger condition, and discard the request if it is missing. The platform has already validated any token that is present before the request reaches the workflow, so the trigger condition only needs to reject requests that carry none.
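    The following Python script is an added worked example of steps 2, 3 and 5; it is not code from the article or its video. It runs offline: it builds the token request and the Azure Management API request rather than sending them, reads the aud and oid claims from a token, and mirrors the trigger-condition check. Everything specific in it is an assumption made for illustration: the GUIDs and resource names, the api-version, the choice of AllowAnonymous as the unauthenticated client action, and the sample token, which is unsigned, would never pass EasyAuth validation, and exists only to show how the audience and caller object ID are extracted. The authsettingsV2 body follows the App Service authentication V2 schema.

```python
import base64
import json
from typing import Any, Dict, Iterable


def _b64url(data: bytes) -> str:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample token with a placeholder signature segment (assumption).
# It would never pass EasyAuth validation; it only demonstrates step 3b.
SAMPLE_CLAIMS = {
    "aud": "api://11111111-2222-3333-4444-555555555555",
    "iss": "https://sts.windows.net/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/",
    "appid": "66666666-7777-8888-9999-000000000000",   # calling app registration
    "oid": "99999999-8888-7777-6666-555555555555",     # caller's service principal
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "signature-placeholder",
])


# Step 2: client-credentials token request to login.microsoftonline.com.
def client_credentials_request(tenant_id: str, client_id: str,
                               client_secret: str, scope: str) -> Dict[str, Any]:
    return {
        "method": "POST",
        "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "form": {"grant_type": "client_credentials", "client_id": client_id,
                 "client_secret": client_secret, "scope": scope},  # e.g. api://<app>/.default
    }


# Step 3b: read claims from the token. No signature check here on purpose:
# EasyAuth validates the token on every request; we only need aud and oid.
def decode_jwt_payload(token: str) -> Dict[str, Any]:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT: header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def derive_audience(token: str) -> str:
    aud = decode_jwt_payload(token).get("aud")
    if not aud:
        raise ValueError("token carries no aud claim")
    return aud[0] if isinstance(aud, list) else aud


# Step 3a: the authsettingsV2 body. AllowAnonymous lets SAS-only calls reach
# the workflow, which is why the article adds a trigger condition; Return401
# would make the platform reject them before the workflow runs.
def build_auth_settings_v2(client_id: str, tenant_id: str,
                           allowed_audiences: Iterable[str],
                           allowed_object_ids: Iterable[str],
                           unauthenticated_action: str = "AllowAnonymous") -> Dict[str, Any]:
    return {"properties": {
        "platform": {"enabled": True},
        "globalValidation": {"unauthenticatedClientAction": unauthenticated_action},
        "identityProviders": {"azureActiveDirectory": {
            "enabled": True,
            "registration": {"clientId": client_id,
                             "openIdIssuer": f"https://sts.windows.net/{tenant_id}/"},
            "validation": {
                "allowedAudiences": list(allowed_audiences),
                "defaultAuthorizationPolicy": {
                    "allowedPrincipals": {"identities": list(allowed_object_ids)}},
            },
        }},
    }}


# Step 3: the Management API call. It needs an ARM token for whoever manages
# the logic app (e.g. `az account get-access-token`), not the client token.
def management_put_request(subscription_id: str, resource_group: str, site_name: str,
                           body: Dict[str, Any], arm_token: str,
                           api_version: str = "2022-03-01") -> Dict[str, Any]:  # assumed version
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           f"/resourceGroups/{resource_group}/providers/Microsoft.Web/sites/{site_name}"
           f"/config/authsettingsV2?api-version={api_version}")
    return {"method": "PUT", "url": url, "body": body,
            "headers": {"Authorization": f"Bearer {arm_token}",
                        "Content-Type": "application/json"}}


# Step 5 / trigger condition: reject requests that arrive without a bearer token.
# In the workflow this is the same test over triggerOutputs()['headers'] (assumption).
def bearer_token_present(headers: Dict[str, str]) -> bool:
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, credential = auth.partition(" ")
    return scheme.lower() == "bearer" and credential.strip() != ""


if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    body = build_auth_settings_v2("11111111-2222-3333-4444-555555555555",
                                  "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                                  [derive_audience(SAMPLE_TOKEN)], [claims["oid"]])
    print(json.dumps(management_put_request("<subscription-id>", "<resource-group>",
                                            "<logic-app-name>", body, "<arm-token>"), indent=2))
    print("SAS-only request passes trigger condition:", bearer_token_present({}))
    print("Bearer request passes trigger condition:",
          bearer_token_present({"Authorization": f"Bearer {SAMPLE_TOKEN}"}))
```

    Reading the audience from a real token rather than guessing it matters because the aud value depends on how the app registration's identifier URI and accepted token version are configured. Note also that bearer_token_present only checks that a token was presented; it is safe as a gate solely because EasyAuth has already rejected any request whose token failed validation.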

    Conclusion

    In this post we discussed the importance of securing your HTTP trigger endpoints by using the EasyAuth feature. This approach ensures that clients present a valid Azure AD token before they can call your service.
