Hi Keerthi,
To fully automate the connection authorization in a Logic App Standard CI/CD pipeline, you need to explicitly create an Access Policy resource that grants your Logic App’s System-Assigned Managed Identity access to the API Connection.
When this access policy is omitted from your ARM/Bicep templates, the API connection successfully deploys but remains unauthenticated, displaying the “Access Policies are missing” warning in the portal.
You can automate this using one of the following methods:
Method 1: Automating via Bicep/ARM (Recommended)
Instead of relying on manual portal clicks, add the access policy as a child resource (Microsoft.Web/connections/accessPolicies) to your Bicep/ARM template during deployment.
Here is the correct Bicep snippet:
// Parameters assumed to be passed in from the pipeline
param logicAppName string
param connectionName string

// 1. Reference your existing Logic App to fetch its Identity
resource logicApp 'Microsoft.Web/sites@2022-09-01' existing = {
  name: logicAppName
}

// 2. Create the API Connection
resource myConn 'Microsoft.Web/connections@2016-06-01' = {
  name: connectionName
  location: resourceGroup().location
  properties: {
    // Your connection specific parameters here
  }
}

// 3. Create the Access Policy linking the Identity to the Connection
// Declared as a child of the connection via `parent`, so Bicep derives the
// full resource name, which must follow the pattern ConnectionName/LogicAppName
resource accessPolicy 'Microsoft.Web/connections/accessPolicies@2016-06-01' = {
  parent: myConn
  name: logicApp.name
  location: resourceGroup().location
  properties: {
    principal: {
      type: 'ActiveDirectory'
      identity: {
        tenantId: subscription().tenantId
        // Object ID of the Logic App's System-Assigned Managed Identity
        objectId: logicApp.identity.principalId
      }
    }
  }
}
Method 2: Azure CLI via DevOps Pipeline Task
If you prefer to authorize the connections using an inline script after the deployment job completes, you can use az resource create to explicitly create the child resource:
# Expects RG, LOGIC_APP_NAME and CONN_NAME to be set as pipeline variables
set -euo pipefail

# Get the Logic App Managed Identity Principal ID
principalId=$(az resource show \
  --resource-group "$RG" \
  --resource-type Microsoft.Web/sites \
  --name "$LOGIC_APP_NAME" \
  --query identity.principalId -o tsv)

# Get your Tenant ID and Subscription ID from the signed-in context
tenantId=$(az account show --query tenantId -o tsv)
SUB=$(az account show --query id -o tsv)

# Use the resource group's location for the policy, matching the connection
location=$(az group show --name "$RG" --query location -o tsv)

# Build the properties payload without shell-escaped quotes
props=$(printf '{"principal":{"type":"ActiveDirectory","identity":{"tenantId":"%s","objectId":"%s"}}}' \
  "$tenantId" "$principalId")

# Create the Access Policy child resource
az resource create \
  --id "/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Web/connections/$CONN_NAME/accessPolicies/$LOGIC_APP_NAME" \
  --api-version "2016-06-01" \
  --location "$location" \
  --properties "$props"
Crucial detail for your Zip Deploy: In addition to deploying the infrastructure access policies, ensure that the connections.json file inside your compiled workflow Zip Artifact configures the managed connections to use the identity. The authentication block should look like this:
"authentication": {
"type": "ManagedServiceIdentity"
}
Once you incorporate this child resource into your IaC pipeline and ensure your connections.json reflects Managed Identity auth, your connections will automatically be authorized post-deployment.
Let me know if you run into any issues adapting this to your specific connectors! Note: This response is drafted with the help of AI systems.
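A complete managedApiConnections entry for connections.json, showing the authentication block from the answer above in the context it is actually used in. This is an added example, not part of the original answer; the connector name (azureblob), the app setting names referenced via @appsetting() and the BLOB_CONNECTION_RUNTIMEURL setting are assumptions and should be replaced with the names used in your own project.

```json
{
  "managedApiConnections": {
    "azureblob": {
      "api": {
        "id": "/subscriptions/@{appsetting('WORKFLOWS_SUBSCRIPTION_ID')}/providers/Microsoft.Web/locations/@{appsetting('WORKFLOWS_LOCATION_NAME')}/managedApis/azureblob"
      },
      "connection": {
        "id": "/subscriptions/@{appsetting('WORKFLOWS_SUBSCRIPTION_ID')}/resourceGroups/@{appsetting('WORKFLOWS_RESOURCE_GROUP_NAME')}/providers/Microsoft.Web/connections/azureblob"
      },
      "connectionRuntimeUrl": "@appsetting('BLOB_CONNECTION_RUNTIMEURL')",
      "authentication": {
        "type": "ManagedServiceIdentity"
      }
    }
  }
}
```

The connection.id must point at the same Microsoft.Web/connections resource that the access policy is created under, otherwise the identity is granted access to a connection the workflow never uses. If the packaged connections.json still carries a local-development authentication block that references a connection key instead of ManagedServiceIdentity, the access policy alone will not authorize the connection at runtime.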