Securing your Logic App via API Management

There are different ways to protect a Logic App: generating a shared access signature (SAS), restricting IP addresses, using Azure AD, exposing the Logic App through API Management and leveraging its features, or deploying the Logic App into an Integration Service Environment, where it runs in an isolated environment.

Every request endpoint of a Logic App has a shared access signature (SAS) associated with it.


I have created a simple Logic App called demoLogicapp which returns “Hello World”. Below is the URL for my Logic App.
/invoke?api-version=2016-10-01&

The main purpose of the SAS token associated with our Logic App is authentication and authorization. Having those details in the URL can be problematic: anyone who knows the token can send inappropriate requests to the endpoint. It is always wise to hide those details, or to pass them as a header property (subscription key, bearer token, etc.) rather than in the URL.

Navigate to your API Management service in Azure and let's add a new API. I will select the “demoLogicapp” created earlier and click on CREATE.



Once the API is created, click on the highlighted icon below – FRONT END. Here we will define the headers for our API.

  • Content-Type
  • SAS-Token



Now, looking at the Logic App URI we had, the highlighted part below is what we want to pass as the SAS-Token header of the API request we defined above.
/invoke?api-version=2016-10-01&

This value can be stored in the Named values tab of the API Management instance, which lets you define common values or secrets that can then be referenced from policies.


Now let’s set the policy so that the SAS-Token can be sent in the header of the API request we defined above. Navigate to the policies of your demoLogicapp API and click on Code view (</>).


Create a new variable called sasToken as below –

Make the necessary changes to rewrite-uri. The template attribute here is responsible for routing your request from the API to the Logic App instance.

Remove the highlighted part from the rewrite-uri.





Now let’s set the set-query-parameter policy, which will help us pass the value of the SAS-Token header on to the Logic App.
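The inbound policy the steps above build up, written out as an added example (not the post's own policy code). It assumes a named value called sasToken holding the signature, the Logic App's standard trigger query parameters (sp, sv, sig), and that the API's backend URL already points at the Logic App workflow; the trigger path and the sp value are placeholders for your own workflow.

```xml
<policies>
  <inbound>
    <base />
    <!-- Reject the call early if the caller's token does not match the
         stored named value {{sasToken}}; APIM answers 401 itself. -->
    <check-header name="SAS-Token" failed-check-httpcode="401"
                  failed-check-error-message="Invalid or missing SAS-Token header"
                  ignore-case="true">
      <value>{{sasToken}}</value>
    </check-header>
    <!-- The variable created in the step above: the secret comes from the
         named value, never from the client URL. -->
    <set-variable name="sasToken" value="{{sasToken}}" />
    <!-- Route to the Logic App trigger. The sig part has been removed from the
         template; copy-unmatched-params="false" stops callers from appending
         their own query parameters. Path and sp are placeholders. -->
    <rewrite-uri template="/triggers/manual/paths/invoke?api-version=2016-10-01&amp;sp=%2Ftriggers%2Fmanual%2Frun&amp;sv=1.0"
                 copy-unmatched-params="false" />
    <!-- Re-attach the signature as the sig query parameter the Logic App validates. -->
    <set-query-parameter name="sig" exists-action="override">
      <value>@((string)context.Variables["sasToken"])</value>
    </set-query-parameter>
    <!-- Do not forward the caller's header to the backend. -->
    <set-header name="SAS-Token" exists-action="delete" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

With this in place the signature only ever travels between APIM and the Logic App; the client needs the SAS-Token header (and the API's subscription key, if required) but never sees the Logic App URL.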


Now let’s test the Logic App using Postman. On passing the header properties correctly, you will get a successful response back. As a test case I passed an invalid token and got an authentication error. Passing the correct value then gives you the appropriate response back.



You can add further security by restricting or allowing specific IP addresses. Navigate to the Workflow settings of your Logic App and do as below –


When I now run the Postman request again, I get the error message below. As soon as I whitelist the IP in the workflow settings, I see a successful response back.

