Using Sites.Selected Permissions in Azure Logic Apps with Managed Identity

Introduction

In the modern cloud-driven landscape, securing access to resources is crucial, especially when dealing with sensitive data. Azure Logic Apps provide a powerful platform for automating workflows, but with great power comes the need for granular control over permissions. One common scenario involves accessing SharePoint Online sites to retrieve or manipulate data. Instead of granting broad permissions across your entire SharePoint tenant, Azure now allows you to use the Sites.Selected permission. This approach lets you restrict access to specific SharePoint sites, ensuring tighter security. In this blog post, we’ll walk you through how to use Sites.Selected permissions with Azure Logic Apps and Managed Identity.

Why Use Sites.Selected Permissions?

Traditionally, applications interacting with SharePoint Online had two main permission scopes: Sites.Read.All and Sites.FullControl.All. These scopes grant read or full control across all site collections within your tenant. While effective, these permissions are often overkill, especially if your application only needs to access a handful of specific sites.

Sites.Selected permissions provide a solution by allowing you to grant access to only the sites your application needs. This approach adheres to the principle of least privilege, minimizing the risk of unauthorized access to other sites.

Step-by-Step Guide: Configuring Sites.Selected Permissions in Azure Logic Apps

Step 1: Create a Logic App

  1. Navigate to the Azure Portal and create a new Logic App.
  2. Configure the workflow according to your business requirements; this guide assumes the workflow needs to interact with SharePoint Online.

Step 2: Enable System-Assigned Managed Identity

  1. Enable Managed Identity:
    • In your Logic App, go to Identity under Settings.
    • Switch on the System-assigned managed identity option.
  2. Copy the Object ID:
    • After enabling the managed identity, copy the Object ID of the managed identity, which is necessary for assigning permissions. Example: c718eabd-f8c6-467a-983d-ced8f10f2647.

Step 3: Retrieve Managed Identity Details from Entra ID

  1. Go to Microsoft Entra ID:
    • Navigate to Microsoft Entra ID in the Azure portal.
  2. Search for the Managed Identity:
    • Click on Enterprise Applications.
    • Remove all default filters to reveal all applications.
    • Search for your Logic App’s managed identity either by using the Object ID copied earlier or by the name of the Logic App.
  3. Get the Application ID:
    • Once you find the managed identity, copy the Application ID for later use. Example: b932ea69-4f50-4182-a462-e0a9a5269a22.

Step 4: Assign the Required Permissions to the Managed Identity

To allow the managed identity to access specific SharePoint sites, follow these steps:

1. Connect to Microsoft Graph:

Open PowerShell and connect to Microsoft Graph:

$scope = "Sites.Selected"
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Sites.FullControl.All"

2. Retrieve the SharePoint Online Principal:

Get the service principal and service principal role for SharePoint Online:

$spoPrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0ff1-ce00-000000000000'"
$spoPrincipalRole = $spoPrincipal.AppRoles | Where-Object Value -eq $scope

Note: To get the list of Application IDs of commonly used Microsoft applications visit the following URL: Verify first-party Microsoft applications in sign-in reports – Azure | Microsoft Learn

3. Assign the Sites.Selected Role:

Use the Object ID of the managed identity to create a role assignment:

# Object ID of the Logic App's managed identity (copied in Step 2)
$identity = "c718eabd-f8c6-467a-983d-ced8f10f2647"

# principalId = the identity receiving the role, resourceId = the SharePoint Online
# service principal, appRoleId = the Id of the Sites.Selected app role found above
$roleAssignment = @{
    "principalId" = $identity
    "resourceId" = $spoPrincipal.Id
    "appRoleId" = $spoPrincipalRole.Id
}

New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $identity -BodyParameter $roleAssignment | Format-List

Here,
– $identity contains the Object ID of the managed identity that was generated in Step 2
– $spoPrincipal is the service principal for SharePoint Online retrieved in the second step of Step 4
– $spoPrincipalRole is the app role on that service principal (in our case, it's Sites.Selected) retrieved in the second step of Step 4; its Id is what the assignment's appRoleId must contain
– for more information about the cmdlet used here visit the following URL: New-MgServicePrincipalAppRoleAssignment (Microsoft.Graph.Applications) | Microsoft Learn
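The steps above as one script, added here as an example rather than code from the original post: it looks up the Sites.Selected app role, assigns it to the managed identity only if the assignment does not already exist (so re-running the script is safe), and then lists every app role the identity holds on SharePoint Online so the grant can be verified and audited. The placeholder Object ID is an assumption to be replaced with the value from Step 2; only the two Graph scopes actually used for the assignment are requested.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph.Applications module.
$identityObjectId = "<ManagedIdentityObjectId>"   # placeholder: Object ID copied in Step 2
$scope = "Sites.Selected"

Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

# SharePoint Online first-party service principal (well-known AppId)
$spoPrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0ff1-ce00-000000000000'"

# Pick the application (not delegated) role named Sites.Selected
$spoRole = $spoPrincipal.AppRoles |
    Where-Object { $_.Value -eq $scope -and $_.AllowedMemberTypes -contains "Application" }
if (-not $spoRole) { throw "App role '$scope' not found on the SharePoint Online service principal." }

# Skip the assignment if the identity already holds this role on this resource
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $identityObjectId |
    Where-Object { $_.AppRoleId -eq $spoRole.Id -and $_.ResourceId -eq $spoPrincipal.Id }

if ($existing) {
    Write-Host "'$scope' is already assigned to $identityObjectId (assignment $($existing.Id))."
} else {
    $body = @{
        principalId = $identityObjectId   # the managed identity receiving the role
        resourceId  = $spoPrincipal.Id    # the SharePoint Online service principal
        appRoleId   = $spoRole.Id         # the Sites.Selected app role
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $identityObjectId -BodyParameter $body | Out-Null
    Write-Host "Assigned '$scope' to $identityObjectId."
}

# Audit: resolve every SharePoint Online app role this identity holds to its name.
# Anything other than Sites.Selected here means the identity has broader access than intended.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $identityObjectId |
    Where-Object ResourceId -eq $spoPrincipal.Id |
    ForEach-Object {
        $roleName = ($spoPrincipal.AppRoles | Where-Object Id -eq $_.AppRoleId).Value
        [pscustomobject]@{ Role = $roleName; AssignmentId = $_.Id; Created = $_.CreatedDateTime }
    }
```

The final audit listing is the quick check that the identity ended up with Sites.Selected only; if a broader role such as Sites.FullControl.All shows up, it was assigned elsewhere and should be reviewed.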

Step 5: Grant Permissions to the SharePoint Site

1. Connect to SharePoint Online:

Use the PnP PowerShell module to connect to the specific SharePoint site:

Connect-PnPOnline -Url "<SharePoint Site URL>" -Interactive

Here, supply the URL of the SharePoint site for which permissions need to be configured, i.e. the site from which the Logic App will fetch or manipulate data.

2. Grant the Azure AD App Permission:

Assign the managed identity application the necessary permissions on the site:

Grant-PnPAzureAdAppSitePermission -AppId "<AppID>" -DisplayName "<LogicAppName>" -Permissions Read -Site "<SharePointSiteURL>"

Here,
– Replace the <AppID> with the Application ID that was copied in Step 3
– Replace the <LogicAppName> with the display name of the Logic App
– Replace the <SharePointSiteURL> with the URL of SharePoint Site from where data needs to be managed.
Note: In the above cmdlet, we grant Read permission because this example only reads data. The cmdlet also supports the other permission levels Write, Manage and FullControl; choose the level your workflow needs. For more details about this cmdlet, visit the official documentation at: Grant-PnPAzureADAppSitePermission | PnP PowerShell

3. Verify the Permissions:

Check if the permissions have been correctly applied:

Get-PnPAzureADAppSitePermission -Site "<SharePointSiteURL>" -AppIdentity "<AppID>"
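Step 5 as one script, added here as an example and not code from the original post: it grants the chosen permission level on a single site only if the app has no grant there yet, checks that the resulting roles match what was requested, and finally lists every application that holds a Sites.Selected grant on that site so stale or unexpected grants can be reviewed. The placeholder values are assumptions to be replaced as described above; the Id, Roles and Apps property names read from the returned permission objects are taken from the PnP cmdlet's output and are assumed here.

```powershell
# Added example (not from the original post). Requires the PnP.PowerShell module.
$appId       = "<AppID>"              # placeholder: Application ID copied in Step 3
$displayName = "<LogicAppName>"       # placeholder: display name of the Logic App
$siteUrl     = "<SharePointSiteURL>"  # placeholder: the one site the Logic App may use
$permission  = "Read"                 # Read, Write, Manage or FullControl

Connect-PnPOnline -Url $siteUrl -Interactive

# Grant only if this app has no permission on the site yet (keeps re-runs from stacking grants)
$current = Get-PnPAzureADAppSitePermission -Site $siteUrl -AppIdentity $appId -ErrorAction SilentlyContinue
if ($current) {
    Write-Host "App $appId already has a permission on $siteUrl"
    $current | Format-List Id, Roles, Apps
} else {
    Grant-PnPAzureADAppSitePermission -AppId $appId -DisplayName $displayName -Permissions $permission -Site $siteUrl |
        Format-List
}

# Verify the grant exists and carries exactly the requested role
$granted = Get-PnPAzureADAppSitePermission -Site $siteUrl -AppIdentity $appId
if (-not $granted) { throw "No site permission found for app $appId on $siteUrl" }
if ($granted.Roles -notcontains $permission) {
    Write-Warning "App $appId holds roles '$($granted.Roles -join ', ')' rather than '$permission' on $siteUrl"
}

# Audit: every application with Sites.Selected access to this site, one row per grant.
# Review this list periodically; grants outlive the workflows that needed them.
Get-PnPAzureADAppSitePermission -Site $siteUrl | ForEach-Object {
    [pscustomobject]@{
        PermissionId = $_.Id
        Roles        = ($_.Roles -join ",")
        Apps         = (($_.Apps | ForEach-Object { "$($_.DisplayName) ($($_.Id))" }) -join "; ")
    }
}
```

The PermissionId column is what a later Revoke-PnPAzureADAppSitePermission call needs, so keeping this listing with the deployment record makes it easy to remove the grant when the Logic App is retired.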

Conclusion

By following these steps, you’ve configured your Azure Logic App to use Sites.Selected permissions with a Managed Identity. This setup ensures that your Logic App only accesses specific SharePoint Online sites, enhancing the security of your automation workflows. Using the Sites.Selected permission scope effectively limits access and adheres to best practices in cloud security.

Note: While this guide uses Azure Logic Apps for demonstration purposes, the same principles can be applied to any Azure service that supports managed identities and requires granular permissions, such as Azure Functions, Azure Data Factory, or Azure Automation. The ability to restrict access to specific resources rather than the entire tenant can be a powerful security measure across a wide range of Azure services.

Call to action

Implement this security measure in your Azure environment to ensure that your Logic Apps are both functional and secure. Start by creating a Logic App today and see the benefits of granular access control with Sites.Selected permissions.
