← Back to DevBytes

Logic Apps Security: IAM Policies and Network Security

Securing Azure Logic Apps: A Developer's Guide to IAM and Network Security

Azure Logic Apps serve as the orchestration backbone in countless enterprise integration workflows. They connect to SaaS applications, on-premises systems, databases, storage accounts, and custom APIs, often handling sensitive business data and triggering critical processes. Securing these workflows demands a layered approach. Two foundational pillars of Logic Apps security are Identity and Access Management (IAM) Policies and Network Security. This tutorial walks you through both, providing practical code examples, configuration patterns, and best practices you can apply directly in your own environment.

Identity and Access Management (IAM) Policies for Logic Apps

🚀 Deploy your AI agent in 10 minutes

Managed Hermes hosting. Zero DevOps. 100M tokens/mo included.

Try it free →

What IAM Means in the Context of Logic Apps

IAM governs who or what can perform actions on your Logic App resources, and what permissions a Logic App itself has when calling other Azure services. There are two distinct angles:

Modern Logic Apps use Managed Identities (system-assigned or user-assigned) as the preferred authentication method for downstream calls. Combined with Azure Role-Based Access Control (RBAC), you achieve a true zero-secret model, eliminating the need to embed connection strings, keys, or passwords inside workflow definitions.

Why IAM Matters

Weak identity controls lead to several common security risks:

Robust IAM ensures the principle of least privilege, reduces blast radius, and simplifies compliance by tying every action to a verifiable identity.

How to Implement IAM Policies

1. Enable System-Assigned Managed Identity

The simplest path is enabling the system-assigned identity on your Logic App. This identity is automatically provisioned by Azure, has a lifecycle tied to the Logic App resource, and can be granted RBAC roles on target services.

// Bicep snippet for Logic App with system-assigned managed identity
resource logicApp 'Microsoft.Logic/workflows@2019-05-01' = {
  name: 'la-order-processing'
  location: resourceGroup().location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    definition: {
      // workflow definition here
    }
    parameters: {}
    state: 'Enabled'
  }
}

Using Azure CLI, you can enable the identity on an existing Logic App:

# Enable system-assigned managed identity
az logic workflow identity assign \
  --resource-group rg-orders \
  --name la-order-processing \
  --system-assigned

2. Grant RBAC Roles to the Managed Identity

Once the identity exists, grant it exactly the permissions needed on target resources. For example, to let the Logic App read and write blobs in a storage container for order documents:

# Get the managed identity principal ID
PRINCIPAL_ID=$(az logic workflow show \
  --resource-group rg-orders \
  --name la-order-processing \
  --query identity.principalId -o tsv)

# Grant "Storage Blob Data Contributor" on a specific storage account
az role assignment create \
  --assignee $PRINCIPAL_ID \
  --role "Storage Blob Data Contributor" \
  --scope "/subscriptions//resourceGroups/rg-orders/providers/Microsoft.Storage/storageAccounts/stordersdocs" \
  --assignee-object-type ServicePrincipal

For Azure Service Bus, you might assign Azure Service Bus Data Sender or Azure Service Bus Data Receiver instead. Always prefer the narrowest built-in data-plane role that satisfies the workflow's needs.

3. Use Managed Identity in Workflow Actions

Inside the Logic App designer or code view, configure connectors to authenticate with the managed identity rather than a connection string. For the built-in Service Bus connector:

// Example action using managed identity authentication (Service Bus - built-in connector)
{
  "Send_a_message": {
    "type": "ServiceProvider",
    "inputs": {
      "parameters": {
        "queueName": "orders-queue",
        "content": {
          "OrderId": "@{triggerBody()?['OrderId']}"
        }
      },
      "serviceProviderConfiguration": {
        "connection": {
          "referenceName": "serviceBus-orders-connection"
        }
      }
    }
  }
}

In the connection definition, set "authentication" to use the managed identity:

// Connection resource definition for managed identity auth
{
  "type": "Microsoft.Web/connections",
  "apiVersion": "2016-06-01",
  "name": "serviceBus-orders-connection",
  "location": "[resourceGroup().location]",
  "properties": {
    "displayName": "ServiceBusOrders",
    "api": {
      "id": "/subscriptions//providers/Microsoft.Web/locations/westeurope/managedApis/servicebus"
    },
    "parameterValues": {
      "namespace": "sb-orders-prod",
      "policyName": "RootManageSharedAccessKey",
      "authenticationType": "ManagedServiceIdentity"
    }
  }
}

4. Control-Plane RBAC for Operators and Developers

Assign human identities (developers, DevOps engineers, support teams) roles scoped to the Logic App resource group or individual workflow. Use built-in roles:

# Assign Logic App Contributor to a developer at resource group scope
az role assignment create \
  --assignee developer@contoso.com \
  --role "Logic App Contributor" \
  --resource-group rg-integration-dev

For production, enforce just-in-time access or use Privileged Identity Management (PIM) to elevate permissions temporarily when troubleshooting failed runs.

5. User-Assigned Managed Identities for Multi-Workflow Scenarios

When multiple Logic Apps share the same downstream permissions, a user-assigned managed identity centralizes identity lifecycle and role grants. Create it once, assign roles once, then reference it across workflows.

// User-assigned managed identity resource
resource uamiLogicApps 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-logicapps-shared'
  location: resourceGroup().location
}

// Logic App referencing the user-assigned identity
resource logicApp 'Microsoft.Logic/workflows@2019-05-01' = {
  name: 'la-inventory-sync'
  location: resourceGroup().location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${uamiLogicApps.id}': {}
    }
  }
  properties: {
    state: 'Enabled'
    definition: {
      // workflow definition
    }
  }
}

Grant roles to the user-assigned identity's principal ID exactly as you would for a system-assigned one.

IAM Best Practices for Logic Apps

Network Security for Logic Apps

What Network Security Entails

Network security controls determine which network traffic can reach your Logic App and which outbound traffic the workflow generates. With the shift toward built-in, single-tenant Logic Apps (the "Logic Apps Standard" SKU hosted in App Service Environments), network controls have become significantly more granular. Consumption-tier Logic Apps also support network restrictions, though with some differences.

Key network security features include:

Why Network Security Matters

How to Implement Network Security

1. Restrict Inbound Traffic with Access Control Lists

For Consumption-tier Logic Apps, configure inbound IP restrictions through the portal or ARM template. Only allowed IP ranges can invoke HTTP-triggered workflows.

// ARM template snippet: IP restriction on Consumption Logic App
{
  "type": "Microsoft.Logic/workflows",
  "apiVersion": "2019-05-01",
  "name": "la-http-gateway",
  "location": "[resourceGroup().location]",
  "properties": {
    "definition": { /* workflow definition */ },
    "parameters": {},
    "state": "Enabled",
    "accessControl": {
      "triggers": {
        "allowedCallerIpAddresses": [
          {
            "addressRange": "192.168.100.0/24"
          },
          {
            "addressRange": "203.0.113.50"
          }
        ]
      },
      "actions": {
        "allowedCallerIpAddresses": []
      }
    }
  }
}

For Standard SKU Logic Apps (App Service-backed), use the ipSecurityRestrictions property on the App Service configuration, or leverage the built-in Networking blade in the portal.

// Bicep: Logic Apps Standard with inbound IP restrictions
resource logicAppSite 'Microsoft.Web/sites@2022-09-01' = {
  name: 'la-standard-orders'
  kind: 'workflowapp'
  location: resourceGroup().location
  properties: {
    siteConfig: {
      ipSecurityRestrictions: [
        {
          ipAddress: '10.20.0.0/24'
          action: 'Allow'
          priority: 100
          name: 'Allow-internal-vnet'
        }
      ]
      ipSecurityRestrictionsDefaultAction: 'Deny'
    }
  }
}

2. Deploy Private Endpoints for Total Isolation

A Private Endpoint assigns a private IP from your VNet to the Logic App, making it reachable only from within the VNet or peered networks. This is the strongest inbound control available.

// Bicep: Private Endpoint for Logic App Standard
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: 'pe-la-standard-orders'
  location: resourceGroup().location
  properties: {
    subnet: {
      id: subnetPrivateEndpoints.id
    }
    privateLinkServiceConnections: [
      {
        name: 'pe-connection-logicapp'
        properties: {
          privateLinkServiceId: logicAppSite.id
          groupIds: [
            'sites'
          ]
        }
      }
    ]
  }
}

// Optional: create a private DNS zone for the endpoint
resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.azurewebsites.net'
  location: 'global'
  properties: {}
}

resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = {
  parent: privateEndpoint
  name: 'dns-group'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'webapp-zone'
        properties: {
          privateDnsZoneId: privateDnsZone.id
        }
      }
    ]
  }
}

Using Azure CLI to create the Private Endpoint on an existing Logic App (Standard):

# Create Private Endpoint for a Logic Apps Standard site
az network private-endpoint create \
  --resource-group rg-orders \
  --name pe-la-standard-orders \
  --location westeurope \
  --connection-name pe-connection \
  --private-connection-resource-id /subscriptions//resourceGroups/rg-orders/providers/Microsoft.Web/sites/la-standard-orders \
  --group-id sites \
  --subnet /subscriptions//resourceGroups/rg-orders/providers/Microsoft.Network/virtualNetworks/vnet-orders/subnets/snet-privateendpoints

Once the Private Endpoint is active, disable public network access entirely:

# Disable public access on the Logic App Standard site
az webapp update \
  --resource-group rg-orders \
  --name la-standard-orders \
  --set publicNetworkAccess='Disabled'

3. Outbound VNet Integration for Secure Backend Calls

When a Logic App needs to reach services inside a VNet—on-premises SQL Server behind ExpressRoute, a private API, or a storage account with firewall enabled—configure outbound VNet integration. This routes traffic through the designated subnet.

// Bicep: outbound VNet integration on Logic Apps Standard
resource logicAppSite 'Microsoft.Web/sites@2022-09-01' = {
  name: 'la-vnet-integrated'
  kind: 'workflowapp'
  properties: {
    virtualNetworkSubnetId: subnetIntegration.id
    vnetRouteAllEnabled: true
  }
}

For Consumption Logic Apps, use the legacy "VNet Integration" via the portal or set the runtimeConfiguration in the ARM template:

{
  "properties": {
    "definition": { /* ... */ },
    "runtimeConfiguration": {
      "storage": {
        "name": "stordersvnet",
        "resourceGroupName": "rg-orders"
      }
    }
  }
}

Note that Consumption VNet integration requires a dedicated storage account accessible from within the VNet and uses a different mechanism than Standard SKU's native integration.

4. Lock Down Target Services with Service Firewall Rules

Even with VNet integration, the target service must trust the source. Configure Storage Accounts, Key Vaults, Service Bus namespaces, and other PaaS services to accept traffic only from your VNet or from specific service tags.

// Storage account locked to a specific VNet subnet
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'storderssecure'
  location: resourceGroup().location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    defaultAction: 'Deny'
    networkAcls: {
      bypass: 'AzureServices'
      virtualNetworkRules: [
        {
          id: subnetIntegration.id
          action: 'Allow'
        }
      ]
      ipRules: []
    }
  }
}

For Key Vault, similarly enable the firewall and add a virtual network rule:

# Add VNet rule to Key Vault firewall
az keyvault network-rule add \
  --resource-group rg-orders \
  --name kv-orders-prod \
  --subnet subnetIntegration.id \
  --action Allow

When using service tags, you can allow the AzureLogicApps tag on target service firewalls, but note this permits all Logic Apps in the region, which may be too broad for strict environments. Prefer VNet rules wherever possible.

5. Network Security for API Connections

Managed API connections (the connectors that bridge Logic Apps to external services) often have their own network considerations. Some connectors support connecting via VNet. For example, Azure SQL connectors can be configured with connection policies that enforce traffic through a private endpoint or VNet. Ensure connection strings resolve to private IPs when DNS is properly configured with private zones.

Network Security Best Practices

Combining IAM and Network Security: Defense in Depth

The most resilient security posture layers IAM and network controls together. Consider a high-security order processing workflow:

Even if an attacker compromises the Logic App's workflow definition (e.g., injecting a malicious HTTP action), the network egress controls prevent data exfiltration to arbitrary internet hosts. If the attacker somehow bypasses network restrictions, the managed identity's narrow RBAC scope limits the blast radius to a single storage container and queue—no ability to read secrets from Key Vault, delete other resources, or escalate privileges.

Best Practices Summary

Here is a condensed checklist for securing your Logic Apps from both the IAM and network perspectives:

Conclusion

Securing Azure Logic Apps is not a single configuration toggle—it is a deliberate, layered practice combining robust identity governance with rigorous network isolation. By adopting managed identities and fine-grained RBAC, you remove the single largest attack vector: static, over-privileged credentials. By wrapping your workflows in private networks with strict inbound and outbound rules, you dramatically shrink the exposure surface and gain full visibility into traffic patterns. Together, these pillars form a defense-in-depth model that protects your integration workloads from both external threats and insider risks. Start with the checklist above, iterate based on your compliance requirements, and treat security as an ongoing engineering discipline rather than a one-time setup.

🚀 Need a reliable AI agent for your project?

Deploy Hermes Agent in 10 minutes. Managed hosting, zero DevOps.

Get Started — $23.99/mo
← Back to all articles