How to create API connection (Logic App consumption) using ARM REST API

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .

As we know, we can deploy Logic App connector API connection using different ways, like via ARM template in Azure CLI, Powershell or DevOps. In some scenarios, customer may want to create the API connection using API calls which cannot perform interactive thing (like login with the credentials). The process described in the following article shows step-by-step guide to create API connection for a Logic App connector (consumption) using ARM REST API with client like Postman.

 

Register a client application with Azure AD

To register a client that accesses an Azure Resource Manager REST API:

1. Sign in the Azure portal, search for and select Azure Active Directory.

2. In the left panel, under Manage, select App registrations > New registration.

3. Enter a display Name for the application and specify who can use the application:

Yingjie_Shi_13-1657167083673.png

4. Select Register to complete the initial app registration.

5. Once the registration finishes, the Azure portal displays the app registration's Overview pane. The Application (client) ID uniquely identifies your application in the Microsoft identity platform. Please note down the Application (client) ID and Directory (tenant) ID for later use:

Yingjie_Shi_14-1657167083674.png

6. In the left panel, select Certificates & secrets > Client secrets > New client secret:

7. Add a description for your client secret and select an expiration for the secret or specify a custom lifetime.

8. Select Add

    Note: Please make sure to record the secret's value for use later. This secret value is never displayed again after you leave this page.     

Yingjie_Shi_0-1657175007767.png

9. In the left panel, select API permissions > Add a permission > Microsoft APIs, select Azure Service ManagementSelect Delegated permissions and select the permissions the client app should have on behalf of the signed-in user. Currently, Azure Service Management API has only one permission listed - user_impersonation.

Yingjie_Shi_16-1657167083676.png

10. Select Add permissions;

11. Back to the API permissions page, click Grant admin consent:

Yingjie_Shi_17-1657167083677.png

12. Please grant the registered application the Logic App Contributor role of the target resource group. Go to the resource group, in the left panel, select Access control (IAM)-> Add role assignment:

Yingjie_Shi_18-1657167083679.png

13. Search for Logic App Contributor

Yingjie_Shi_19-1657167083680.png

14. Select the registered application to be assigned the role -> Review + assign:Yingjie_Shi_20-1657167083681.pngYingjie_Shi_21-1657167083682.png

Note: If the Logic App Contributor role is not assigned, when trying to create the API connection using ARM API, you may encounter the following error:

 

	{
	    "error": {
	        "code": "AuthorizationFailed",
	        "message": "The client 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' with object id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' does not have authorization to perform action 'Microsoft.Web/connections/write' over scope '/subscriptions/<subscriptionid>/resourceGroups/LAtestRG/providers/Microsoft.Web/connections/testconn58' or the scope is invalid. If access was recently granted, please refresh your credentials."
	    }
}

 

 

Acquire an access token

After we have a valid client registration, we can use the OAuth 2.0 client credentials grant (non-interactive clients) to acquire an access token:

 

In the Postman, create a request like below:

1. From Method dropdown list, select POST method;

2. For URI, enter "https://login.microsoftonline.com/<Your tenant id>/oauth2/v2.0/token", please check step 5 above for your tenant id;

3. Add header with key: Content-Type, value: application/x-www-form-urlencoded:

Yingjie_Shi_22-1657167083683.png

4. In Body, select x-www-form-urlencoded and enter keys:

client_id= <your Application ID> (refer step 5 above)

scope=https://management.azure.com/.default

client_secret=<your secret value> (refer step 8 above)

grant_type=client_credentials

 

After sending the request, you should get the response like below and the access_token will be Bearer token used for the next call to create the API connection.

 

	{
	    "token_type": "Bearer",
	    "expires_in": 3599,
	    "ext_expires_in": 3599,
	    "access_token": "<encoded bearer-token>"
}

 

 

Call the ARM REST API to create the API connection

After we have a valid bearer token, we can send an HTTPS PUT request method for an Azure Resource Manager provider to create the API connection:

 

In the Postman, create a request like below:

1. From Method dropdown list, select PUT method;

2. For URI, enter "https://management.azure.com/subscriptions/<Your subscription id>/resourceGroups/<Your Resource Group Name>/providers/Microsoft.Web/connections/<API connection name>?api-version=2018-07-01-preview", for example: https://management.azure.com/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/LAtestRG/providers/Microsoft.Web/connections/testconn61?api-version=2018-07-01-preview

3. Add header with keys: 

Content-Type: application/json

Authorization: Bearer <bearer-token> (it's the access_token in the above step)

4. In Body, select raw and enter ARM template body of the API connection resource, for example:

 

{
        "properties": {
            "api": {
               "id": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Web/locations/australiaeast/managedApis/servicebus"
            },
            "parameterValueSet": {
            "name":"connectionstringauth",
            "values":{
               "connectionString":{
                    "value":"Endpoint=sb://<sbnamespace>.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=<Access key>"
                    }
                }
            },
            "displayName":"sbtest03"
        },
        "kind": "V1",
        "location": "australiaeast"
}

 

 

5. Then the successful response should be like below:

 

{
	    "kind": "V1",
	    "properties": {
	        "displayName": "sbtest03",
	        "authenticatedUser": {},
	        "overallStatus": "Connected",
	        "statuses": [
	            {
	                "status": "Connected"
	            }
	        ],
	        "parameterValueSet": {
	            "name": "connectionstringauth",
	            "values": {}
	        },
	        "customParameterValues": {},
	        "createdTime": "2022-07-06T03:39:23.9337935Z",
	        "changedTime": "2022-07-06T03:39:24.340078Z",
	        "api": {
	            "name": "servicebus",
	            "displayName": "Service Bus",
	            "description": "Connect to Azure Service Bus to send and receive messages. You can perform actions such as send to queue, send to topic, receive from queue, receive from subscription, etc.",
	            "iconUri": "https://connectoricons-prod.azureedge.net/releases/v1.0.1568/1.0.1568.2757/servicebus/icon.png",
	            "brandColor": "#c4d5ff",
	            "category": "Standard",
	            "id": "/subscriptions/711111111-1111-1111-1111-111111111111/providers/Microsoft.Web/locations/australiaeast/managedApis/servicebus",
	            "type": "Microsoft.Web/locations/managedApis"
	        },
	        "testLinks": [],
	        "testRequests": []
	    },
	    "id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/LAtestRG/providers/Microsoft.Web/connections/testconn61",
	    "name": "testconn61",
	    "type": "Microsoft.Web/connections",
	    "location": "australiaeast"
}

 

 

6. And in the target resource group, the API connection should be created:

Yingjie_Shi_0-1657172643211.png

 

Note: For the connections which require MFA, you would need to Authorize the API connection in the portal after creation.  

 

Hope it helps, thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.