Azure-docs: Unable to use openAuthenticationPolicies in accessControl for Logic Apps ARM template

Created on 27 Aug 2020 · 3 Comments · Source: MicrosoftDocs/azure-docs

Using ARM template unable to use the openAuthenticationPolicies for Logic App deployment

    "accessControl": {
      "triggers": {
        "allowedCallerIpAddresses": [
          { "addressRange": "10.0.24.36/32" },
          { "addressRange": "10.0.104.44/32" }
        ],
        "openAuthenticationPolicies": {
          "policies": {
            "adfpolicy": {
              "type": "AAD",
              "claims": [
                {
                  "name": "Audience",
                  "values": "https://management.core.windows.net/"
                }
              ]
            }
          }
        }
      },
      "contents": {
        "allowedCallerIpAddresses": [
          { "addressRange": "10.0.24.36/32" },
          { "addressRange": "10.0.104.44/32" }
        ]
      }
    }

I get this error whenever the ARM template is executed. If I remove the openAuthenticationPolicies block the template works fine.

I am also confused about the values or value to be used in the claims block.

if _"claims": [{ "name": "Audience", "values": "https://management.core.windows.net/"}]_

Error waiting for deployment: Code="DeploymentFailed" Message="At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details." Details=[{"code":"BadRequest","message":"{\r\n \"error\" : {\r\n \"code\": \"InvalidRequestContent\",\r\n \"message\": \"The request content is not valid and could not be deserialized: 'Could not find member 'values' on object of type 'OpenAuthenticationPolicyClaim'. Path 'properties.accessControl.triggers.openAuthenticationPolicies.policies.adfpolicy.claims[0].values', line 1, position 434.'.\"\r\n }\r\n}"}]]

if _"claims": [{ "name": "Audience", "value": "https://management.core.windows.net/"}]_

Error waiting for deployment: Code="DeploymentFailed" Message="At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details." Details=[{"code":"BadRequest","message":"{\r\n \"error\" : {\r\n \"code\": \"OAuthIssuerClaimValue\",\r\n \"message\": \"OAuth authentication policy 'adfpolicy' in access control configuration of workflow is not valid. The required claim 'iss' is missing.\"\r\n }\r\n}"}]

Reference:



All 3 comments

@akdracarys - Thanks for posting the question. We are currently investigating the issue and will update you shortly.

@akdracarys Thanks for catching that! Based on the REST API Spec, it is indeed value and not values. I have corrected my comment in the issue that you've linked and I've also raised a PR for the doc, which once merged should reflect in a couple of hours.

As for the error that you see even when using value, it is stating that iss (Issuer in the portal) is a required claim. This is mentioned in the table above the ARM Template snippet. I've also added a note specific to the ARM Template section.

@PramodValavala-MSFT Thank you for clarifying. The issue has been resolved now.

       "accessControl": {
          "triggers": {
            "allowedCallerIpAddresses": [
              {
                "addressRange": "10.0.24.36/32"
              },
              {
                "addressRange": "10.0.104.44/32"
              }
            ],
            "openAuthenticationPolicies": {
                "policies": {
                  "adfpolicy": {
                    "type": "AAD",
                    "claims": [
                      {
                        "name": "iss",
                        "value": "https://sts.windows.net/"
                      },
                      {
                        "name": "aud",
                        "value": "https://management.core.windows.net/"
                      }
                    ]
                  }
                }
            }
          },
          "contents": {
            "allowedCallerIpAddresses": [
              {
                "addressRange": "10.0.24.36/32"
              },
              {
                "addressRange": "10.0.104.44/32"
              }
            ]
          }
        }
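
A pre-deployment check for the two failures in this thread, as an added example (not code from the issue or from Microsoft's docs): it walks an ARM template and flags claim members other than name/value and policies with no iss claim. The two rules come only from the error messages quoted above; the function names and the sample template are constructed for illustration.

```python
import json

# Constructed sample: the trigger policy from the issue, with the "values"
# member and no "iss" claim (the two conditions the deployment errors report).
SAMPLE_BAD = json.loads("""
{"accessControl": {"triggers": {"openAuthenticationPolicies": {"policies": {
  "adfpolicy": {"type": "AAD", "claims": [
    {"name": "Audience", "values": "https://management.core.windows.net/"}]}}}}}}
""")

ALLOWED_CLAIM_KEYS = {"name", "value"}  # from the InvalidRequestContent error
REQUIRED_CLAIMS = {"iss"}               # from the OAuthIssuerClaimValue error


def find_policies(node, path="$"):
    """Yield (path, policies) for every openAuthenticationPolicies block."""
    if isinstance(node, dict):
        for key, child in node.items():
            child_path = f"{path}.{key}"
            if key == "openAuthenticationPolicies" and isinstance(child, dict):
                yield child_path, child.get("policies", {})
            else:
                yield from find_policies(child, child_path)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from find_policies(child, f"{path}[{i}]")


def lint_template(template):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    for path, policies in find_policies(template):
        for pol_name, policy in policies.items():
            where = f"{path}.policies.{pol_name}"
            claims = [c for c in policy.get("claims", []) if isinstance(c, dict)]
            for i, claim in enumerate(claims):
                for key in sorted(set(claim) - ALLOWED_CLAIM_KEYS):
                    findings.append(f"{where}.claims[{i}]: unknown member '{key}'")
            names = {c.get("name") for c in claims}
            for missing in sorted(REQUIRED_CLAIMS - names):
                findings.append(f"{where}: required claim '{missing}' is missing")
    return findings


if __name__ == "__main__":
    for finding in lint_template(SAMPLE_BAD):
        print(finding)
```

Running it against the exported template in a pipeline step surfaces both problems before the deployment call, instead of one per failed deployment.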