sasAuthenticationPolicy JSON object disable in Logic App

Question

sasAuthenticationPolicy JSON object disable in Logic App

AdamBudzinskiAZA-0329 96

hi,

anyone has a working example on hop to patch a Logic App to disable SAS token ?

https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app?tabs=azure-portal&ref=hybridbrothers.com#add-the-sasauthenticationpolicy-property-to-your-workflow-definition

{
  "properties": {
    "definition": {
      "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "$connections": {
          "defaultValue": {},
          "type": "Object"
        }
      },
      "triggers": {
        "When_a_HTTP_request_is_received": {
          "type": "Request",
          "kind": "Http",
          "inputs": {
            "method": "POST",
            "schema": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "id": {
                    "type": "string"
                  },
                  "topic": {
                    "type": "string"
                  },
                  "subject": {
                    "type": "string"
                  },
                  "data": {
                    "type": "object",
                    "properties": {
                      "timestamp": {
                        "type": "string"
                      },
                      "policyAssignmentId": {
                        "type": "string"
                      },
                      "policyDefinitionId": {
                        "type": "string"
                      },
                      "policyDefinitionReferenceId": {
                        "type": "string"
                      },
                      "complianceState": {
                        "type": "string"
                      },
                      "subscriptionId": {
                        "type": "string"
                      },
                      "complianceReasonCode": {
                        "type": "string"
                      }
                    }
                  },
                  "eventType": {
                    "type": "string"
                  },
                  "eventTime": {
                    "type": "string"
                  },
                  "dataVersion": {
                    "type": "string"
                  },
                  "metadataVersion": {
                    "type": "string"
                  }
                },
                "required": [
                  "id",
                  "topic",
                  "subject",
                  "data",
                  "eventType",
                  "eventTime",
                  "dataVersion",
                  "metadataVersion"
                ]
              }
            }
          },
          "conditions": [
            {
              "expression": "@startsWith(triggerOutputs()?['headers']?['Authorization'], 'Bearer')"
            }
          ],
          "operationOptions": "EnableSchemaValidation, IncludeAuthorizationHeadersInOutputs"
        }
      },
      "actions": {},
      "outputs": {}
    },
    "parameters": {
      "$connections": {
        "value": {}
      }
    },
    "accessControl": {
      "triggers": {
        "openAuthenticationPolicies": {
          "policies": {
            "etst": {
              "type": "AAD",
              "claims": [
                {
                  "name": "iss",
                  "value": "https://sts.windows.net/tennt-id-goes-here/"
                }
              ]
            }
          }
        },
        "sasAuthenticationPolicy": {
          "state": "Disabled"
        }
      }

getting

{

"error": {

"code": "PatchWorkflowPropertiesNotSupported",

"message": "The request to patch workflow 'Logic App' is not supported. None of the fields inside the properties object can be patched."

}

anyone ?

Vahid Ghafarpour 23,200 Reputation points

2025-04-19T02:38:20.4633333+00:00

Unfortunately, Azure Logic Apps does not support direct patching of workflow properties, including disabling SAS authentication through an API call.

If you need to automate this, modify the ARM template and redeploy the Logic App with the sasAuthenticationPolicy set to "Disabled".
Shireesha Eeraboina 2,815 Reputation points Microsoft External Staff

2025-04-21T05:56:27.79+00:00

Hello AdamBudzinskiAZA-0329,

Following up to see if you had a chance to review the information provided above to Vahid Ghafarpour and Suwarna S Kale . If you have any further updates on this issue, please feel free to share them here.
Shireesha Eeraboina 2,815 Reputation points Microsoft External Staff

2025-04-22T04:18:29.38+00:00

Hello AdamBudzinskiAZA-0329,

Could you confirm if you are still experiencing the issue?
AdamBudziski-8216 21 Reputation points

2025-04-22T11:26:14.48+00:00
@Suwarna S Kale thank you for reaching out!

I've exported the ARM template from the portal, added the required objects to disable

sasAuthenticationPolicy and deployed the template with the New-AzResourceGroupDeployment cmdlet. Checked in the Logic App and in fact can confirm that the Request trigger's URL no longer includes the SAS.

Tested with Postman, it now requires a Bearer token to be included with any request.

{ "error": { "code": "DirectApiAuthorizationRequired", "message": "The OAuth authorization scheme is required. Please add authentication scheme and try again." } }

In my Logic App created an Azure Active Directory Authorization Policy for or Logic App. As a bear minimum, include the issuer claim to point to my tenant.

Requested a new token with

$accessToken = $accessToken = az account get-access-token | ConvertFrom-Json $accessToken.accessToken

and included as Bearer token in the authorization header in Postman, and it worked, the Loigc App run history confirms that it was triggered, and without SAS based authentication.

However, now I’m facing another issue. I was looking for a way to disable SAS auth in my consumption Logic App, because according to the MSFT docs, if both SAS based, and Entra / OAuth based is enabled at the same time, authentication may/will fail.

What I’m trying to achieve is configure an Event Grid subscription for an Event Grid System Topic of type policy insights to catch policy state changes (for example resource changing state from compliant to non-compliant). When configuring the event grid subscription, I select the endpoint type to by of type Web Hook (since there’s no Logic App dedicated one) and endpoint, here I passed the HTTP request trigger URI from my Logic App.

I also have followed https://learn.microsoft.com/en-us/azure/event-grid/secure-webhook-delivery to configure event delivery to Entra protect endpoints (in my case Logic App).

But whenever I try to save the event subscription details, I’m getting the following error

It works ONLY when I use the HTTP trigger URL from the Logic App when it includes a SAS as a query parameter ! I’m sure everything on my end is configured correctly, because I have configured for test a dummy webhook in Pipedream and when receiving the POST requests from Event Grid I can see that it includes a Bearer token with the correct claims !

Why is his not working? Is there any limitations regarding Logic Apps in Consumption tier ?
Suwarna S Kale 2,136 Reputation points

2025-04-22T23:50:21.0366667+00:00
Hello AdamBudziski-8216,

The issue arises due to a fundamental limitation in how Azure Event Grid interacts with Logic Apps (Consumption) when OAuth authentication is enforced. While Logic Apps support disabling SAS-based authentication in favor of OAuth (Bearer tokens), Event Grid’s webhook delivery mechanism does not yet support sending events with OAuth tokens to Consumption-tier Logic Apps. Instead, Event Grid relies on SAS tokens for authentication when invoking Logic App HTTP triggers.

This creates a conflict: If SAS is disabled, Event Grid cannot deliver events, yet enabling SAS reintroduces security risks. The problem does not exist in Logic Apps (Standard), which supports Managed Identity authentication for Event Grid. However, Consumption Logic Apps lack this capability, forcing users to either re-enable SAS (with manual token validation) or introduce an intermediary service (like Azure Functions) to handle OAuth authentication before forwarding events.

There are few alternatives you may try, as I have provided below options:

Option 1: Re-enable SAS (Temporarily) & Use Event Grid Validation

Re-enable SAS in your Logic App (either via ARM template or the portal).

Configure an Event Grid subscription using the SAS-based URL.

Add manual OAuth validation inside the Logic App:

Use an "HTTP Request" trigger (instead of the built-in Event Grid trigger).

Add a "Parse JSON" action to extract the Authorization header.

Use a "Condition" action to validate the Bearer token (if present).

If the token is missing/invalid, reject the request.

Option 2: Use an Intermediate Azure Function (Recommended) - Since Event Grid does support OAuth for Azure Functions, you can:

Create an Azure Function with an Event Grid trigger.

Configure OAuth (Bearer token) authentication for the Function.

Forward the event to your Logic App (using its OAuth-protected endpoint).

This way, Event Grid authenticates with the Function (OAuth), and the Function forwards the event to the Logic App (also OAuth).

If the above answer helped, please do not forget to "Accept Answer" as this may help other community members to refer the info if facing a similar issue. Your contribution to the Microsoft Q&A community is highly appreciated.
Shireesha Eeraboina 2,815 Reputation points Microsoft External Staff

2025-04-24T03:59:17.1633333+00:00

Hello AdamBudzinskiAZA-0329,

Just checking in to see if the above information provided by Suwarna S Kale helped.

if you have any further query do let us know.
AdamBudzinskiAZA-0329 96 Reputation points

2025-04-24T09:50:09.8433333+00:00
@Suwarna S Kale Thank you for the detailed input, however I’m bit confused.

You stated that “Event Grid’s webhook delivery mechanism does not yet support sending events with OAuth tokens to Consumption-tier Logic Apps”

This would hold true, as I can see that the event grid subscription can only be successfully saved when the Logic App HTTP URL includes the SAS.

But then you outline the following steps:

Option 1: Re-enable SAS (Temporarily) & Use Event Grid Validation

Re-enable SAS in your Logic App (either via ARM template or the portal). I understand and can see why this would have to ne re-enabled (with SAS disabled) the URI does not include the SAS token as query parameter

Configure an Event Grid subscription using the SAS-based URL. Same as above

Add manual OAuth validation inside the Logic App: But this I don’t get tbh. Additionally quoting from https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app?tabs=azure-portal&ref=hybridbrothers.com#considerations-before-you-enable-oauth-20-with-microsoft-entra-id

Use an "HTTP Request" trigger (instead of the built-in Event Grid trigger). à this is what I’m using, the built-in Event Grid trigger never worked for me.

Add a "Parse JSON" action to extract the Authorization header.

Use a "Condition" action to validate the Bearer token (if present).

If the token is missing/invalid, reject the request.

So according to the linked doc one cannot use SAS and OAuth authorization schema at the same time. What would be the exact steps ?

Re-enable SAS on the Logic App

Configure Entra authentication for Event Grid secure event delivery to the Logic App webhook endpoint https://learn.microsoft.com/en-us/azure/event-grid/secure-webhook-delivery

Delete the Azure Active Directory Authorization Policy from the Logic App

Configure the Event Grid subscription pointing to Logic App HTTP trigger URI using SAS

Validate incoming requests in the Logic App workflow whether a Bearer token is included in the header of the incoming request ? Many articles advise the following, however I’m afraid that’s just a primitive way of checking for the presence of a Bearer token, so I doubt it would get validated and in theory a forged token could be inserted in a request header and still bypass the token validation part.
Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-04-25T21:04:34.45+00:00

Hello AdamBudzinskiAZA-0329,

Could you please check private message and share me the requested to proceed further.
Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-04-28T18:43:30.83+00:00

Hello AdamBudzinskiAZA-0329,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
AdamBudziski-8216 21 Reputation points

2025-04-30T07:04:20.13+00:00

@Praveen Kumar Gudipudi H, I don't see any private message from you.

Thanks,

Adam
Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-04-30T16:24:43.3733333+00:00

Hello AdamBudzinskiAZA-0329,

Could you please share me Http request trigger raw out.

That would help me to check whether you received token or not. According to that we can write a trigger condition.
Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-05-02T19:43:51.41+00:00

Hello AdamBudzinskiAZA-0329,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.

1 answer

Your answer

Vahid Ghafarpour 23,200 Reputation points

2025-04-19T02:38:20.4633333+00:00

Unfortunately, Azure Logic Apps does not support direct patching of workflow properties, including disabling SAS authentication through an API call.

If you need to automate this, modify the ARM template and redeploy the Logic App with the sasAuthenticationPolicy set to "Disabled".
Shireesha Eeraboina 2,815 Reputation points Microsoft External Staff

2025-04-21T05:56:27.79+00:00

Hello AdamBudzinskiAZA-0329,

Following up to see if you had a chance to review the information provided above to Vahid Ghafarpour and Suwarna S Kale . If you have any further updates on this issue, please feel free to share them here.
Shireesha Eeraboina 2,815 Reputation points Microsoft External Staff

2025-04-22T04:18:29.38+00:00

Hello AdamBudzinskiAZA-0329,

Could you confirm if you are still experiencing the issue?
Shireesha Eeraboina 2,815 Reputation points Microsoft External Staff

2025-04-24T03:59:17.1633333+00:00

Hello AdamBudzinskiAZA-0329,

Just checking in to see if the above information provided by Suwarna S Kale helped.

if you have any further query do let us know.
Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-04-25T21:04:34.45+00:00

Hello AdamBudzinskiAZA-0329,

Could you please check private message and share me the requested to proceed further.
Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-04-28T18:43:30.83+00:00

Hello AdamBudzinskiAZA-0329,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
AdamBudziski-8216 21 Reputation points

2025-04-30T07:04:20.13+00:00

@Praveen Kumar Gudipudi H, I don't see any private message from you.

Thanks,

Adam
Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-04-30T16:24:43.3733333+00:00

Hello AdamBudzinskiAZA-0329,

Could you please share me Http request trigger raw out.

That would help me to check whether you received token or not. According to that we can write a trigger condition.
Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-05-02T19:43:51.41+00:00

Hello AdamBudzinskiAZA-0329,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.

Answer 1

Hello AdamBudzinskiAZA-0329,

Thank you for posting your question in the Microsoft Q&A forum.

The error occurs because Azure Logic Apps do not support direct PATCH operations on workflow properties. Instead, you must update the entire Logic App definition via an ARM template or PUT request. To disable SAS tokens:

Export your Logic App’s JSON definition (via Azure Portal or GET API call).
Add/modify the sasAuthenticationPolicy property under accessControl.triggers as shown in your example.
Redeploy the updated JSON using an ARM template deployment or PUT request to the Logic App’s resource endpoint.

Key Notes:

Use PUT (not PATCH) to overwrite the entire definition.
Validate the JSON structure to avoid syntax errors.
Consider Azure Policy or DevOps pipelines for automated enforcement.

If the above answer helped, please do not forget to "Accept Answer" as this may help other community members to refer the info if facing a similar issue. Your contribution to the Microsoft Q&A community is highly appreciated.

Share via

sasAuthenticationPolicy JSON object disable in Logic App

1 answer

Your answer