Dataverse Trigger in Logic App Standard (ASE) Not Working

Question

Dataverse Trigger in Logic App Standard (ASE) Not Working

Amit Anand 60

Hi There,

I am currently working with Azure Logic App Standard hosted inside an App Service Environment (ASE) integrated with a Virtual Network (VNet). The goal is to use the out-of-the-box Dataverse trigger — specifically:

“When a row is added, modified or deleted”

This trigger is configured to work with a Dynamics 365 Customer Engagement (D365 CE) / Dataverse instance.

Current Setup:

Logic App Standard is hosted in an ASE v3
The ASE subnet is behind an NSG that has Inbound and Outbound rules for managing traffic in / out of the Virtual Network (VNet)
The Logic App has:
- A workflow which has Dataverse trigger configured correctly

What works well

The connection to the CRM instance works well and I am able to see the available environments and entities as well.

What's not working

The workflow trigger fails and in the trigger history, it throws a BadRequest error.

Below is the Logic App Workflow Code

  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "actions": {
      "Initialize_variables": {
        "type": "InitializeVariable",
        "inputs": {
          "variables": [
            {
              "name": "RequestBody",
              "type": "object",
              "value": "@{triggerBody()}"
            }
          ]
        },
        "runAfter": {}
      }
    },
    "contentVersion": "1.0.0.0",
    "outputs": {},
    "triggers": {
      "When_a_row_is_added,_modified_or_deleted": {
        "type": "ApiConnectionWebhook",
        "inputs": {
          "host": {
            "connection": {
              "referenceName": "commondataservice"
            }
          },
          "body": {
            "entityname": "Replaced-Entity-Name",
            "message": 7,
            "scope": 2,
            "version": 1,
            "url": "@listCallbackUrl()"
          },
          "headers": {
            "organization": "Organization-CRM-URI",
            "Consistency": "Strong",
            "catalog": "all",
            "category": "all"
          },
          "path": "/api/data/v9.1/callbackregistrations"
        }
      }
    }
  },
  "kind": "Stateful"
}

Below is the error in Trigger history

{
  "type": "MsPortalFx.Errors.AjaxError",
  "baseTypes": [
    "MsPortalFx.Errors.AjaxError",
    "MsPortalFx.Errors.Error"
  ],
  "data": {
    "uri": "Logic-App-Workflow-Trigger-URI",
    "type": "GET",
    "pathAndQuery": "",
    "failureCause": "",
    "status": 0,
    "statusText": "error",
    "duration": 257.90000000596046
  },
  "extension": "Microsoft_Azure_EMA",
  "errorLevel": 0,
  "timestamp": 546108.5,
  "name": "AjaxError",
  "innerErrors": [],
  "textStatus": "error",
  "errorThrown": "",
  "jqXHR": {
    "readyState": 0,
    "status": 0,
    "statusText": "error"
  }
}

My understanding (correct me if I am wrong)

Based on my understanding, this is because Dataverse (as a Microsoft-managed SaaS) cannot reach the webhook endpoint of the Logic App since it resides in a restricted subnet behind NSG rules.What I'm Trying to Achieve:

I want to open only the minimum required IP ranges in the NSG and Logic App inbound settings so that the Dataverse webhook registration and invocation succeed but still keeping my Logic App within the App Service Environment (ASE).

Where I'm Stuck

I’ve gone through the Azure IP Ranges and Service Tags JSON file, of MS Azure, but I can’t confidently identify which IP address blocks Dataverse webhook traffic originates from in the West Europe region.

Request for Help:

Is there a recommended practice for securely enabling this in the Logic App while still keeping the Logic App within ASE?
Are there any specific IP / IP ranges that I need to whitelist in NSG and Inbound Addresses for:
- Logic App Standard (in ASE) to receive Dataverse trigger webhooks
- Region: West Europe
Are there any up-to-date references or service tags that definitively represent Dataverse webhook traffic origin IPs?

Thank you for your time and consideration.

Ranashekar Guda 1,360 Reputation points Microsoft External Staff Moderator

2025-05-09T23:01:09.2766667+00:00

Hello @Amit Anand,
To enable the Dataverse trigger in your Logic App Standard hosted within an App Service Environment (ASE) to work correctly with the Dynamics 365 Customer Engagement (D365 CE) / Dataverse instance, you need to ensure that the necessary IP addresses are whitelisted in the NSG and Inbound Addresses.

Here are the steps you can follow:

1.Recommended Practice: To securely enable the Dataverse webhook traffic while keeping the Logic App within ASE, you should whitelist the specific IP ranges that Dataverse uses to send webhook requests.

2.Whitelisting IP Ranges: For Logic App Standard in ASE to receive Dataverse trigger webhooks in the West Europe region, you need to whitelist the IP ranges that Dataverse uses to send requests.

3.Identifying IP Ranges: To identify the specific IP ranges for Dataverse webhook traffic in the West Europe region, you can refer to the Azure IP Ranges and Service Tags JSON file provided by Microsoft Azure. However, it's essential to accurately identify the IP addresses that Dataverse uses for webhook requests.

4.Up-to-Date References: Ensure that you have the most up-to-date references or service tags that represent the IP addresses used by Dataverse for webhook traffic. This will help you whitelist the correct IP ranges and ensure that the webhook registration and invocation from Dataverse succeed.

Kindly refer below links:

Limits and configuration reference for Azure Logic Apps

Secure access and data for workflows in Azure Logic Apps

By following these steps and accurately identifying the IP ranges used by Dataverse for webhook traffic, you can configure the NSG and Inbound Addresses to allow the necessary traffic for the Dataverse trigger in your Logic App Standard hosted within the ASE.

Your answer

Ranashekar Guda 1,360 Reputation points Microsoft External Staff Moderator

2025-05-09T23:01:09.2766667+00:00

Hello @Amit Anand,
To enable the Dataverse trigger in your Logic App Standard hosted within an App Service Environment (ASE) to work correctly with the Dynamics 365 Customer Engagement (D365 CE) / Dataverse instance, you need to ensure that the necessary IP addresses are whitelisted in the NSG and Inbound Addresses.

Here are the steps you can follow:

1.Recommended Practice: To securely enable the Dataverse webhook traffic while keeping the Logic App within ASE, you should whitelist the specific IP ranges that Dataverse uses to send webhook requests.

2.Whitelisting IP Ranges: For Logic App Standard in ASE to receive Dataverse trigger webhooks in the West Europe region, you need to whitelist the IP ranges that Dataverse uses to send requests.

3.Identifying IP Ranges: To identify the specific IP ranges for Dataverse webhook traffic in the West Europe region, you can refer to the Azure IP Ranges and Service Tags JSON file provided by Microsoft Azure. However, it's essential to accurately identify the IP addresses that Dataverse uses for webhook requests.

4.Up-to-Date References: Ensure that you have the most up-to-date references or service tags that represent the IP addresses used by Dataverse for webhook traffic. This will help you whitelist the correct IP ranges and ensure that the webhook registration and invocation from Dataverse succeed.

Kindly refer below links:

Limits and configuration reference for Azure Logic Apps

Secure access and data for workflows in Azure Logic Apps

By following these steps and accurately identifying the IP ranges used by Dataverse for webhook traffic, you can configure the NSG and Inbound Addresses to allow the necessary traffic for the Dataverse trigger in your Logic App Standard hosted within the ASE.

Share via

Dataverse Trigger in Logic App Standard (ASE) Not Working

Your answer