Logic App connector for Key Vault using Managed Identity

Connectors provide quick access from Azure Logic Apps to events, data, and actions across other apps, services, systems, protocols, and platforms. One of the frequently used connectors is the Azure Key Vault connector.

Before the Azure Key Vault connector supported Managed Identity, using the Logic App’s identity to access the Key Vault required the HTTP action. Today, when you create a Key Vault connection, you can choose “Connect with managed identity”.

If you deploy your Logic Apps with automation, the documentation offers no information on how to do the same thing with an ARM template. Use the following ARM snippet to create a connection to the Key Vault using Managed Identity:

    {
        "type": "Microsoft.Web/connections",
        "apiVersion": "2016-06-01",
        "name": "keyvault",
        "location": "[parameters('location')]",
        "kind": "V1",
        "properties": {
            "displayName": "[parameters('keyVaultName')]",
            "parameterValueType": "Alternative",
            "alternativeParameterValues": {
                "vaultName": "[parameters('keyVaultName')]"
            },
            "customParameterValues": {},
            "api": {
                "id": "[subscriptionResourceId('Microsoft.Web/locations/managedApis', parameters('location'), 'keyvault')]"
            }
        }
    }

In the Logic App definition, the connection entry needs to include the ManagedServiceIdentity authentication:

    "$connections": {
        "value": {
            "keyvault": {
                "connectionId": "[resourceId('Microsoft.Web/connections', 'keyvault')]",
                "connectionName": "keyvault",
                "connectionProperties": {
                    "authentication": {
                        "type": "ManagedServiceIdentity"
                    }
                },
                "id": "[subscriptionResourceId('Microsoft.Web/locations/managedApis', parameters('location'), 'keyvault')]"
            }
        }
    }
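
A pre-deployment check for the two snippets above, as an added example that is not part of the original post: it flags a template in which the Key Vault connection or the workflow's `$connections` entry is missing its managed identity half. The function names, the sample template, the `demo-logicapp` name and the check that the workflow declares an `identity` block are assumptions made for illustration.

```python
KV_API_ID = ("[subscriptionResourceId('Microsoft.Web/locations/managedApis', "
             "parameters('location'), 'keyvault')]")

def _is_keyvault_api(api_id):
    s = api_id.lower() if isinstance(api_id, str) else ""
    return "managedapis" in s and "keyvault" in s

def check_template(template):
    """Return findings; an empty list means both managed identity halves are present."""
    findings = []
    for res in template.get("resources", []):
        rtype, name = res.get("type", ""), res.get("name", "?")
        props = res.get("properties", {})
        if rtype == "Microsoft.Web/connections":
            # Connection resource: the page's snippet sets parameterValueType to "Alternative".
            if (_is_keyvault_api(props.get("api", {}).get("id"))
                    and props.get("parameterValueType") != "Alternative"):
                findings.append(f"{name}: connection is not parameterValueType 'Alternative'")
        elif rtype == "Microsoft.Logic/workflows":
            # Assumption beyond the page: the workflow must declare an identity block.
            if res.get("identity", {}).get("type", "None") == "None":
                findings.append(f"{name}: workflow has no managed identity enabled")
            conns = props.get("parameters", {}).get("$connections", {}).get("value", {})
            if not isinstance(conns, dict):
                continue  # value supplied as an ARM expression; nothing to inspect
            for key, conn in conns.items():
                auth = conn.get("connectionProperties", {}).get("authentication", {})
                if _is_keyvault_api(conn.get("id")) and auth.get("type") != "ManagedServiceIdentity":
                    findings.append(f"{name}: $connections.{key} lacks ManagedServiceIdentity authentication")
    return findings

def sample_template(with_auth=True, with_identity=True):
    """Constructed sample template built from the page's two snippets."""
    conn = {"connectionId": "[resourceId('Microsoft.Web/connections', 'keyvault')]",
            "connectionName": "keyvault", "id": KV_API_ID}
    if with_auth:
        conn["connectionProperties"] = {"authentication": {"type": "ManagedServiceIdentity"}}
    workflow = {"type": "Microsoft.Logic/workflows", "name": "demo-logicapp",  # hypothetical name
                "properties": {"parameters": {"$connections": {"value": {"keyvault": conn}}}}}
    if with_identity:
        workflow["identity"] = {"type": "SystemAssigned"}
    connection = {"type": "Microsoft.Web/connections", "name": "keyvault",
                  "properties": {"parameterValueType": "Alternative", "api": {"id": KV_API_ID}}}
    return {"resources": [connection, workflow]}

if __name__ == "__main__":
    for label, tpl in (("no auth block", sample_template(with_auth=False)), ("complete", sample_template())):
        print(label, "->", check_template(tpl) or "OK")
```

Load a real template with `json.load` and pass the resulting dictionary to `check_template`; the check only inspects top-level resources.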