How-to: Call SharePoint REST API with application permissions from Azure Logic App with Azure Key Vault and Managed Identity

If you need to interact with the SharePoint API from Power Automate or Logic Apps, you would most likely select the SharePoint connector, which uses a user identity for authentication. However, it's also possible to connect to the SharePoint REST API with application permissions and certificate authentication. It's fairly easy if you have an Azure Key Vault.

Here are the steps needed.

1. Configure Key Vault and an app registration for SharePoint API access.

I described these steps in the previous article, "Simplify secret keys management for M365 applications with Azure Key Vault and Azure Managed Identity". Just follow its first two sections, "Configure Key Vault" and "Configure an app registration for SharePoint API access", if you don't have them configured.

2. Create a Logic App. 

I use Logic Apps because in Power Automate both the HTTP and Azure Key Vault connectors are premium. If you have a license, you can use Power Automate; the only difference is that for the Key Vault connection you will use credentials authentication and not a Managed Identity.

At a bare minimum, you need only two actions to reach SharePoint API. 

Add an action to get a private key (pfx)

Select the Key Vault connector, select the "Get Secret" action, and for authentication select "Connect with Managed Identity". This option is currently in preview; if you would rather not use a preview feature, read further for an alternative method.

Give the connection a name and provide a vault name (in my case it will be "sp-keys"). Then select a secret in the dropdown. Its name should be the same as your certificate's name. In my case, it's "sp-auth".

Add a SharePoint REST API action

For the SharePoint REST API we're going to use a regular HTTP connector. Add a GET request configured as below:

where

  • Tenant is your Tenant Id from the first step
  • Audience is your SharePoint root URL
  • Client Id is your Client Id from the first step
  • Pfx is the value from the Key Vault step
  • Password should be empty (despite the "required" indication)

Just run it and you should receive web information from the REST API.

How to configure without Key Vault preview features

In this case, you can either use Sign in authentication, or use the HTTP connector with a Managed Identity to get the secret manually.

Simply add an HTTP call action configured as below:

Take note of the Authentication node and the URI. This URI is from the certificate's "Key Identifier" property.

Store it inside a variable:

And use it in the SharePoint REST API action:
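For reference, here is how the two HTTP actions could look in the Logic App's code view. This is an added example, not taken from the original article: the action names, the `description` notes, the Key Vault URI form with `api-version=7.4`, the `Accept` header and the `<...>` placeholders are assumptions. It reads the secret straight from the first action's output instead of a variable, and marks that output as secure.

```json
{
  "actions": {
    "Get_pfx_from_Key_Vault": {
      "type": "Http",
      "description": "Assumed action name. Vault 'sp-keys' and secret 'sp-auth' are the names used in this article.",
      "inputs": {
        "method": "GET",
        "uri": "https://sp-keys.vault.azure.net/secrets/sp-auth?api-version=7.4",
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "https://vault.azure.net"
        }
      },
      "runAfter": {},
      "runtimeConfiguration": {
        "secureData": { "properties": [ "outputs" ] }
      }
    },
    "Call_SharePoint_REST_API": {
      "type": "Http",
      "description": "Assumed action name. Replace the <...> placeholders with the values from the first step.",
      "inputs": {
        "method": "GET",
        "uri": "https://<tenant-name>.sharepoint.com/_api/web",
        "headers": { "Accept": "application/json;odata=nometadata" },
        "authentication": {
          "type": "ActiveDirectoryOAuth",
          "tenant": "<tenant-id>",
          "audience": "https://<tenant-name>.sharepoint.com",
          "clientId": "<client-id>",
          "pfx": "@{body('Get_pfx_from_Key_Vault')?['value']}",
          "password": ""
        }
      },
      "runAfter": { "Get_pfx_from_Key_Vault": [ "Succeeded" ] },
      "runtimeConfiguration": {
        "secureData": { "properties": [ "inputs" ] }
      }
    }
  }
}
```

The `secureData` settings keep the exported private key out of the run history, which is otherwise readable by anyone with access to the Logic App's runs.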

Basically, this is it! We configured SharePoint REST API calls with application permissions and certificate authentication.
