Skip to content

Azure Logic App Token

Service Name: Microsoft Azure Logic Apps

Service Description: Azure Logic Apps is a cloud service that helps you schedule, automate, and orchestrate tasks, business processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations.

Service Address: https://azure.microsoft.com/en-us/services/logic-apps/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the Logic App level using Azure networking features and access control policies.

Secret Access Scope: Grants access to trigger or manage specific Logic App workflows and their connected services.

Secret Revokement URL: https://portal.azure.com/ (Navigate to the specific Logic App > Access control > Shared Access Signatures)

Secret Example: SharedAccessSignature sr=https%3A%2F%2Flogicapp.azure.com%2Fworkflows%2F12345&sig=abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH%3D&se=1672531199&sp=rwl

Suspicious Activity Investigation Instructions:

  • Review Azure Activity Logs for unusual Logic App executions or modifications
  • Check for unexpected workflow triggers or runs in the Logic App run history
  • Monitor for unauthorized connections to external services or APIs
  • Examine IP addresses that accessed the Logic App in Azure diagnostic logs
  • Look for changes to Logic App workflow definitions or connections

Mitigation Instructions:

  • Navigate to the Azure Portal and locate the affected Logic App
  • Go to the Logic App's "Shared Access Signatures" section
  • Revoke the compromised SAS token by regenerating new keys
  • Update any legitimate applications using the old token with the new one
  • Consider implementing more restrictive IP filtering for Logic App access
  • Enable Azure Defender for additional security monitoring
  • Review and minimize the permissions assigned to the Logic App's managed identity.
  • Implement Azure RBAC (Role-Based Access Control) with the Principle of Least Privilege.