How to retrieve the trigger URL for an Azure Logic App programmatically via a service principal

A customer asked me how to get the trigger URL (including SAS token) that is displayed in the Azure portal programmatically via a service principal.

Here are the steps:

  • Set up a service principal in Azure AD
  • Grant the service principal access to your Azure Logic App
  • Retrieve an AAD bearer token
  • Call the Azure REST API to get the trigger URL

Changes for Azure Government

Note that the steps below are for Azure Commercial. If you are using Azure Government, you will need to substitute the following values since there are different endpoints & scopes in Azure Government.

                  Commercial                               Government
Token endpoint    https://login.microsoftonline.com        https://login.microsoftonline.us
Scope             https://management.azure.com/.default    https://management.usgovcloudapi.net/.default
Azure REST API    https://management.azure.com             https://management.usgovcloudapi.net

Set up a service principal in Azure AD

Follow the steps at the link below to create an App Registration/Service Principal in AAD.

Quickstart: Register an app in the Microsoft identity platform – Microsoft Entra | Microsoft Learn

Additionally, you will need to grant your service principal the Azure Service Management user_impersonation API permission so it can call the Azure REST API.

Make sure to copy the client_id, client_secret, & redirect_uri to retrieve an access token in the next step.

Make sure to copy the “token endpoint” to retrieve an access token in the next step.

Grant the service principal access to your Azure Logic App

You will need to grant your service principal Contributor access to your Logic App (or a scope above that, like the Resource Group).

Retrieve an AAD bearer token

In this example, we will use the client credentials flow to retrieve a valid Bearer token (since this will be run via a service principal).

We will need to provide the client_id, client_secret, scope & redirect_uri specified in the AAD App Registration. The scope needs to be https://management.azure.com/.default.

PowerShell
curl -X POST https://login.microsoftonline.com/4abfaf16-9535-4531-85a9-c85268607bae/oauth2/v2.0/token -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=72efcdea-2159-41eb-9801-2f66ce3fa36c&client_secret=E6p8Q~YMxgoEh...7d5UjdXbfU&scope=https%3A%2F%2Fmanagement.azure.com%2F.default&grant_type=client_credentials&redirect_uri=http%3A%2F%2Flocalhost"

Our Bearer token is contained in the access_token field.

JSON
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz...YwLu_Ys4Oxmgcg"}

If this were an interactive application, we would use the Authorization Code flow instead, with a scope of https://management.azure.com/user_impersonation.

Call the Azure REST API to get the trigger URL

The specific REST API call we want is the “list-callback-url”.

https://learn.microsoft.com/en-us/rest/api/logic/workflow-versions/list-callback-url?tabs=HTTP

We need to specify the Azure resource ID of our logic app (/subscriptions/cfa014c2-6565-444f-8241-b3edd39a2a44/resourceGroups/rg-daprtest-ussc-dev/providers/Microsoft.Logic/workflows/logic-smtp-daprTest-ussc-dev). We will also need to provide the Bearer token retrieved in the previous step.

PowerShell
curl -X POST https://management.azure.com/subscriptions/cfa014c2-6565-444f-8241-b3edd39a2a44/resourceGroups/rg-daprtest-ussc-dev/providers/Microsoft.Logic/workflows/logic-smtp-daprTest-ussc-dev/triggers/manual/listCallbackUrl?api-version=2016-10-01 -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLC...7VhDIqmGxgM6HzFY4Imu0awjsJBeBQQ" -H "Content-Length: 0"

Here is the result, with the trigger URL as the value.

JSON
{
  "value": "https://prod-35.eastus.logic.azure.com:443/workflows/9f1f6e2b8a6548daadaafa3f0029afeb/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=dwEnfZ_...wPbkyFMWeJywg",
  "method": "POST",
  "basePath": "https://prod-35.eastus.logic.azure.com/workflows/9f1f6e2b8a6548daadaafa3f0029afeb/triggers/manual/paths/invoke",
  "queries": {
    "api-version": "2016-10-01",
    "sp": "/triggers/manual/run",
    "sv": "1.0",
    "sig": "dwEnfZ_b0y1tW8A...kyFMWeJywg"
  }
}

The same technique can be used to query any other Azure REST API.
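The two calls above combined into one script, as an added example that is not part of the original post: it picks the Commercial or Government endpoints from the table, reads the credentials from environment variables, and masks the sig value before printing, since the returned URL works as a credential on its own. The function names and environment variable names are assumptions made for this example.

```python
import json
import os
import urllib.parse
import urllib.request

# Endpoints per cloud, from the Commercial/Government table on this page.
CLOUDS = {
    "commercial": {"login": "https://login.microsoftonline.com",
                   "arm": "https://management.azure.com"},
    "government": {"login": "https://login.microsoftonline.us",
                   "arm": "https://management.usgovcloudapi.net"},
}

def token_request(cloud, tenant_id, client_id, client_secret):
    """Build the client credentials token request: (url, form body)."""
    c = CLOUDS[cloud]
    body = urllib.parse.urlencode({  # redirect_uri is not needed for this grant
        "client_id": client_id, "client_secret": client_secret,
        "scope": f"{c['arm']}/.default", "grant_type": "client_credentials"})
    return f"{c['login']}/{tenant_id}/oauth2/v2.0/token", body.encode()

def callback_request(cloud, workflow_id, token, trigger="manual"):
    """Build the listCallbackUrl POST for a Logic App resource ID."""
    url = (f"{CLOUDS[cloud]['arm']}{workflow_id}/triggers/{trigger}"
           "/listCallbackUrl?api-version=2016-10-01")
    return urllib.request.Request(url, data=b"", method="POST",
                                  headers={"Authorization": f"Bearer {token}"})

def redact_sig(trigger_url):
    """Mask the SAS signature so the URL can be logged."""
    parts = urllib.parse.urlsplit(trigger_url)
    query = [(k, "REDACTED" if k == "sig" else v)
             for k, v in urllib.parse.parse_qsl(parts.query, keep_blank_values=True)]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))

def get_trigger_url(cloud, tenant_id, client_id, client_secret, workflow_id):
    """Run both calls; the returned URL embeds the SAS sig, so treat it as a secret."""
    url, body = token_request(cloud, tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    with urllib.request.urlopen(callback_request(cloud, workflow_id, token)) as resp:
        return json.load(resp)["value"]

if __name__ == "__main__":
    # Assumed environment variable names; keeps the secret off the command line.
    names = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "LOGIC_APP_RESOURCE_ID")
    trigger = get_trigger_url(os.environ.get("AZURE_CLOUD", "commercial"), *(os.environ[n] for n in names))
    print(redact_sig(trigger))
```

LOGIC_APP_RESOURCE_ID is the full resource ID starting with /subscriptions/, in the same form as the one shown above.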
