
Configuring a new service connection to Office 365 from the "Send email via Office 365 Outlook" connector in Logic Apps fails on Save with the following error:

Failing to save logic app . The client has permission to perform action 'Microsoft/.Logic/workflows/write' on scope , however, it does not have permission to perform action 'join/action' on the linked scope '/providers/microsoft.web/connections/office365'.

If I am asking for the permission for the second part, what role is that? It seems to be something in Office 365.

Nitin Rastogi

1 Answer


When you use the Office 365 connector in the logic app (signing in with your user account to authenticate successfully), it creates an Office 365 API connection (i.e. the microsoft.web/connections/office365 mentioned in the error) in your resource group.


So to solve the issue, you also need permission at the resource group/subscription level, not only at the logic app level. Navigate to the resource group/subscription where the logic app is located -> Access control (IAM) -> add an RBAC role, e.g. Contributor, like below.


Update:

For the specific error in your question, the least permission is Microsoft.Web/connections/Join/Action, no doubt, but if you want to get your work done successfully, the permission I recommend is Microsoft.Web/connections/*. It is small enough, and it includes the permissions below (source).


Of course, you can use only Microsoft.Web/connections/Join/Action, but it may raise another permission error, and then you need to fix that again; it all depends on your requirements.

To create the custom role, follow this doc; in step 6, use the JSON below.

{
    "properties": {
        "roleName": "LogicAPIConnRole",
        "description": "test",
        "assignableScopes": [
            "/subscriptions/xxxxx"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Web/connections/*"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

After the creation, assign the role at the Office 365 API connection scope, and it will work fine.

Joy Wang

  • That gives too many permissions. I ended up doing a very similar activity within the API connections of the Logic Apps, and I gave "Logic Apps Contributor" only. – Nitin Rastogi May 13 '21 at 15:19
  • @NitinRastogi Well, you didn't say you wanted the least privilege in your question; Contributor is just a normal role we use more often. If you want the least privilege, Logic Apps Contributor is also not the choice; you need to create a custom RBAC role that only includes the join/action permission mentioned in the error message, https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles – Joy Wang May 13 '21 at 15:42
  • Joy, could you please update the answer to include the minimal permissions, and I will mark it as the answer. Also, I couldn't find the exact RBAC permission I should have picked for the custom RBAC. I wanted to assign that but left it as minimal as I could. – Nitin Rastogi May 13 '21 at 21:15
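The same least-privilege setup the accepted answer describes, carried out end to end with Az PowerShell instead of the portal, as an added example that is not part of the original answer. It first lists what Microsoft.Web/connections/* actually grants, then creates the custom role and assigns it only at the API connection's own scope. Note that New-AzRoleDefinition takes the flat role-definition format (Name, IsCustom, Actions, AssignableScopes), not the "properties"-wrapped JSON used in the portal's step 6. The subscription id, resource group name, connection name and principal object id are placeholders you must replace.

```powershell
# Added example: least-privilege custom role for Logic Apps API connections (Az PowerShell).
# All identifiers below are placeholders, not values from the original question or answer.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder subscription id
$resourceGroup  = 'rg-logicapps'                            # placeholder resource group
$connectionName = 'office365'                               # name of the API connection the connector created
$principalId    = '11111111-1111-1111-1111-111111111111'    # placeholder object id of the user/group/service principal

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. Review what the wildcard actually grants before handing it out; compare against
#    the single action named in the error, Microsoft.Web/connections/Join/Action.
Get-AzProviderOperation 'Microsoft.Web/connections/*' |
    Select-Object Operation, Description |
    Format-Table -AutoSize

# 2. Define the custom role. Switch Actions to @('Microsoft.Web/connections/Join/Action')
#    if you only want to clear the exact error and accept that other operations may fail later.
$roleDefinition = [PSCustomObject]@{
    Name             = 'LogicAPIConnRole'
    IsCustom         = $true
    Description      = 'Join/manage API connections used by Logic Apps'
    Actions          = @('Microsoft.Web/connections/*')
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @("/subscriptions/$subscriptionId")
}
$roleFile = Join-Path $env:TEMP 'LogicAPIConnRole.json'
$roleDefinition | ConvertTo-Json -Depth 5 | Set-Content -Path $roleFile -Encoding UTF8
New-AzRoleDefinition -InputFile $roleFile

# 3. Locate the API connection resource and assign the role at that scope only,
#    rather than at the resource group or subscription.
$connection = Get-AzResource -ResourceGroupName $resourceGroup `
                             -ResourceType 'Microsoft.Web/connections' `
                             -Name $connectionName
New-AzRoleAssignment -ObjectId $principalId `
                     -RoleDefinitionName 'LogicAPIConnRole' `
                     -Scope $connection.ResourceId

# 4. Verify that the principal holds exactly this role on exactly this scope.
Get-AzRoleAssignment -ObjectId $principalId -Scope $connection.ResourceId |
    Select-Object RoleDefinitionName, Scope
```

Role definitions can take a minute or two to propagate, so a retry of the logic app Save immediately after the assignment may still show the original error.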