Why Does My Logic App's SQL Connection Break When Deployed via DevOps pipelines using Service Principal?

Buchammagarivikram Reddy 45 Reputation points
2025-07-30T14:57:48.7666667+00:00

We've been troubleshooting a deployment issue and could use some guidance from the community.

After extensive trial and error, we've confirmed that there's no problem with the Logic App ARM template itself. When deploying the Logic App manually using individual user accounts, the SQL Server connection (using SQL authentication) works as expected. However, when deploying the same Logic App via automated Azure DevOps pipelines using a service principal (App Registration), the Logic App deploys successfully—but the SQL Server connection breaks.

Interestingly, if we manually re-authenticate the SQL connection in the Azure Portal using the same credentials, the connection works again—until the next pipeline deployment, at which point it breaks again.

We've verified that both the service principal and our individual accounts have identical roles and permissions on the data gateway. This leads us to suspect that the issue might be related to missing API permissions on the service principal in Microsoft Entra ID.

Could there be specific API permissions required for the service principal to establish or maintain the SQL Server connection during deployment? We're struggling to identify the root cause, and any insights or suggestions would be greatly appreciated.


1 answer

  1. Anurag Rohikar 205 Reputation points Microsoft External Staff Moderator
    2025-08-06T17:34:46.18+00:00

    Hello Buchammagarivikram Reddy, thanks for reaching out on Microsoft Q&A, and I really appreciate your patience while we looked into this.
    The core of the issue is that a service principal (SPN), while it can deploy resources, often lacks the specific, underlying API permissions to "handshake" and authorize certain connectors, like the SQL connector, on its own. When you re-authenticate manually, your user account possesses the necessary delegated permissions, temporarily fixing the connection until the next deployment overwrites it.
    Recommended Solutions:

    1. Best Practice: Switch to Managed Identity for SQL Authentication

    This is the recommended approach for any Azure-to-Azure authentication. A managed identity is a special type of service principal that Azure manages automatically, eliminating the need to handle credentials.

    • Action: Enable a System-Assigned Managed Identity for your Logic App.
    • Permissions: Grant this managed identity the appropriate permissions on your SQL Server database (e.g., as an Azure AD user in the database).
    • Result: The Logic App will now use its managed identity to authenticate, and the connection will not break on subsequent deployments.

    For guidance, please refer to the Microsoft documentation on Using a Managed Identity with Azure SQL.

    2. Manual Automation: Re-authorize the API Connection Post-Deployment

    If you cannot use a managed identity, you can add a step to your deployment pipeline to explicitly re-authorize the connection after the Logic App has been deployed.

    • Action: Add a step to your pipeline that uses either the Azure CLI or a REST API call to "patch" the Microsoft.Web/connections resource. This step will pass the SQL credentials securely, re-authenticating the connection.
    • Example Command: You would use a command similar to az resource update --ids <connection-id> --set properties.parameterValues.
    • Result: The connection is authenticated programmatically, and the Logic App works immediately after deployment.

    The documentation on Authorizing API Connections via ARM provides the necessary details for this approach.

    3. Assign Required API Permissions to the Service Principal

    This solution directly addresses the root cause of the permission issue. You can manually grant the service principal the permissions it needs.

    • Action: In the Microsoft Entra admin center, navigate to your App Registration and add the following API permissions to Microsoft Graph or the specific connector's API:
      • APIConnectors.ReadWrite.All
      • APIConnectors.Read.All
    • Important: An administrator must grant admin consent for these permissions.
    • Result: The service principal can now manage and authorize the connection during deployment, preventing the manual re-authentication loop.

    You can find more information on these permissions in the Microsoft Entra built-in roles.

    4. Use ARM Template Deployment Scripts

    This is a powerful method that embeds the re-authentication logic directly into your ARM deployment.

    • Action: Add a Microsoft.Resources/deploymentScripts resource to your ARM template. This script can contain the Azure CLI or PowerShell commands to re-authenticate the connection.
    • Result: The authentication step becomes an atomic part of your deployment, ensuring the connection is always valid after a successful deployment.

    For further reading on this approach, see the Microsoft documentation on Deployment Scripts in ARM.

    Please feel free to share an update at your convenience or let me know if any further clarification or support would be helpful. Thank You!

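The post-deployment re-authorization step described in the answer, as an added example that is not the answerer's or Microsoft's code: a bash pipeline step that patches the Microsoft.Web/connections resource with the SQL credentials from secret variables and then checks that the connection reports Connected. The parameter names authType/username/password, the properties.statuses[0].status field and the AZ override hook are assumptions.

```bash
#!/usr/bin/env bash
# Pipeline step: re-authorize a Logic App SQL API connection after the ARM
# deployment has run. Added example for this thread, not Microsoft's code.
# Assumptions: the connection is a Microsoft.Web/connections resource whose
# SQL-auth parameters are named authType/username/password, and the
# connection reports health in properties.statuses[0].status.
set -euo pipefail

# The CLI to invoke. Overridable so the logic can be exercised without a
# real Azure session (a stub function can stand in for az).
AZ="${AZ:-az}"

# Push SQL credentials into the connection's parameterValues. Credentials come
# from pipeline secret variables (masked in logs); nothing is hard-coded here.
# Only the credential fields are set; server/database/gateway stay as the
# ARM template deployed them.
reauthorize_connection() {
  local connection_id="$1" username="$2" password="$3"
  "$AZ" resource update --ids "$connection_id" \
    --set "properties.parameterValues.authType=basic" \
          "properties.parameterValues.username=${username}" \
          "properties.parameterValues.password=${password}" \
    --output none
}

# Read back the connection status so the pipeline fails loudly if the
# re-authorization did not take, instead of the Logic App failing at first run.
verify_connection_status() {
  local connection_id="$1" status
  status="$("$AZ" resource show --ids "$connection_id" \
    --query 'properties.statuses[0].status' --output tsv)"
  [ "$status" = "Connected" ]
}

# Entry point for the pipeline step; skipped when CONNECTION_ID is not set so
# the functions can also be sourced on their own.
if [ -n "${CONNECTION_ID:-}" ]; then
  reauthorize_connection "$CONNECTION_ID" "${SQL_USERNAME:?}" "${SQL_PASSWORD:?}"
  verify_connection_status "$CONNECTION_ID"
  echo "Connection re-authorized: $CONNECTION_ID"
fi
```

Run it as a Bash task after the ARM deployment task, with CONNECTION_ID set to the full resource id of the connection and SQL_USERNAME/SQL_PASSWORD mapped from pipeline secret variables.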
