Basic Authentication transmits a username and password with every request. In Azure Logic Apps, using Basic auth for HTTP actions and API connections is insecure because credentials are long-lived, difficult to rotate, and stored in the workflow definition.

Why is this an issue?

Using Basic or Raw authentication in Azure Logic Apps HTTP actions introduces several risks:

What is the potential impact?

If credentials are compromised, an attacker can reuse them to access the target service indefinitely. There is no built-in mechanism to detect or revoke the compromised credentials centrally.

How to fix it in JSON templates

Replace Basic or Raw authentication with ManagedServiceIdentity or ActiveDirectoryOAuth in the action’s inputs.authentication block.

Code examples

Noncompliant code example

{
  "type": "Microsoft.Logic/workflows",
  "apiVersion": "2019-05-01",
  "name": "basic-auth-workflow",
  "location": "[resourceGroup().location]",
  "properties": {
    "definition": {
      "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
      "actions": {
        "Call_API": {
          "type": "Http",
          "inputs": {
            "method": "GET",
            "uri": "https://api.example.com/data",
            "authentication": {
              "type": "Basic",
              "username": "apiuser",
              "password": "P@ssw0rd!"
            }
          }
        }
      },
      "triggers": {}
    }
  }
}

Compliant solution

{
  "type": "Microsoft.Logic/workflows",
  "apiVersion": "2019-05-01",
  "name": "managed-identity-workflow",
  "location": "[resourceGroup().location]",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "definition": {
      "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
      "actions": {
        "Call_API": {
          "type": "Http",
          "inputs": {
            "method": "GET",
            "uri": "https://api.example.com/data",
            "authentication": {
              "type": "ManagedServiceIdentity",
              "audience": "https://api.example.com"
            }
          }
        }
      },
      "triggers": {}
    }
  }
}
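To audit existing templates for this pattern, the check can be scripted. The following is an added example, not part of the original rule description or of any analyzer's code: it walks an ARM JSON template (or a single workflow resource object like the ones above) and reports every HTTP action whose inputs.authentication type is Basic or Raw, including actions nested in Scope, If, Foreach, Until and Switch containers. The function names and the sample template are assumptions constructed for illustration.

```python
import json

FLAGGED = {"basic", "raw"}  # authentication types this rule reports

# Constructed sample template: one Basic action, one Raw action nested in an If.
SAMPLE = {"resources": [{"type": "Microsoft.Logic/workflows", "name": "wf",
  "properties": {"definition": {"actions": {
    "Call_API": {"type": "Http", "inputs": {"authentication": {
        "type": "Basic", "username": "u", "password": "[parameters('pw')]"}}},
    "Guard": {"type": "If",
      "actions": {"Ok": {"type": "Http", "inputs": {"authentication": {
          "type": "ManagedServiceIdentity"}}}},
      "else": {"actions": {"Legacy": {"type": "Http", "inputs": {
          "authentication": {"type": "Raw", "value": "[parameters('hdr')]"}}}}}}
  }}}}]}

def walk_actions(actions, path):
    """Yield (path, auth_type) for each action whose inputs use a flagged type."""
    for name, action in actions.items():
        here = f"{path}.{name}"
        inputs = action.get("inputs")
        auth = inputs.get("authentication") if isinstance(inputs, dict) else None
        if isinstance(auth, dict) and str(auth.get("type", "")).lower() in FLAGGED:
            yield here, auth["type"]
        yield from walk_nested(action, here)

def walk_nested(node, path):
    """Descend into container actions: 'actions', 'else', 'default' and 'cases'."""
    if isinstance(node.get("actions"), dict):
        yield from walk_actions(node["actions"], path)
    for key in ("else", "default"):
        if isinstance(node.get(key), dict):
            yield from walk_nested(node[key], f"{path}.{key}")
    cases = node.get("cases")
    for case_name, case in (cases.items() if isinstance(cases, dict) else ()):
        yield from walk_nested(case, f"{path}.cases.{case_name}")

def scan(template_text):
    """Return [(path, auth_type)] for every Logic App workflow in the template."""
    doc = json.loads(template_text)
    findings = []
    for res in doc.get("resources", [doc]):  # full template or a single resource
        if str(res.get("type", "")).lower() != "microsoft.logic/workflows":
            continue
        definition = res.get("properties", {}).get("definition", {})
        findings += walk_actions(definition.get("actions", {}), res.get("name", "?"))
    return findings

if __name__ == "__main__":
    for path, auth_type in scan(json.dumps(SAMPLE)):
        print(f"{path}: authentication type {auth_type}")
```

Bicep files can be checked the same way after compiling them to ARM JSON with bicep build. An authentication type supplied through a template expression is not resolved by this script and is not reported.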

How to fix it in Bicep

Replace Basic or Raw authentication with ManagedServiceIdentity or ActiveDirectoryOAuth in the action’s inputs.authentication block.

Code examples

Noncompliant code example

resource workflow 'Microsoft.Logic/workflows@2019-05-01' = {
  name: 'basic-auth-workflow'
  location: resourceGroup().location
  properties: {
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      actions: {
        Call_API: {
          type: 'Http'
          inputs: {
            method: 'GET'
            uri: 'https://api.example.com/data'
            authentication: {
              type: 'Basic' // Noncompliant
              username: 'apiuser'
              password: 'P@ssw0rd!'
            }
          }
        }
      }
      triggers: {}
    }
  }
}

Compliant solution

resource workflow 'Microsoft.Logic/workflows@2019-05-01' = {
  name: 'managed-identity-workflow'
  location: resourceGroup().location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      actions: {
        Call_API: {
          type: 'Http'
          inputs: {
            method: 'GET'
            uri: 'https://api.example.com/data'
            authentication: {
              type: 'ManagedServiceIdentity'
              audience: 'https://api.example.com'
            }
          }
        }
      }
      triggers: {}
    }
  }
}
