Azure Logic Apps store the inputs and outputs of every action in the workflow run history by default. If Secure Inputs and Secure Outputs are not enabled, sensitive payloads are logged in plain text and visible to anyone with access to the run history.

Why is this an issue?

When Secure Inputs and Secure Outputs are not enabled on Logic App actions, sensitive data such as tokens, credentials, Personally Identifiable Information (PII), and API keys are stored in the run history in plain text. This can lead to:

What is the potential impact?

If sensitive data is exposed in run history, anyone with read access to the Logic App can view credentials, tokens, and Personally Identifiable Information (PII). This significantly increases the risk of credential theft and data breaches.

How to fix it in JSON templates

Set runtimeConfiguration.secureData.properties to include both "inputs" and "outputs" on each action that handles sensitive data.

Code examples

Noncompliant code example

{
  "type": "Microsoft.Logic/workflows",
  "apiVersion": "2019-05-01",
  "name": "example-workflow",
  "location": "[resourceGroup().location]",
  "properties": {
    "definition": {
      "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
      "actions": {
        "HTTP_Call": {
          "type": "Http",
          "inputs": {
            "method": "POST",
            "uri": "https://api.example.com/sensitive",
            "body": "@triggerBody()"
          }
        }
      },
      "triggers": {}
    }
  }
}

Compliant solution

{
  "type": "Microsoft.Logic/workflows",
  "apiVersion": "2019-05-01",
  "name": "example-workflow",
  "location": "[resourceGroup().location]",
  "properties": {
    "definition": {
      "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
      "actions": {
        "HTTP_Call": {
          "type": "Http",
          "inputs": {
            "method": "POST",
            "uri": "https://api.example.com/sensitive",
            "body": "@triggerBody()"
          },
          "runtimeConfiguration": {
            "secureData": {
              "properties": ["inputs", "outputs"]
            }
          }
        }
      },
      "triggers": {}
    }
  }
}

How to fix it in Bicep

Set runtimeConfiguration.secureData.properties to include both 'inputs' and 'outputs' on each action that handles sensitive data.

Code examples

Noncompliant code example

resource workflow 'Microsoft.Logic/workflows@2019-05-01' = {
  name: 'example-workflow'
  location: resourceGroup().location
  properties: {
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      actions: {
        HTTP_Call: { // Noncompliant
          type: 'Http'
          inputs: {
            method: 'POST'
            uri: 'https://api.example.com/sensitive'
            body: '@triggerBody()'
          }
        }
      }
      triggers: {}
    }
  }
}

Compliant solution

resource workflow 'Microsoft.Logic/workflows@2019-05-01' = {
  name: 'example-workflow'
  location: resourceGroup().location
  properties: {
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      actions: {
        HTTP_Call: {
          type: 'Http'
          inputs: {
            method: 'POST'
            uri: 'https://api.example.com/sensitive'
            body: '@triggerBody()'
          }
          runtimeConfiguration: {
            secureData: {
              properties: [
                'inputs'
                'outputs'
              ]
            }
          }
        }
      }
      triggers: {}
    }
  }
}

Resources

Documentation

Standards