we need to setup an external integration with a document storage solution. That solution has an external api. In order to have a reusable integration pattern, we propose to setup a logic app. I know that we could call out to that logic app via webhook trigger (or service hub, if we would put that in front of the logic app). However, they think sas tokens are not secure enough, and want to put API Management in front, with security based on Azure AD.
I was wondering what would be the safest way of calling that endpoint, since we now have to store clientid/secret somewhere, instead of the sas token. Working with keyvault seems to have the same issue (we could store the endpoint in there, but need some kind of identity to get the values).
An alternative i thought of was power automate, but since we have multiple triggers, we would have to create a flow for every (When record created). If we would have to create a plugin, then we have to code the authentication part (and perhaps store the token and its lifecycle somewhere).
What would be the most convenient and secure way to solve this in your opinion?
I assume Power Platform cannot be used with managed identities?
No, unfortunately Power Platform doesn't not support Managed Identities. A flow or logic app can have action that supports Managed Identities but not CDS or a flow itself. Also, unfortunately up-to-now native KeyVault integration with CDS/D365 is not supported. We usually integrate manually with KV via the KV Rest API and/or via an Azure Function to KV (with Managed Identities).
Typically integration with an external system, if we cannot leverage Dataflows or Power Automate, the CDS best practice is Azure Service Bus Queues which is supported out-of-the-box but uses SAS Key... I never tried it yet authenticating a Queue with a SPN and not sure it supports it out-of-the-box...