This is an edge case but boy was I happy to find the solution.
Some time ago I was tasked with finding what Logic Apps where using a particular application (or app reg) as an authentication mechansim. The reason was that the secret was expiring and we needed to know which Logic Apps to update.
There are several way to solve this. I tried using the search code option in Azure DevOps to find references to it. That did not turn up that many depending on how the codebase ws configured. We usually inject connection settings from the release pipeline in Azure DevOps.
Enter Azure Resource Graph Explorer
This is a tool that uses KQL to query Azure resources. List all the VMs, show a list of all IP-addresses used etc etc. It is very very useful. Particularly to me, looking for application references.
Access
First off you need access to the resources you want to query. That might go without saying but I thought I just point that out.
Finding it
Use the search box in Azure (at the top of the page) and type resource graph
. The service will show up in the result.
Using it
There are a number of predefined queries, and there is also an explorer to the left, showing you all types of Azure resources grouped by type. You can click any of these and they will show up in the query window.
Using it for Logic Apps
Sadly, there is very little in the way of help for Logic Apps and connectors but the resource type is very easy to find. Just pull up resource of the type you want to the query to be about and look under properties
. There is always a property called Resoource ID
. That contains the resource type.
Finding all connectors using the application
First off, you need the client ID of the application you are looking for. It can be found on its overview page in Azure Entra. If you want to filter your results to one particular subscription, you need the subscription ID as well.
Here is the KQL query.
resources
| where type == "microsoft.web/connections" and subscriptionId == "your subscription ID here"
| where properties.parameterValues.["token:clientId"] == "application client ID"
This will give you a list of all connections that are using that application to authenticate.
Note the strange syntax for ["token:clientId"]
. This is because the KQL language does not like colons. So you have to use a string literal and []
for it to work.
If the property you are looking for does not contain any colon, you do not need it. Here is an example looking for connections with a particular display name.
resources
| where type == "microsoft.web/connections" and subscriptionId == "your subscription ID here"
| where properties.displayName == "the displayname"
Happy hunting.