Share via

Unable to run Logic Apps step to execute a query on Azure SQL using managed identity

Jonathan Robinson 0 Reputation points
2025-10-20T19:33:28.45+00:00

I am trying to run a step in Logic Apps to execute a query on an Azure SQL (free version). Logic Apps is using managed identity.

The error in the designer is:

Failed to retrieve dynamic outputs. As a result, this operation's outputs might not be visible in subsequent actions. Error details: Error code: 'Unauthorized', Message: 'Login failed for user '<token-identified principal>'.

The run history shows the following (with placeholders for <GUID>):

Unauthorized

{  "status": 401,  "message": "Login failed for user '<token-identified principal>'.\r\nclientRequestId: <GUID>",  "error": {    "message": "Login failed for user '<token-identified principal>'."  },

{
    "statusCode": 401,
    "headers": {
        "Cache-Control": "no-store, no-cache",
        "Pragma": "no-cache",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "x-ms-request-id": "<GUID>",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "x-ms-subscription-id": "<GUID>",
        "x-ms-dlp-re": "-|-",
        "x-ms-dlp-gu": "-|-",
        "x-ms-dlp-ef": "-|-/-|-|-",
        "x-ms-mip-sl": "-|-|-|-",
        "Timing-Allow-Origin": "*",
        "x-ms-apihub-cached-response": "false",
        "x-ms-apihub-obo": "false",
        "Date": "Mon, 20 Oct 2025 19:08:14 GMT",
        "Content-Length": "300",
        "Content-Type": "application/json",
        "Expires": "-1"
    },
    "body": {
        "status": 401,
        "message": "Login failed for user '<token-identified principal>'.\r\nclientRequestId: <GUID>",
        "error": {
            "message": "Login failed for user '<token-identified principal>'."
        },
        "source": "sql-wus.azconn-wus-001.p.azurewebsites.net"
    }
}
Azure Logic Apps
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Pravallika KV 165 Reputation points Microsoft External Staff Moderator
    2025-10-21T12:52:40.68+00:00

    Hi Jonathan Robinson,

    Thank you reaching out to Microsoft Q&A.

    Login failed for user '<token-identified principal>'.

    This means your Logic App’s Managed Identity is trying to authenticate to Azure SQL Database, but Azure SQL doesn’t recognize or trust it yet. It’s trying to connect with a valid identity token, but if the identity not been created as a SQL user in your database, it leads to 401 unauthorized error.

    • Clear cache and try creating the new connection again.

    Follow below steps to create an API connection to SQL using system assigned managed identity

    • Enable managed identity in logic app and the execute below query in your SQL database.
    
CREATE USER [System Assigned Managed Identity Name (Your logic app Name)] FROM EXTERNAL PROVIDER;

ALTER ROLE db_datareader ADD MEMBER [System assigned managed Identity Name]

ALTER ROLE db_datawriter ADD MEMBER [System assigned managed Identity Name]

    Navigate to SQL Server -> Access Control (IAM) -> Role assignment, grant SQL Server Contributor role to Managed Identity of your logic app.

    image

    Create a connection to Azure SQL server through Logic app Designer. Enable Public access for selected networks.

    • Add the SQL Action

    Click **+ =>**Search for **"SQL Server"=>**Choose "Execute a SQL query (V2)" =>Create or Select Connection

    image

    • A connection form will pop up=> Enter the server's name servername.database.windows.net and Database name by selecting Enter custom value.
    • Run the Http Post URL using curl or Postman to execute the query (add parameters if needed).

    Run History:image Output:

    image Hope it helps!

    Please do not forget to click "Accept the answer” and Yes, this can be beneficial to other community members.

    User's image

    If you have any other questions, let me know in the "comments" and I would be happy to help you.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.