LogicApp to Teams Connector with System Identity


I am creating a Logic App in Azure that needs to post a message to Microsoft Teams' chat.

I am adding the "Post message in a chat or channel" action:


But in order to connect to Teams, I get a prompt that only allows a connection based on a user account:


Instead of a user account, I'd much rather use a System Managed Identity or an Azure Entra Application to connect to Teams.

Is there a way to use System Managed Identity or Azure Entra Application to connect from Logic App to Teams?

If I have to use a user account, would I need to worry about re-authorizing the Connection periodically once the Logic App is in production, or is the authorization to Teams a one-time / design-time activity only?

Skin On

The simple answer is no; the long-winded answer is kind of, but it's not going to be the standard managed identity approach that you're used to.

If the connector and application supported it holistically (that's the important point) then it would be possible.

Teams is an O365 service, whereas the managed identity concept is better served for Azure resources, given that's what it was originally designed for, i.e. resource-to-resource authentication, so credentials, etc. do not need to be passed through when needing to lock down and secure resource access within Azure itself.

If you look at the list contained within, you'll see it's all Azure.

https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-status

When it comes to the "long winded" answer, if you want to access Teams services via an application (basically the same thing as a managed identity) rather than a user then go via the MS Graph API using an app registration created in Entra.

https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app

You'll need to provide the app with the appropriate Graph API permissions and then generate the keys, etc. to authenticate. In LogicApps, you'd then need to make the calls via the HTTP connector.

https://learn.microsoft.com/en-us/graph/api/resources/teams-api-overview?view=graph-rest-1.0

You may be hamstrung though, depending on what you want to do, because a lot of the Teams APIs rely on a user, not an application, to authenticate, and as you can appreciate, that's for good reason.

The other suggestion would be to use a service account. This approach is contentious organisation to organisation depending on security standards, etc. but it's the best approach IMO, IF you want to abstract the human, normal named user aspect from the authentication layer.
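As an added illustration of the "app registration plus HTTP connector" route described in the answer above (this is not code from the question or from Skin On's answer), the fragment below is a Logic App workflow definition whose HTTP action calls Microsoft Graph using the `ActiveDirectoryOAuth` authentication type, i.e. the client-credentials flow of an Entra app registration. Everything in angle brackets is a placeholder you must supply; the `clientSecret` parameter is typed `securestring` so the secret does not appear in run history, and in practice it should be injected from Key Vault or a deployment pipeline rather than hard-coded. The example deliberately calls `GET /teams/{team-id}/channels`, because that endpoint has an application permission (`Channel.ReadBasic.All`, admin consent required); the message-posting endpoints the question is about are among the Teams APIs that generally expect a delegated (user) permission, which is exactly the limitation the answer warns about, so check the permission table of each Graph endpoint before assuming an app-only call will work.

```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "tenantId":     { "type": "string",       "defaultValue": "<TENANT-ID-PLACEHOLDER>" },
      "clientId":     { "type": "string",       "defaultValue": "<APP-REGISTRATION-CLIENT-ID-PLACEHOLDER>" },
      "clientSecret": { "type": "securestring" },
      "teamId":       { "type": "string",       "defaultValue": "<TEAM-ID-PLACEHOLDER>" }
    },
    "triggers": {
      "manual": {
        "type": "Request",
        "kind": "Http",
        "inputs": { "schema": {} }
      }
    },
    "actions": {
      "List_team_channels_via_Graph": {
        "type": "Http",
        "runAfter": {},
        "inputs": {
          "method": "GET",
          "uri": "https://graph.microsoft.com/v1.0/teams/@{encodeURIComponent(parameters('teamId'))}/channels",
          "authentication": {
            "type": "ActiveDirectoryOAuth",
            "authority": "https://login.microsoftonline.com",
            "tenant": "@parameters('tenantId')",
            "audience": "https://graph.microsoft.com",
            "clientId": "@parameters('clientId')",
            "secret": "@parameters('clientSecret')"
          }
        }
      }
    },
    "outputs": {}
  },
  "parameters": {
    "clientSecret": { "value": "<SET-FROM-KEY-VAULT-OR-DEPLOYMENT-PIPELINE-PLACEHOLDER>" }
  }
}
```

Two practical notes on this fragment. First, the token is requested for the `https://graph.microsoft.com` audience, so the app registration needs the Graph application permission for the endpoint you call, granted with admin consent, and the call will return 403 (not 401) when the permission is missing, which is the quickest way to tell a consent problem from a bad secret. Second, the same `authentication` block also accepts `"type": "ManagedServiceIdentity"` with the same `audience`, which lets the Logic App's system-assigned identity call Graph directly once a Graph app role has been assigned to that identity; that removes the secret entirely, but it does not change which Teams endpoints accept app-only tokens, so the delegated-permission caveat from the answer still applies.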