When working with M365 Search, it’s great to follow the principle of least privilege. The ExternalItem.ReadWrite.OwnedBy gives you a way to restrict an application to a single connection. The problem is that the documentation (mslearn and graph permissions) does not shed any light on how to use this permission. In our project we were about to give up and grant the bolder ExternalItem.ReadWrite.All and then we tried a few things and found a way.

This is a guide for how to handle secrets in a logic app in a secure way. It combines three resources: Accessing Key Vault from Logic App with Managed Identity Get Secrets Key Vault API Hide your logic apps secrets from prying eyes First, enable a Managed Identity for your Logic App: In the KeyVault, add a new Access Policy for the new Managed Identity (from the previous step). Use the least priviliges.