Logic Apps Standard AS2 Decode action does not sign outbound MDN
Issue: Logic Apps Standard AS2 Decode action does not sign outbound MDN even when the following are configured:
- Agreement receiveAgreement.mdnSettings.signMDN = true
- Agreement receiveAgreement.securitySettings.signingCertificateName = "AS2"
- AS2 Decode action inputs: signMDN=true, signingCertificateName="AS2"
The decode action output always shows isMdnSigned: false.
The outgoing MDN is sent as unsigned multipart/report instead of multipart/signed.
Additional issue: AS2 Encode action uses sha2_256 format for micalg parameter instead of sha256, causing Bad digest algorithm errors with trading partners.
Workaround: set sha2AlgorithmFormat=ShaHashSize in agreement securitySettings.
Encode worked, Decode did not.
Logic App type: Standard (Stateful workflow)
-
Rakesh Mishra 9,695 Reputation points • Microsoft External Staff • Moderator
Hi Eric,
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
While your AS2 setup appears mostly correct, there are some specific nuances when working with Logic Apps Standard that often cause the isMdnSigned: false issue.
Here are the key areas to verify within your Standard environment:
- B2B Artifacts Location (Local vs. Integration Account): Unlike Consumption logic apps, Logic Apps Standard natively hosts B2B artifacts. Ensure you are checking your configuration directly under your Logic App resource in the Azure portal (navigate to Artifacts -> Agreements and Certificates), rather than an external Integration Account.
- Private Key Availability: For the AS2 Decode action to successfully sign the outbound MDN, the certificate specified in securitySettings.signingCertificateName = "AS2" must contain the private key.
  - Navigate to your Logic App -> Settings -> Certificates.
  - Ensure the certificate was uploaded as a .pfx file and allows for Digital Signature operations. If only the public key (.cer) is available to the runtime, the action will silently fail to sign the MDN and return isMdnSigned: false.
  - Reference: Add certificates to secure B2B messages - Azure Logic Apps
- Built-in vs. Managed Connector: Double-check that your workflow is using the built-in AS2 (v2) operations (which run natively on the Standard runtime) rather than the Azure-managed API connector. The built-in connector is specifically designed to read the local B2B artifacts directly from the Standard app's state.
- The micalg Format: Regarding your secondary issue with the sha2_256 format: your workaround (sha2AlgorithmFormat=ShaHashSize) is indeed the correct approach. The connector defaults to sha2_256 based on certain RFC interpretations, but many trading partners require the strict sha256 string.
If your local agreement is configured correctly and you have verified the private key is accessible, could you share the sanitized JSON definition of your AS2 Decode action or provide specific configuration steps? I would like to try reproducing the inbound request and MDN generation in my own Azure environment to trace exactly where the signing step is being dropped.
Note: The response is drafted with the help of AI systems.
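To confirm from a captured message what the thread describes (an MDN sent as multipart/report instead of multipart/signed, and the micalg spelling), the following added example inspects the MIME structure of an MDN. It is not part of any post on this page and is not Microsoft's code; the function name, the accepted micalg set and the sample messages are constructed assumptions, and the check is structural only (it does not verify the signature).

```python
from email import message_from_bytes
from email.policy import default

# ASSUMPTION: spellings your trading partner accepts. The thread reports
# "sha2_256" being rejected with "Bad digest algorithm".
ACCEPTED_MICALG = {"sha256", "sha-256"}
SIG_TYPES = ("application/pkcs7-signature", "application/x-pkcs7-signature")

def inspect_mdn(raw: bytes) -> dict:
    """Report whether a captured MDN (MIME headers + body) is signed."""
    msg = message_from_bytes(raw, policy=default)
    out = {"content_type": msg.get_content_type(), "signed": False,
           "micalg": None, "disposition": None, "problems": []}
    if out["content_type"] == "multipart/signed":
        parts = list(msg.iter_parts())
        # Structural check only: signed content followed by a detached signature.
        out["signed"] = len(parts) == 2 and parts[1].get_content_type() in SIG_TYPES
        if not out["signed"]:
            out["problems"].append("multipart/signed without a signature part")
        out["micalg"] = msg.get_param("micalg")
        if str(out["micalg"]).lower() not in ACCEPTED_MICALG:
            out["problems"].append(f"micalg={out['micalg']!r} not accepted")
    elif out["content_type"] == "multipart/report":
        out["problems"].append("unsigned multipart/report MDN")
    else:
        out["problems"].append("not an MDN content type")
    # The Disposition field sits in the message/disposition-notification part,
    # which the parser exposes as a nested message; walk() reaches it.
    for part in msg.walk():
        if part["Disposition"]:
            out["disposition"] = str(part["Disposition"])
            break
    return out

# Constructed samples (not captured traffic): the same report, bare and signed.
REPORT = (b'Content-Type: multipart/report; report-type=disposition-notification;'
          b' boundary="rep"\n\n--rep\nContent-Type: text/plain\n\nMDN (constructed)\n'
          b'--rep\nContent-Type: message/disposition-notification\n\n'
          b'Disposition: automatic-action/MDN-sent-automatically; processed\n\n--rep--\n')
SIGNED = (b'Content-Type: multipart/signed; micalg=sha2_256; boundary="sig";'
          b' protocol="application/pkcs7-signature"\n\n--sig\n' + REPORT +
          b'--sig\nContent-Type: application/pkcs7-signature\n\nPLACEHOLDER\n--sig--\n')

if __name__ == "__main__":
    for name, raw in (("unsigned", REPORT), ("signed", SIGNED)):
        print(name, inspect_mdn(raw))
```

Feed it the raw MIME headers and body of the MDN as received by the partner side or a test endpoint; an empty problems list means the message is structurally a signed MDN with an accepted micalg.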
-
Rakesh Mishra 9,695 Reputation points • Microsoft External Staff • Moderator
Hi Eric, following up to see if you had a chance to check my previous response and if it was helpful. Please do let me know if you're still facing the issue and need any further assistance on this.
-
Praveen Kumar Gudipudi 2,290 Reputation points • Microsoft External Staff • Moderator
Hi Eric,
We haven’t heard from you on the last response and were just checking back to see if you have a resolution yet. If you have a resolution, please do share it with the community, as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
-
Eric Eugenio López 0 Reputation points
Hi Rakesh,
Apologies for the late reply. We've confirmed this is reproducible. Here are the details:
- Logic App type: Standard (Stateful)
- Action type: AS2Decode (not v2)
- Agreement signMDN: true, signingCertificateName: AS2-SAFEFOODS
- Action inputs: signMDN: true, signingCertificateName: AS2-SAFEFOODS
- Key Vault access policy: Logic App managed identity has get, list, sign, verify on keys
- Integration Account: Standard tier, LOGIC_APP_INTEGRATION_ACCOUNT_CONNECTION_STRING app setting configured
- Result: isMdnSigned always false, MDN sent as unsigned 2-part multipart/report
Is there a fix or workaround available?
-
Eric Eugenio López 0 Reputation points
Is there a way to have a one on one call to get this sorted out as soon as possible?
