diff --git a/internal/services/logic/logic_app_standard_resource.go b/internal/services/logic/logic_app_standard_resource.go
index e59d70d6252d..7b1a44264c09 100644
--- a/internal/services/logic/logic_app_standard_resource.go
+++ b/internal/services/logic/logic_app_standard_resource.go
@@ -341,9 +341,9 @@ func resourceLogicAppStandardCreate(d *pluginsdk.ResourceData, meta interface{})
 	}
 
 	publicNetworkAccess := d.Get("public_network_access").(string)
-	if !features.FivePointOhBeta() && publicNetworkAccess == "" {
+	if !features.FivePointOhBeta() {
 		// if a user is still using `site_config.public_network_access_enabled` we should be setting `public_network_access` for them
-		publicNetworkAccess = helpers.PublicNetworkAccessEnabled
+		publicNetworkAccess = reconcilePNA(d)
 		if v := siteEnvelope.Properties.SiteConfig.PublicNetworkAccess; v != nil && *v == helpers.PublicNetworkAccessDisabled {
 			publicNetworkAccess = helpers.PublicNetworkAccessDisabled
 		}
@@ -379,6 +379,7 @@ func resourceLogicAppStandardCreate(d *pluginsdk.ResourceData, meta interface{})
 	}
 
 	d.SetId(id.ID())
+
 	return resourceLogicAppStandardUpdate(d, meta)
 }
 
@@ -455,6 +456,10 @@ func resourceLogicAppStandardUpdate(d *pluginsdk.ResourceData, meta interface{})
 		}
 	}
 
+	if !features.FivePointOhBeta() { // Until 5.0 the site_config value of this must be reflected back into the top-level property if not set there
+		siteConfig.PublicNetworkAccess = pointer.To(reconcilePNA(d))
+	}
+
 	if clientCertEnabled {
 		siteEnvelope.Properties.ClientCertMode = pointer.To(webapps.ClientCertMode(clientCertMode))
 	}
@@ -484,7 +489,7 @@ func resourceLogicAppStandardUpdate(d *pluginsdk.ResourceData, meta interface{})
 		return fmt.Errorf("updating %s: %+v", *id, err)
 	}
 
-	if d.HasChange("site_config") { // update siteConfig before appSettings in case the appSettings get covered by basicAppSettings
+	if d.HasChange("site_config") || (d.HasChange("public_network_access") && !features.FivePointOhBeta()) { // update siteConfig before appSettings in case the appSettings get covered by basicAppSettings
 		siteConfigResource := webapps.SiteConfigResource{
 			Properties: &siteConfig,
 		}
@@ -1367,13 +1372,7 @@ func expandLogicAppStandardSiteConfig(d *pluginsdk.ResourceData) (webapps.SiteCo
 	}
 
 	if !features.FivePointOhBeta() {
-		if v, ok := config["public_network_access_enabled"]; ok {
-			pna := helpers.PublicNetworkAccessEnabled
-			if !v.(bool) {
-				pna = helpers.PublicNetworkAccessDisabled
-			}
-			siteConfig.PublicNetworkAccess = pointer.To(pna)
-		}
+		siteConfig.PublicNetworkAccess = pointer.To(reconcilePNA(d))
 	}
 
 	return siteConfig, nil
@@ -1555,3 +1554,26 @@ func expandHeaders(input interface{}) map[string][]string {
 
 	return output
 }
+
+func reconcilePNA(d *pluginsdk.ResourceData) string {
+	pna := ""
+	scPNASet := true
+	if !d.GetRawConfig().AsValueMap()["public_network_access"].IsNull() { // is top level set, takes precedence
+		pna = d.Get("public_network_access").(string)
+	}
+	if sc := d.GetRawConfig().AsValueMap()["site_config"]; !sc.IsNull() {
+		if len(sc.AsValueSlice()) > 0 && !sc.AsValueSlice()[0].AsValueMap()["public_network_access_enabled"].IsNull() {
+			scPNASet = true
+		}
+	}
+	if pna == "" && scPNASet { // if not, or it's empty, is site_config value set
+		pnaBool := d.Get("site_config.0.public_network_access_enabled").(bool)
+		if pnaBool {
+			pna = helpers.PublicNetworkAccessEnabled
+		} else {
+			pna = helpers.PublicNetworkAccessDisabled
+		}
+	}
+
+	return pna
+}
diff --git a/internal/services/logic/logic_app_standard_resource_test.go b/internal/services/logic/logic_app_standard_resource_test.go
index d163f15597db..09495412701a 100644
--- a/internal/services/logic/logic_app_standard_resource_test.go
+++ b/internal/services/logic/logic_app_standard_resource_test.go
@@ -50,6 +50,8 @@ func TestAccLogicAppStandard_publicNetworkAccessDisabled(t *testing.T) {
 			Config: r.publicNetworkAccess(data, "Disabled"),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("public_network_access").HasValue("Disabled"),
+				check.That(data.ResourceName).Key("site_config.0.public_network_access_enabled").HasValue("false"),
 			),
 		},
 		data.ImportStep(),
@@ -57,6 +59,17 @@ func TestAccLogicAppStandard_publicNetworkAccessDisabled(t *testing.T) {
 			Config: r.publicNetworkAccess(data, "Enabled"),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("public_network_access").HasValue("Enabled"),
+				check.That(data.ResourceName).Key("site_config.0.public_network_access_enabled").HasValue("true"),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.publicNetworkAccess(data, "Disabled"),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("public_network_access").HasValue("Disabled"),
+				check.That(data.ResourceName).Key("site_config.0.public_network_access_enabled").HasValue("false"),
 			),
 		},
 		data.ImportStep(),