Events
Take the Microsoft Learn Challenge
19 Nov, 23 - 10 Jan, 23
Ignite Edition - Build skills in Microsoft Azure and earn a digital badge by January 10!
Register nowThis browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Application settings in a function app contain configuration options that affect all functions for that function app. These settings are accessed as environment variables. This article lists the app settings that are available in function apps.
There are several ways that you can add, update, and delete function app settings:
Changes to function app settings require your function app to be restarted.
In this article, example connection string values are truncated for readability.
Because Azure Functions uses the Azure App Service platform for hosting, you might find some settings relevant to your function app hosting documented in Environment variables and app settings in Azure App Service.
When using app settings, you should be aware of the following considerations:
Changes to function app settings require your function app to be restarted.
In setting names, double-underscore (__
) and colon (:
) are considered reserved values. Double-underscores are interpreted as hierarchical delimiters on both Windows and Linux, and colons are interpreted in the same way only on Windows. For example, the setting AzureFunctionsWebHost__hostid=somehost_123456
would be interpreted as the following JSON object:
"AzureFunctionsWebHost": {
"hostid": "somehost_123456"
}
In this article, only double-underscores are used, since they're supported on both operating systems. Most of the settings that support managed identity connections use double-underscores.
When Functions runs locally, app settings are specified in the Values
collection in the local.settings.json.
There are other function app configuration options in the host.json file and in the local.settings.json file.
You can use application settings to override host.json setting values without having to change the host.json file itself. This is helpful for scenarios where you need to configure or modify specific host.json settings for a specific environment. This also lets you change host.json settings without having to republish your project. To learn more, see the host.json reference article.
This article documents the settings that are most relevant to your function apps. Because Azure Functions runs on App Service, other application settings are also supported. For more information, see Environment variables and app settings in Azure App Service.
Some scenarios also require you to work with settings documented in App Service site settings.
Changing any read-only App Service application settings can put your function app into an unresponsive state.
Take care when updating application settings by using REST APIs, including ARM templates. Because these APIs replace the existing application settings, you must include all existing settings when adding or modifying settings using REST APIs or ARM templates. When possible use Azure CLI or Azure PowerShell to programmatically work with application settings. For more information, see Work with application settings.
The instrumentation key for Application Insights. Don't use both APPINSIGHTS_INSTRUMENTATIONKEY
and APPLICATIONINSIGHTS_CONNECTION_STRING
. When possible, use APPLICATIONINSIGHTS_CONNECTION_STRING
. When Application Insights runs in a sovereign cloud, you must use APPLICATIONINSIGHTS_CONNECTION_STRING
. For more information, see How to configure monitoring for Azure Functions.
Key | Sample value |
---|---|
APPINSIGHTS_INSTRUMENTATIONKEY | 55555555-af77-484b-9032-64f83bb83bb |
Don't use both APPINSIGHTS_INSTRUMENTATIONKEY
and APPLICATIONINSIGHTS_CONNECTION_STRING
. Use of APPLICATIONINSIGHTS_CONNECTION_STRING
is recommended.
Enables access to Application Insights by using Microsoft Entra authentication. Use this setting when you must connect to your Application Insights workspace by using Microsoft Entra authentication. For more information, see Microsoft Entra authentication for Application Insights.
When you use APPLICATIONINSIGHTS_AUTHENTICATION_STRING
, the specific value that you set depends on the type of managed identity:
Managed identity | Setting value |
---|---|
System-assigned | Authorization=AAD |
User-assigned | Authorization=AAD;ClientId=<USER_ASSIGNED_CLIENT_ID> |
This authentication requirement is applied to connections from the Functions host, snapshot debugger, profiler, and any language-specific agents. To use this setting, the managed identity must already be available to the function app, with an assigned role equivalent to Monitoring Metrics Publisher.
Note
When using APPLICATIONINSIGHTS_AUTHENTICATION_STRING
to connect to Application Insights using Microsoft Entra authentication, you should also Disable local authentication for Application Insights. This configuration requires Microsoft Entra authentication in order for telemetry to be ingested into your workspace.
The connection string for Application Insights. Don't use both APPINSIGHTS_INSTRUMENTATIONKEY
and APPLICATIONINSIGHTS_CONNECTION_STRING
. While the use of APPLICATIONINSIGHTS_CONNECTION_STRING
is recommended in all cases, it's required in the following cases:
For more information, see Connection strings.
Key | Sample value |
---|---|
APPLICATIONINSIGHTS_CONNECTION_STRING | InstrumentationKey=... |
To connect to Application Insights with Microsoft Entra authentication, you should use APPLICATIONINSIGHTS_AUTHENTICATION_STRING
.
Important
Azure Functions proxies is a legacy feature for versions 1.x through 3.x of the Azure Functions runtime. For more information about legacy support in version 4.x, see Functions proxies.
By default, Functions proxies use a shortcut to send API calls from proxies directly to functions in the same function app. This shortcut is used instead of creating a new HTTP request. This setting allows you to disable that shortcut behavior.
Key | Value | Description |
---|---|---|
AZURE_FUNCTION_PROXY_DISABLE_LOCAL_CALL | true |
Calls with a backend URL pointing to a function in the local function app won't be sent directly to the function. Instead, the requests are directed back to the HTTP frontend for the function app. |
AZURE_FUNCTION_PROXY_DISABLE_LOCAL_CALL | false |
Calls with a backend URL pointing to a function in the local function app are forwarded directly to the function. false is the default value. |
Important
Azure Functions proxies is a legacy feature for versions 1.x through 3.x of the Azure Functions runtime. For more information about legacy support in version 4.x, see Functions proxies.
This setting controls whether the characters %2F
are decoded as slashes in route parameters when they're inserted into the backend URL.
Key | Value | Description |
---|---|---|
AZURE_FUNCTION_PROXY_BACKEND_URL_DECODE_SLASHES | true |
Route parameters with encoded slashes are decoded. |
AZURE_FUNCTION_PROXY_BACKEND_URL_DECODE_SLASHES | false |
All route parameters are passed along unchanged, which is the default behavior. |
For example, consider the proxies.json file for a function app at the myfunction.com
domain.
{
"$schema": "http://json.schemastore.org/proxies",
"proxies": {
"root": {
"matchCondition": {
"route": "/{*all}"
},
"backendUri": "example.com/{all}"
}
}
}
When AZURE_FUNCTION_PROXY_BACKEND_URL_DECODE_SLASHES
is set to true
, the URL example.com/api%2ftest
resolves to example.com/api/test
. By default, the URL remains unchanged as example.com/test%2fapi
. For more information, see Functions proxies.
Configures the runtime hosting environment of the function app when running in Azure. This value is read during initialization, and only these values are honored by the runtime:
Value | Description |
---|---|
Production |
Represents a production environment, with reduced logging and full performance optimizations. This is the default when AZURE_FUNCTIONS_ENVIRONMENT either isn't set or is set to an unsupported value. |
Staging |
Represents a staging environment, such as when running in a staging slot. |
Development |
A development environment supports more verbose logging and other reduced performance optimizations. The Azure Functions Core Tools sets AZURE_FUNCTIONS_ENVIRONMENT to Development when running on your local computer. This setting can't be overridden in the local.settings.json file. |
Use this setting instead of ASPNETCORE_ENVIRONMENT
when you need to change the runtime environment in Azure to something other than Production
. For more information, see Environment-based Startup class and methods.
This setting isn't available in version 1.x of the Functions runtime.
In version 2.x and later versions of the Functions runtime, application settings can override host.json settings in the current environment. These overrides are expressed as application settings named AzureFunctionsJobHost__path__to__setting
. For more information, see Override host.json values.
Sets the host ID for a given function app, which should be a unique ID. This setting overrides the automatically generated host ID value for your app. Use this setting only when you need to prevent host ID collisions between function apps that share the same storage account.
A host ID must meet the following requirements:
An easy way to generate an ID is to take a GUID, remove the dashes, and make it lower case, such as by converting the GUID 1835D7B5-5C98-4790-815D-072CC94C6F71
to the value 1835d7b55c984790815d072cc94c6f71
.
Key | Sample value |
---|---|
AzureFunctionsWebHost__hostid | myuniquefunctionappname123456789 |
For more information, see Host ID considerations.
This setting is deprecated and is only supported when running on version 1.x of the Azure Functions runtime.
Optional storage account connection string for storing logs and displaying them in the Monitor tab in the portal. The storage account must be a general-purpose one that supports blobs, queues, and tables. To learn more, see Storage account requirements.
Key | Sample value |
---|---|
AzureWebJobsDashboard | DefaultEndpointsProtocol=https;AccountName=... |
A value of true
disables the default landing page that is shown for the root URL of a function app. The default value is false
.
Key | Sample value |
---|---|
AzureWebJobsDisableHomepage | true |
When this app setting is omitted or set to false
, a page similar to the following example is displayed in response to the URL <functionappname>.azurewebsites.net
.
true
means use Release
mode when compiling .NET code; false
means use Debug mode. Default is true
.
Key | Sample value |
---|---|
AzureWebJobsDotNetReleaseCompilation | true |
A comma-delimited list of beta features to enable. Beta features enabled by these flags aren't production ready, but can be enabled for experimental use before they go live.
Key | Sample value |
---|---|
AzureWebJobsFeatureFlags | feature1,feature2,EnableProxies |
Add EnableProxies
to this list to re-enable proxies on version 4.x of the Functions runtime while you plan your migration to Azure API Management. For more information, see Re-enable proxies in Functions v4.x.
Indicates the Kubernetes Secrets resource used for storing keys. Supported only when running in Kubernetes. This setting requires you to set AzureWebJobsSecretStorageType
to kubernetes
. When AzureWebJobsKubernetesSecretName
isn't set, the repository is considered read only. In this case, the values must be generated before deployment. The Azure Functions Core Tools generates the values automatically when deploying to Kubernetes.
Key | Sample value |
---|---|
AzureWebJobsKubernetesSecretName | <SECRETS_RESOURCE> |
To learn more, see Manage key storage.
The client ID of the user-assigned managed identity or the app registration used to access the vault where keys are stored. This setting requires you to set AzureWebJobsSecretStorageType
to keyvault
. Supported in version 4.x and later versions of the Functions runtime.
Key | Sample value |
---|---|
AzureWebJobsSecretStorageKeyVaultClientId | <CLIENT_ID> |
To learn more, see Manage key storage.
The secret for client ID of the user-assigned managed identity or the app registration used to access the vault where keys are stored. This setting requires you to set AzureWebJobsSecretStorageType
to keyvault
. Supported in version 4.x and later versions of the Functions runtime.
Key | Sample value |
---|---|
AzureWebJobsSecretStorageKeyVaultClientSecret | <CLIENT_SECRET> |
To learn more, see Manage key storage.
This setting is deprecated and was only used when running on version 3.x of the Azure Functions runtime.
The name of a key vault instance used to store keys. This setting was only used in version 3.x of the Functions runtime, which is no longer supported. For version 4.x, instead use AzureWebJobsSecretStorageKeyVaultUri
. This setting requires you to set AzureWebJobsSecretStorageType
to keyvault
.
The vault must have an access policy corresponding to the system-assigned managed identity of the hosting resource. The access policy should grant the identity the following secret permissions: Get
,Set
, List
, and Delete
.
When your functions run locally, the developer identity is used, and settings must be in the local.settings.json file.
Key | Sample value |
---|---|
AzureWebJobsSecretStorageKeyVaultName | <VAULT_NAME> |
To learn more, see Manage key storage.
The tenant ID of the app registration used to access the vault where keys are stored. This setting requires you to set AzureWebJobsSecretStorageType
to keyvault
. Supported in version 4.x and later versions of the Functions runtime. To learn more, see Manage key storage.
Key | Sample value |
---|---|
AzureWebJobsSecretStorageKeyVaultTenantId | <TENANT_ID> |
The URI of a key vault instance used to store keys. Supported in version 4.x and later versions of the Functions runtime. This is the recommended setting for using a key vault instance for key storage. This setting requires you to set AzureWebJobsSecretStorageType
to keyvault
.
The AzureWebJobsSecretStorageKeyVaultUri
value should be the full value of Vault URI displayed in the Key Vault overview tab, including https://
.
The vault must have an access policy corresponding to the system-assigned managed identity of the hosting resource. The access policy should grant the identity the following secret permissions: Get
,Set
, List
, and Delete
.
When your functions run locally, the developer identity is used, and settings must be in the local.settings.json file.
Key | Sample value |
---|---|
AzureWebJobsSecretStorageKeyVaultUri | https://<VAULT_NAME>.vault.azure.net |
To learn more, see Use Key Vault references for Azure Functions.
A Blob Storage SAS URL for a second storage account used for key storage. By default, Functions uses the account set in AzureWebJobsStorage
. When using this secret storage option, make sure that AzureWebJobsSecretStorageType
isn't explicitly set or is set to blob
. To learn more, see Manage key storage.
Key | Sample value |
---|---|
AzureWebJobsSecretStorageSas | <BLOB_SAS_URL> |
Specifies the repository or provider to use for key storage. Keys are always encrypted before being stored using a secret unique to your function app.
Key | Value | Description |
---|---|---|
AzureWebJobsSecretStorageType | blob |
Keys are stored in a Blob storage container in the account provided by the AzureWebJobsStorage setting. Blob storage is the default behavior when AzureWebJobsSecretStorageType isn't set.To specify a different storage account, use the AzureWebJobsSecretStorageSas setting to indicate the SAS URL of a second storage account. |
AzureWebJobsSecretStorageType | files |
Keys are persisted on the file system. This is the default behavior for Functions v1.x. |
AzureWebJobsSecretStorageType | keyvault |
Keys are stored in a key vault instance set by AzureWebJobsSecretStorageKeyVaultName . |
AzureWebJobsSecretStorageType | kubernetes |
Supported only when running the Functions runtime in Kubernetes. When AzureWebJobsKubernetesSecretName isn't set, the repository is considered read only. In this case, the values must be generated before deployment. The Azure Functions Core Tools generates the values automatically when deploying to Kubernetes. |
To learn more, see Manage key storage.
Specifies the connection string for an Azure Storage account that the Functions runtime uses for normal operations. Some uses of this storage account by Functions include key management, timer trigger management, and Event Hubs checkpoints. The storage account must be a general-purpose one that supports blobs, queues, and tables. For more information, see Storage account requirements.
Key | Sample value |
---|---|
AzureWebJobsStorage | DefaultEndpointsProtocol=https;AccountName=... |
Instead of a connection string, you can use an identity-based connection for this storage account. For more information, see Connecting to host storage with an identity.
When using an identity-based storage connection, sets the account name of the storage account instead of using the connection string in AzureWebJobsStorage
. This syntax is unique to AzureWebJobsStorage
and can't be used for other identity-based connections.
Key | Sample value |
---|---|
AzureWebJobsStorage__accountName | <STORAGE_ACCOUNT_NAME> |
For sovereign clouds or when using a custom DNS, you must instead use the service-specific AzureWebJobsStorage__*ServiceUri
settings.
When using an identity-based storage connection, sets the data plane URI of the blob service of the storage account.
Key | Sample value |
---|---|
AzureWebJobsStorage__blobServiceUri | https://<STORAGE_ACCOUNT_NAME>.blob.core.windows.net |
Use this setting instead of AzureWebJobsStorage__accountName
in sovereign clouds or when using a custom DNS. For more information, see Connecting to host storage with an identity.
When using an identity-based storage connection, sets the data plane URI of the queue service of the storage account.
Key | Sample value |
---|---|
AzureWebJobsStorage__queueServiceUri | https://<STORAGE_ACCOUNT_NAME>.queue.core.windows.net |
Use this setting instead of AzureWebJobsStorage__accountName
in sovereign clouds or when using a custom DNS. For more information, see Connecting to host storage with an identity.
When using an identity-based storage connection, sets data plane URI of a table service of the storage account.
Key | Sample value |
---|---|
AzureWebJobsStorage__tableServiceUri | https://<STORAGE_ACCOUNT_NAME>.table.core.windows.net |
Use this setting instead of AzureWebJobsStorage__accountName
in sovereign clouds or when using a custom DNS. For more information, see Connecting to host storage with an identity.
Path to the compiler used for TypeScript. Allows you to override the default if you need to.
Key | Sample value |
---|---|
AzureWebJobs_TypeScriptPath | %HOME%\typescript |
Indicates the password used to access a private container registry. This setting is only required when deploying your containerized function app from a private container registry. For more information, see Environment variables and app settings in Azure App Service.
Indicates the URL of a private container registry. This setting is only required when deploying your containerized function app from a private container registry. For more information, see Environment variables and app settings in Azure App Service.
Indicates the account used to access a private container registry. This setting is only required when deploying your containerized function app from a private container registry. For more information, see Environment variables and app settings in Azure App Service.
Sets the shared memory size (in bytes) when the Python worker is using shared memory. To learn more, see Shared memory.
Key | Sample value |
---|---|
DOCKER_SHM_SIZE | 268435456 |
The value above sets a shared memory size of ~256 MB.
Requires that FUNCTIONS_WORKER_SHARED_MEMORY_DATA_TRANSFER_ENABLED
be set to 1
.
Indicates whether the Oryx build system is used during deployment. ENABLE_ORYX_BUILD
must be set to true
when doing remote build deployments to Linux. For more information, see Remote build.
Key | Sample value |
---|---|
ENABLE_ORYX_BUILD | true |
Indicates whether you're able to edit your function app in the Azure portal. Valid values are readwrite
and readonly
.
Key | Sample value |
---|---|
FUNCTION_APP_EDIT_MODE | readonly |
The value is set by the runtime based on the language stack and deployment status of your function app. For more information, see Development limitations in the Azure portal.
The version of the Functions runtime that hosts your function app. A tilde (~
) with major version means use the latest version of that major version (for example, ~4
). When new minor versions of the same major version are available, they're automatically installed in the function app.
Key | Sample value |
---|---|
FUNCTIONS_EXTENSION_VERSION | ~4 |
The following major runtime version values are supported:
Value | Runtime target | Comment |
---|---|---|
~4 |
4.x | Recommended |
~1 |
1.x | Support ends September 14, 2026 |
A value of ~4
means that your app runs on version 4.x of the runtime. A value of ~1
pins your app to version 1.x of the runtime. Runtime versions 2.x and 3.x are no longer supported. For more information, see Azure Functions runtime versions overview.
If requested by support to pin your app to a specific minor version, use the full version number (for example, 4.0.12345
). For more information, see How to target Azure Functions runtime versions.
Indicates whether to an app can use .NET 8 on the in-process model. To use .NET 8 on the in-process model, this value must be set to 1
. See Updating to target .NET 8 for complete instructions, including other required configuration values.
Key | Sample value |
---|---|
FUNCTIONS_INPROC_NET8_ENABLED | 1 |
Set to 0
to disable support for .NET 8 on the in-process model.
This app setting is a temporary way for Node.js apps to enable a breaking change that makes entry point errors easier to troubleshoot on Node.js v18 or lower. It's highly recommended to use true
, especially for programming model v4 apps, which always use entry point files. The behavior without the breaking change (false
) ignores entry point errors and doesn't log them in Application Insights.
Starting with Node.js v20, the app setting has no effect and the breaking change behavior is always enabled.
For Node.js v18 or lower, the app setting is used, and the default behavior depends on if the error happens before or after a model v4 function has been registered:
false
.true
.Key | Value | Description |
---|---|---|
FUNCTIONS_NODE_BLOCK_ON_ENTRY_POINT_ERROR | true |
Block on entry point errors and log them in Application Insights. |
FUNCTIONS_NODE_BLOCK_ON_ENTRY_POINT_ERROR | false |
Ignore entry point errors and don't log them in Application Insights. |
Overrides the default limit on the body size of requests sent to HTTP endpoints. The value is given in bytes, with a default maximum request size of 104,857,600 bytes.
Key | Sample value |
---|---|
FUNCTIONS_REQUEST_BODY_SIZE_LIMIT | 250000000 |
Important
This setting is no longer supported. It was originally provided to enable a short-term workaround for apps that targeted the v2.x runtime to be able to instead run on the v3.x runtime while it was still supported. Except for legacy apps that run on version 1.x, all function apps must run on version 4.x of the Functions runtime: FUNCTIONS_EXTENSION_VERSION=~4
. For more information, see Azure Functions runtime versions overview.
Specifies the maximum number of language worker processes, with a default value of 1
. The maximum value allowed is 10
. Function invocations are evenly distributed among language worker processes. Language worker processes are spawned every 10 seconds until the count set by FUNCTIONS_WORKER_PROCESS_COUNT
is reached. Using multiple language worker processes isn't the same as scaling. Consider using this setting when your workload has a mix of CPU-bound and I/O-bound invocations. This setting applies to all language runtimes, except for .NET running in process (FUNCTIONS_WORKER_RUNTIME=dotnet
).
Key | Sample value |
---|---|
FUNCTIONS_WORKER_PROCESS_COUNT | 2 |
The language or language stack of the worker runtime to load in the function app. This corresponds to the language being used in your application (for example, python
). Starting with version 2.x of the Azure Functions runtime, a given function app can only support a single language.
Key | Sample value |
---|---|
FUNCTIONS_WORKER_RUNTIME | node |
Valid values:
Value | Language/language stack |
---|---|
dotnet |
C# (class library) C# (script) |
dotnet-isolated |
C# (isolated worker process) |
java |
Java |
node |
JavaScript TypeScript |
powershell |
PowerShell |
python |
Python |
custom |
Other |
This setting enables the Python worker to use shared memory to improve throughput. Enable shared memory when your Python function app is hitting memory bottlenecks.
Key | Sample value |
---|---|
FUNCTIONS_WORKER_SHARED_MEMORY_DATA_TRANSFER_ENABLED | 1 |
With this setting enabled, you can use the DOCKER_SHM_SIZE setting to set the shared memory size. To learn more, see Shared memory.
Used to customize the Java virtual machine (JVM) used to run your Java functions when running on a Premium plan or Dedicated plan. When running on a Consumption plan, instead use languageWorkers__java__arguments
. For more information, see Customize JVM.
Used to customize the Java virtual machine (JVM) used to run your Java functions when running on a Consumption plan. This setting does increase the cold start times for Java functions running in a Consumption plan. For a Premium or Dedicated plan, instead use JAVA_OPTS
. For more information, see Customize JVM.
Controls the managed dependencies background update period for PowerShell function apps, with a default value of 7.00:00:00
(weekly).
Each PowerShell worker process initiates checking for module upgrades on the PowerShell Gallery on process start and every MDMaxBackgroundUpgradePeriod
after that. When a new module version is available in the PowerShell Gallery, it's installed to the file system and made available to PowerShell workers. Decreasing this value lets your function app get newer module versions sooner, but it also increases the app resource usage (network I/O, CPU, storage). Increasing this value decreases the app's resource usage, but it can also delay delivering new module versions to your app.
Key | Sample value |
---|---|
MDMaxBackgroundUpgradePeriod | 7.00:00:00 |
To learn more, see Dependency management.
Specifies how often each PowerShell worker checks whether managed dependency upgrades have been installed. The default frequency is 01:00:00
(hourly).
After new module versions are installed to the file system, every PowerShell worker process must be restarted. Restarting PowerShell workers affects your app availability as it can interrupt current function execution. Until all PowerShell worker processes are restarted, function invocations can use either the old or the new module versions. Restarting all PowerShell workers completes within MDNewSnapshotCheckPeriod
.
Within every MDNewSnapshotCheckPeriod
, the PowerShell worker checks whether or not managed dependency upgrades have been installed. When upgrades have been installed, a restart is initiated. Increasing this value decreases the frequency of interruptions because of restarts. However, the increase might also increase the time during which function invocations could use either the old or the new module versions, nondeterministically.
Key | Sample value |
---|---|
MDNewSnapshotCheckPeriod | 01:00:00 |
To learn more, see Dependency management.
The period of time after a previous managed dependency upgrade check before another upgrade check is started, with a default of 1.00:00:00
(daily).
To avoid excessive module upgrades on frequent Worker restarts, checking for module upgrades isn't performed when any worker has already initiated that check in the last MDMinBackgroundUpgradePeriod
.
Key | Sample value |
---|---|
MDMinBackgroundUpgradePeriod | 1.00:00:00 |
To learn more, see Dependency management.
This setting lets you override the base URL of the Python Package Index, which by default is https://pypi.org/simple
. Use this setting when you need to run a remote build using custom dependencies. These custom dependencies can be in a package index repository compliant with PEP 503 (the simple repository API) or in a local directory that follows the same format.
Key | Sample value |
---|---|
PIP_INDEX_URL | http://my.custom.package.repo/simple |
To learn more, see pip
documentation for --index-url
and using Custom dependencies in the Python developer reference.
The value for this setting indicates an extra index URL for custom packages for Python apps, to use in addition to the --index-url
. Use this setting when you need to run a remote build using custom dependencies that are found in an extra package index. Should follow the same rules as --index-url
.
Key | Sample value |
---|---|
PIP_EXTRA_INDEX_URL | http://my.custom.package.repo/simple |
To learn more, see pip
documentation for --extra-index-url
and Custom dependencies in the Python developer reference.
A continuous deployment setting that tells the Kudu deployment service the folder in a connected repository to location the deployable project.
Key | Sample value |
---|---|
PROJECT | WebProject/WebProject.csproj |
The configuration is specific to Python function apps. It defines the prioritization of module loading order. By default, this value is set to 0
.
Key | Value | Description |
---|---|---|
PYTHON_ISOLATE_WORKER_DEPENDENCIES | 0 |
Prioritize loading the Python libraries from internal Python worker's dependencies, which is the default behavior. Third-party libraries defined in requirements.txt might be shadowed. |
PYTHON_ISOLATE_WORKER_DEPENDENCIES | 1 |
Prioritize loading the Python libraries from application's package defined in requirements.txt. This prevents your libraries from colliding with internal Python worker's libraries. |
Enables debug-level logging in a Python function app. A value of 1
enables debug-level logging. Without this setting or with a value of 0
, only information and higher-level logs are sent from the Python worker to the Functions host. Use this setting when debugging or tracing your Python function executions.
When debugging Python functions, make sure to also set a debug or trace logging level in the host.json file, as needed. To learn more, see How to configure monitoring for Azure Functions.
The configuration is specific to Python function apps. Setting this to 1
allows the worker to load in Python worker extensions defined in requirements.txt. It enables your function app to access new features provided by third-party packages. It can also change the behavior of function load and invocation in your app. Ensure the extension you choose is trustworthy as you bear the risk of using it. Azure Functions gives no express warranties to any extensions. For how to use an extension, visit the extension's manual page or readme doc. By default, this value sets to 0
.
Key | Value | Description |
---|---|---|
PYTHON_ENABLE_WORKER_EXTENSIONS | 0 |
Disable any Python worker extension. |
PYTHON_ENABLE_WORKER_EXTENSIONS | 1 |
Allow Python worker to load extensions from requirements.txt. |
Specifies the maximum number of threads that a Python language worker would use to execute function invocations, with a default value of 1
for Python version 3.8
and below. For Python version 3.9
and above, the value is set to None
. This setting doesn't guarantee the number of threads that would be set during executions. The setting allows Python to expand the number of threads to the specified value. The setting only applies to Python functions apps. Additionally, the setting applies to synchronous functions invocation and not for coroutines.
Key | Sample value | Max value |
---|---|---|
PYTHON_THREADPOOL_THREAD_COUNT | 2 | 32 |
This setting is currently in preview.
This setting controls logging from the Azure Functions scale controller. For more information, see Scale controller logs.
Key | Sample value |
---|---|
SCALE_CONTROLLER_LOGGING_ENABLED | AppInsights:Verbose |
The value for this key is supplied in the format <DESTINATION>:<VERBOSITY>
, which is defined as follows:
Property | Description |
---|---|
<DESTINATION> |
The destination to which logs are sent. Valid values are AppInsights and Blob .When you use AppInsights , ensure that the Application Insights is enabled in your function app.When you set the destination to Blob , logs are created in a blob container named azure-functions-scale-controller in the default storage account set in the AzureWebJobsStorage application setting. |
<VERBOSITY> |
Specifies the level of logging. Supported values are None , Warning , and Verbose .When set to Verbose , the scale controller logs a reason for every change in the worker count, and information about the triggers that factor into those decisions. Verbose logs include trigger warnings and the hashes used by the triggers before and after the scale controller runs. |
Tip
Keep in mind that while you leave scale controller logging enabled, it impacts the potential costs of monitoring your function app. Consider enabling logging until you have collected enough data to understand how the scale controller is behaving, and then disabling it.
Controls remote build behavior during deployment. When SCM_DO_BUILD_DURING_DEPLOYMENT
is set to true
, the project is built remotely during deployment.
Key | Sample value |
---|---|
SCM_DO_BUILD_DURING_DEPLOYMENT | true |
Controls the timeout, in seconds, when connected to streaming logs. The default value is 7200 (2 hours).
Key | Sample value |
---|---|
SCM_LOGSTREAM_TIMEOUT | 1800 |
The above sample value of 1800
sets a timeout of 30 minutes. For more information, see Enable streaming execution logs in Azure Functions.
Connection string for storage account where the function app code and configuration are stored in event-driven scaling plans. For more information, see Storage account connection setting.
Key | Sample value |
---|---|
WEBSITE_CONTENTAZUREFILECONNECTIONSTRING | DefaultEndpointsProtocol=https;AccountName=... |
This setting is required for Consumption and Elastic Premium plan apps running on both Windows and Linux. It's not required for Dedicated plan apps, which aren't dynamically scaled by Functions.
Changing or removing this setting can cause your function app to not start. To learn more, see this troubleshooting article.
Azure Files doesn't support using managed identity when accessing the file share. For more information, see Azure Files supported authentication scenarios.
Important
WEBSITE_CONTENTOVERVNET is a legacy app setting that has been replaced by the vnetContentShareEnabled site property.
A value of 1
enables your function app to scale when you have your storage account restricted to a virtual network. You should enable this setting when restricting your storage account to a virtual network. Only required when using WEBSITE_CONTENTSHARE
and WEBSITE_CONTENTAZUREFILECONNECTIONSTRING
. To learn more, see Restrict your storage account to a virtual network.
Key | Sample value |
---|---|
WEBSITE_CONTENTOVERVNET | 1 |
This app setting is required on the Elastic Premium and Dedicated (App Service) plans (Standard and higher). Not supported when running on a Consumption plan.
Note
You must take special care when routing to the content share in a storage account shared by multiple function apps in the same plan. For more information, see Consistent routing through virtual networks in the Storage considerations article.
The name of the file share that Functions uses to store function app code and configuration files. This content is required by event-driven scaling plans. Used with WEBSITE_CONTENTAZUREFILECONNECTIONSTRING
. Default is a unique string generated by the runtime, which begins with the function app name. For more information, see Storage account connection setting.
Key | Sample value |
---|---|
WEBSITE_CONTENTSHARE | functionapp091999e2 |
This setting is required for Consumption and Premium plan apps on both Windows and Linux. It's not required for Dedicated plan apps, which aren't dynamically scaled by Functions.
The share is created when your function app is created. Changing or removing this setting can cause your function app to not start. To learn more, see this troubleshooting article.
The following considerations apply when using an Azure Resource Manager (ARM) template or Bicep file to create a function app during deployment:
WEBSITE_CONTENTSHARE
value for the main function app or any apps in slots, unique share values are generated for you. Not setting WEBSITE_CONTENTSHARE
is the recommended approach for an ARM template deployment.WEBSITE_CONTENTSHARE
value to a predefined value, such as when you use a secured storage account in a virtual network. In this case, you must set a unique share name for the main function app and the app for each deployment slot. In the case of a storage account secured by a virtual network, you must also create the share itself as part of your automated deployment. For more information, see Secured deployments.WEBSITE_CONTENTSHARE
a slot setting.WEBSITE_CONTENTSHARE
, the value must follow this guidance for share names.Sets the DNS server used by an app when resolving IP addresses. This setting is often required when using certain networking functionality, such as Azure DNS private zones and private endpoints.
Key | Sample value |
---|---|
WEBSITE_DNS_SERVER | 168.63.129.16 |
Controls whether Brotli encoding is used for compression instead of the default gzip compression. When WEBSITE_ENABLE_BROTLI_ENCODING
is set to 1
, Brotli encoding is used; otherwise gzip encoding is used.
Disables caching when deploying function apps using Azure Resource Manager (ARM) templates.
Key | Sample value |
---|---|
WEBSITE_FUNCTIONS_ARMCACHE_ENABLED | 0 |
The maximum number of instances that the app can scale out to. Default is no limit.
Important
This setting is in preview. An app property for function max scale out has been added and is the recommended way to limit scale out.
Key | Sample value |
---|---|
WEBSITE_MAX_DYNAMIC_APPLICATION_SCALE_OUT | 5 |
Windows only.
Sets the version of Node.js to use when running your function app on Windows. You should use a tilde (~) to have the runtime use the latest available version of the targeted major version. For example, when set to ~18
, the latest version of Node.js 18 is used. When a major version is targeted with a tilde, you don't have to manually update the minor version.
Key | Sample value |
---|---|
WEBSITE_NODE_DEFAULT_VERSION | ~18 |
When performing a slot swap on a function app running on a Premium plan, the swap can fail when the dedicated storage account used by the app is network restricted. This failure is caused by a legacy application logging feature, which is shared by both Functions and App Service. This setting overrides that legacy logging feature and allows the swap to occur.
Key | Sample value |
---|---|
WEBSITE_OVERRIDE_STICKY_DIAGNOSTICS_SETTINGS | 0 |
Add WEBSITE_OVERRIDE_STICKY_DIAGNOSTICS_SETTINGS
with a value of 0
to all slots to make sure that legacy diagnostic settings don't block your swaps. You can also add this setting and value to just the production slot as a deployment slot (sticky) setting.
By default, the version settings for function apps are specific to each slot. This setting is used when upgrading functions by using deployment slots. This prevents unanticipated behavior due to changing versions after a swap. Set to 0
in production and in the slot to make sure that all version settings are also swapped. For more information, see Upgrade using slots.
Key | Sample value |
---|---|
WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS | 0 |
Enables your function app to run from a package file, which can be locally mounted or deployed to an external URL.
Key | Sample value |
---|---|
WEBSITE_RUN_FROM_PACKAGE | 1 |
Valid values are either a URL that resolves to the location of an external deployment package file, or 1
. When set to 1
, the package must be in the d:\home\data\SitePackages
folder. When you use zip deployment with WEBSITE_RUN_FROM_PACKAGE
enabled, the package is automatically uploaded to this location. In preview, this setting was named WEBSITE_RUN_FROM_ZIP
. For more information, see Run your functions from a package file.
When you deploy from an external package URL, you must also manually sync triggers. For more information, see Trigger syncing.
The WEBSITE_CONTENTAZUREFILECONNECTIONSTRING and WEBSITE_CONTENTSHARE settings have extra validation checks to ensure that the app can be properly started. Creation of application settings fail when the function app can't properly call out to the downstream Storage Account or Key Vault due to networking constraints or other limiting factors. When WEBSITE_SKIP_CONTENTSHARE_VALIDATION is set to 1
, the validation check is skipped; otherwise the value defaults to 0
and the validation takes place.
Key | Sample value |
---|---|
WEBSITE_SKIP_CONTENTSHARE_VALIDATION | 1 |
If validation is skipped and either the connection string or content share isn't valid, the app won't be able to start properly. In this case, functions return HTTP 500 errors. For more information, see Troubleshoot error: "Azure Functions Runtime is unreachable"
Read-only. Name of the current deployment slot. The name of the production slot is Production
.
Key | Sample value |
---|---|
WEBSITE_SLOT_NAME | Production |
Allows you to set the timezone for your function app.
Key | OS | Sample value |
---|---|---|
WEBSITE_TIME_ZONE | Windows | Eastern Standard Time |
WEBSITE_TIME_ZONE | Linux | America/New_York |
The default time zone used with the CRON expressions is Coordinated Universal Time (UTC). To have your CRON expression based on another time zone, create an app setting for your function app named WEBSITE_TIME_ZONE
.
The value of this setting depends on the operating system and plan on which your function app runs.
Operating system | Plan | Value |
---|---|---|
Windows | All | Set the value to the name of the desired time zone as given by the second line from each pair given by the Windows command tzutil.exe /L |
Linux | Premium Dedicated |
Set the value to the name of the desired time zone as shown in the tz database. |
Note
WEBSITE_TIME_ZONE
and TZ
are not currently supported when running on Linux in a Consumption plan. In this case, setting WEBSITE_TIME_ZONE
or TZ
can create SSL-related issues and cause metrics to stop working for your app.
For example, Eastern Time in the US (represented by Eastern Standard Time
(Windows) or America/New_York
(Linux)) currently uses UTC-05:00 during standard time and UTC-04:00 during daylight time. To have a timer trigger fire at 10:00 AM Eastern Time every day, create an app setting for your function app named WEBSITE_TIME_ZONE
, set the value to Eastern Standard Time
(Windows) or America/New_York
(Linux), and then use the following NCRONTAB expression:
"0 0 10 * * *"
When you use WEBSITE_TIME_ZONE
the time is adjusted for time changes in the specific timezone, including daylight saving time and changes in standard time.
Indicates whether to use a specific cold start optimization when running on the Consumption plan. Set to 0
to disable the cold-start optimization on the Consumption plan.
Key | Sample value |
---|---|
WEBSITE_USE_PLACEHOLDER | 1 |
Indicates whether to use a specific cold start optimization when running .NET isolated worker process functions on the Consumption plan. Set to 0
to disable the cold-start optimization on the Consumption plan.
Key | Sample value |
---|---|
WEBSITE_USE_PLACEHOLDER_DOTNETISOLATED | 1 |
Important
WEBSITE_VNET_ROUTE_ALL is a legacy app setting that has been replaced by the vnetRouteAllEnabled site setting.
Indicates whether all outbound traffic from the app is routed through the virtual network. A setting value of 1
indicates that all application traffic is routed through the virtual network. You'll need this setting when configuring Regional virtual network integration in the Elastic Premium and Dedicated hosting plans. It's also used when a virtual network NAT gateway is used to define a static outbound IP address.
Key | Sample value |
---|---|
WEBSITE_VNET_ROUTE_ALL | 1 |
Indicates whether the /home
directory is shared across scaled instances, with a default value of true
. You should set this to false
when deploying your function app in a container.
Some configurations must be maintained at the App Service level as site settings, such as language versions. These settings are managed in the portal, by using REST APIs, or by using Azure CLI or Azure PowerShell. The following are site settings that could be required, depending on your runtime language, OS, and versions:
Indicates whether the image is obtained from an Azure Container Registry instance using managed identity authentication. A value of true
requires that managed identity be used, which is recommended over stored authentication credentials as a security best practice.
Indicates the managed identity to use when obtaining the image from an Azure Container Registry instance. Requires that AcrUseManagedIdentityCreds
is set to true
. These are the valid values:
Value | Description |
---|---|
system |
The system assigned managed identity of the function app is used. |
<USER_IDENTITY_RESOURCE_ID> |
The fully qualified resource ID of a user-assigned managed identity. |
The identity that you specify must be added to the ACRPull
role in the container registry. For more information, see Create and configure a function app on Azure with the image.
On a function app running in a Dedicated (App Service) plan, the Functions runtime goes idle after a few minutes of inactivity, a which point only requests to an HTTP trigger wakes up your function app. To make sure that your non-HTTP triggered functions run correctly, including Timer trigger functions, enable Always On for the function app by setting the alwaysOn
site setting to a value of true
.
Determines whether the built-in administrator (/admin
) endpoints in your function app can be accessed. When set to false
(the default), the app allows requests to endpoints under /admin
when those requests present a master key in the request. When true
, /admin
endpoints can't be accessed, even with a master key.
This property cannot be set for apps running on the Linux Consumption SKU, and it cannot be set for apps running on version 1.x of Azure Functions. If you are using version 1.x, you must first migrate to version 4.x.
For function apps running on Linux, linuxFxVersion
indicates the language and version for the language-specific worker process. This information is used, along with FUNCTIONS_EXTENSION_VERSION
, to determine which specific Linux container image is installed to run your function app. This setting can be set to a predefined value or a custom image URI.
This value is set for you when you create your Linux function app. You might need to set it for ARM template and Bicep deployments and in certain upgrade scenarios.
You can use the following Azure CLI command to see a table of current linuxFxVersion
values, by supported Functions runtime version:
az functionapp list-runtimes --os linux --query "[].{stack:join(' ', [runtime, version]), LinuxFxVersion:linux_fx_version, SupportedFunctionsVersions:to_string(supported_functions_versions[])}" --output table
The previous command requires you to upgrade to version 2.40 of the Azure CLI.
When you create and maintain your own custom linux container for your function app, the linuxFxVersion
value is instead in the format DOCKER|<IMAGE_URI>
, as in the following example:
linuxFxVersion = "DOCKER|contoso.com/azurefunctionsimage:v1.0.0"
This indicates the registry source of the deployed container. For more information, see Working with containers and Azure Functions.
Important
When creating your own containers, you are required to keep the base image of your container updated to the latest supported base image. Supported base images for Azure Functions are language-specific and are found in the Azure Functions base image repos.
The Functions team is committed to publishing monthly updates for these base images. Regular updates include the latest minor version updates and security fixes for both the Functions runtime and languages. You should regularly update your container from the latest base image and redeploy the updated version of your container.
Sets the specific version of .NET for C# functions. For more information, see Update your function app in Azure.
Sets the specific version of PowerShell on which your functions run. For more information, see Changing the PowerShell version.
When running locally, you instead use the FUNCTIONS_WORKER_RUNTIME_VERSION
setting in the local.settings.json file.
Apps running in a Premium plan use a file share to store content. The name of this content share is stored in the WEBSITE_CONTENTSHARE
app setting and its connection string is stored in WEBSITE_CONTENTAZUREFILECONNECTIONSTRING
. To route traffic between your function app and content share through a virtual network, you must also set vnetContentShareEnabled
to true
. Enabling this site property is a requirement when restricting your storage account to a virtual network in the Elastic Premium and Dedicated hosting plans.
Note
You must take special care when routing to the content share in a storage account shared by multiple function apps in the same plan. For more information, see Consistent routing through virtual networks in the Storage considerations article.
This site property replaces the legacy WEBSITE_CONTENTOVERVNET
setting.
Functions supports function apps running in Linux containers. To connect and pull from a container registry inside a virtual network, you must set vnetImagePullEnabled
to true
. This site property is supported in the Elastic Premium and Dedicated hosting plans. The Flex Consumption plan doesn't rely on site properties or app settings to configure Networking. For more information, see Flex Consumption plan deprecations.
Indicates whether all outbound traffic from the app is routed through the virtual network. A setting value of true
indicates that all application traffic is routed through the virtual network. Use this setting when configuring Regional virtual network integration in the Elastic Premium and Dedicated plans. It's also used when a virtual network NAT gateway is used to define a static outbound IP address. For more information, see Configure application routing.
This site setting replaces the legacy WEBSITE_VNET_ROUTE_ALL setting.
In the Flex Consumption plan, these site properties and application settings are deprecated and shouldn't be used when creating function app resources:
Setting/property | Reason |
---|---|
ENABLE_ORYX_BUILD |
Replaced by the remoteBuild parameter when deploying in Flex Consumption |
FUNCTIONS_EXTENSION_VERSION |
App Setting is set by the backend. A value of ~1 can be ignored. |
FUNCTIONS_WORKER_RUNTIME |
Replaced by name in properties.functionAppConfig.runtime |
FUNCTIONS_WORKER_RUNTIME_VERSION |
Replaced by version in properties.functionAppConfig.runtime |
FUNCTIONS_MAX_HTTP_CONCURRENCY |
Replaced by scale and concurrency's trigger section |
FUNCTIONS_WORKER_PROCESS_COUNT |
Setting not valid |
FUNCTIONS_WORKER_DYNAMIC_CONCURRENCY_ENABLED |
Setting not valid |
SCM_DO_BUILD_DURING_DEPLOYMENT |
Replaced by the remoteBuild parameter when deploying in Flex Consumption |
WEBSITE_CONTENTAZUREFILECONNECTIONSTRING |
Replaced by functionAppConfig's deployment section |
WEBSITE_CONTENTOVERVNET |
Not used for networking in Flex Consumption |
WEBSITE_CONTENTSHARE |
Replaced by functionAppConfig's deployment section |
WEBSITE_DNS_SERVER |
DNS is inherited from the integrated virtual network in Flex |
WEBSITE_MAX_DYNAMIC_APPLICATION_SCALE_OUT |
Replaced by maximumInstanceCount in properties.functionAppConfig.scaleAndConcurrency |
WEBSITE_NODE_DEFAULT_VERSION |
Replaced by version in properties.functionAppConfig.runtime |
WEBSITE_RUN_FROM_PACKAGE |
Not used for deployments in Flex Consumption |
WEBSITE_SKIP_CONTENTSHARE_VALIDATION |
Content share is not used in Flex Consumption |
WEBSITE_VNET_ROUTE_ALL |
Not used for networking in Flex Consumption |
properties.alwaysOn |
Not valid |
properties.containerSize |
Renamed as instanceMemoryMB |
properties.ftpsState |
FTPS not supported |
properties.isReserved |
Not valid |
properties.IsXenon |
Not valid |
properties.javaVersion |
Replaced by version in properties.functionAppConfig.runtime |
properties.LinuxFxVersion |
Replaced by properties.functionAppConfig.runtime |
properties.netFrameworkVersion |
Replaced by version in properties.functionAppConfig.runtime |
properties.powerShellVersion |
Replaced by version in properties.functionAppConfig.runtime |
properties.siteConfig.functionAppScaleLimit |
Renamed as maximumInstanceCount |
properties.siteConfig.preWarmedInstanceCount |
Renamed as alwaysReadyInstances |
properties.use32BitWorkerProcess |
32-bit not supported |
properties.vnetBackupRestoreEnabled |
Not used for networking in Flex Consumption |
properties.vnetContentShareEnabled |
Not used for networking in Flex Consumption |
properties.vnetImagePullEnabled |
Not used for networking in Flex Consumption |
properties.vnetRouteAllEnabled |
Not used for networking in Flex Consumption |
properties.windowsFxVersion |
Not valid |
Learn how to update app settings
Events
Take the Microsoft Learn Challenge
19 Nov, 23 - 10 Jan, 23
Ignite Edition - Build skills in Microsoft Azure and earn a digital badge by January 10!
Register nowTraining
Learning path
Implement finance and operations apps - Training
Plan and design your project methodology to successfully implement finance and operations apps with FastTrack services, data management and more.
Documentation
Configure function app settings in Azure Functions
Learn how to configure function app settings in Azure Functions.
How to disable functions in Azure Functions
Learn how to disable and enable functions in Azure Functions.
Azure Functions runtime versions overview
Azure Functions supports multiple versions of the runtime. Learn the differences between them and how to choose the one that's right for you.