Function app using user assigned managed identity in backend but showing System managed identity in environment variables

Question

The issue is that in function apps we are using Environment variables which sourced from a key vault using a user assigned managed identity. System assigned managed identities have been turned off, however the environment variables still show that the system assigned managed identity is being used to access the key vault.

 

The Function Apps:

·       Are using User Managed Identities

·       Are NOT using System Assigned Identities.

·       Are configured to use the User Managed Identity for Key Vault Secret lookup

o   ie: "keyVaultReferenceIdentity": "/subscriptions/6705ce6c-074a-417f-bbe0-9a92f3452d51/resourceGroups/RBGKew-PROD-D365CE-Application-UKS-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/RBGKew-PROD-D365CE-FunctionApps-UKS-ID-001",

They are successfully retrieving the secrets, but the portal still indicates it is using SystemAssigned Identity when it is now.

As a work around we tried to manually update the key vault Identity with below command using PowerShell. The command ran successfully but UI didn't change yet. 

Update-AzFunctionApp -Name 'rbgkewprodd365cecardpayuksfa01' -ResourceGroupName 'RBGKew-PROD-D365CE-Application-UKS-RG' -IdentityType UserAssigned -IdentityID '/subscriptions/6705ce6c-074a-417f-bbe0-9a92f3452d51/resourceGroups/RBGKew-PROD-D365CE-Application-UKS-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/RBGKew-PROD-D365CE-FunctionApps-UKS-ID-001' -Force

Answer 1

Hi Narendar,

The issue you're describing, where the Azure portal incorrectly indicates that a System Assigned Managed Identity is being used instead of a User Assigned Managed Identity, can be caused by a few factors. Here's a step-by-step approach to troubleshoot and resolve this issue:

1.Clear and Redeploy Configuration:

• Clear the current identity configuration and redeploy the settings to force an update.
• You can use the Azure CLI to remove the existing User Managed Identity and reassign it:

az webapp identity remove --name rbgkewprodd365cecardpayuksfa01 --resource-group RBGKew-PROD-D365CE-Application-UKS-RG --identities "" 

2. Check for Portal UI Cache Issues:

• Sometimes, the Azure Portal UI might have caching issues. Try logging out and logging back into the Azure Portal or using a different browser/incognito mode to see if the changes are reflected.

3. Contact Azure Support:

• If the issue persists after trying the above steps, consider reaching out to Azure Support for further assistance. They can provide deeper insights and potentially identify backend issues.

Kindly check and let us know , if any further questions , please let us know

please accept answer if it works for you

Thanks

Deepanshu

Answer 2

Hi Narendra,

What you are seeing is normal (even though it is incorrect). In my experience the portal shows "System assigned managed identity" regardless of whether you are using System or User-assigned managed identity.

When using user-assigned managed identity the important difference is you need to set keyVaultReferenceIdentity, which you have already done.

If you are still concerned that somehow it is using system-assigned managed identity even though you've turned it off, you can turn on audit logging on your key vault and verify in logs that user-assigned identity is being used.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP