Managed Service Identity | Azure Function APP

AJITH KUMAR RAI 0 Reputation points
2024-02-29T11:05:23.95+00:00

Hi Team,

Now, as per Microsoft's recommendation, we need to connect to the storage account or any other resources by managed identity.

Here, while creating or provisioning a new function app, it has two default app settings, as mentioned below:

  1. AzureWebJobsStorage
  2. WEBSITE_CONTENTAZUREFILECONNECTIONSTRING

And one more thing: while creating storage account triggers like the one below, how can we use managed identity instead of StorageConnectionString?

public void Run([BlobTrigger("samples-workitems/{name}", Connection = "StorageConnectionString")]Stream myBlob, string name, ILogger log)

{ }

StorageConnectionString is different from AzureWebJobsStorage__accountName. How do we overcome this for the above code? Here we want to use managed identity.

JFYI: As per this article, https://learn.microsoft.com/en-us/azure/azure-functions/functions-reference?tabs=blob&pivots=programming-language-csharp#connecting-to-host-storage-with-an-identity, for the latest function app we can specify just the storage account name with "AzureWebJobsStorage__accountName" instead of "AzureWebJobsStorage". Is there a way to use managed identity for this setting: WEBSITE_CONTENTAZUREFILECONNECTIONSTRING?

Thanks, Ajith


2 answers

  1. MikeUrnun 9,777 Reputation points Moderator
    2024-03-06T08:43:42.93+00:00

    Hi @AJITH KUMAR RAI - Thanks for reaching out, and engaging us on the MS Q&A community.

    I looked into your question and can confirm that this isn't yet a supported configuration. The limitation is on the Azure Files side which is used by Consumption and EP plans for dynamic scaling.

    The following issue has more info on this matter: Managed identity support for WEBSITE_CONTENTAZUREFILECONNECTIONSTRING setting


    Please "Accept Answer" if the answer is helpful so that others in the community may benefit from your experience.

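As an added example (not part of the thread and not Microsoft's code): a small Python audit that classifies how a binding's `Connection` name resolves in a function app's settings, following the answer above that WEBSITE_CONTENTAZUREFILECONNECTIONSTRING does not yet support managed identity. The `__blobServiceUri` and `__queueServiceUri` suffixes come from the Azure Functions identity-based connection reference rather than this page; accepting `__accountName` for prefixes other than AzureWebJobsStorage, the name `audit_connection`, and all sample values are assumptions.

```python
import re

# Values carrying an account key or SAS token are secret-based connections.
SECRET_RE = re.compile(r"\b(AccountKey|SharedAccessSignature)=", re.IGNORECASE)
# Per the answer above, the Azure Files content share still needs a connection string.
FILES_SETTING = "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING"

# Constructed sample app settings (placeholder values, not from a real app).
SAMPLE = {
    "AzureWebJobsStorage__accountName": "examplestorage",
    "StorageConnectionString": "DefaultEndpointsProtocol=https;"
        "AccountName=examplestorage;AccountKey=PLACEHOLDER;"
        "EndpointSuffix=core.windows.net",
    "OrdersStorage__blobServiceUri": "https://examplestorage.blob.core.windows.net",
    "OrdersStorage__queueServiceUri": "https://examplestorage.queue.core.windows.net",
    "LogsStorage__blobServiceUri": "https://examplestorage.blob.core.windows.net",
    FILES_SETTING: "DefaultEndpointsProtocol=https;AccountName=examplestorage;"
        "AccountKey=PLACEHOLDER;EndpointSuffix=core.windows.net",
}


def audit_connection(settings, connection):
    """Classify how a binding's Connection name resolves in the app settings."""
    if connection == FILES_SETTING:
        return "secret-required"
    prefix = connection + "__"
    suffixes = {key[len(prefix):] for key in settings if key.startswith(prefix)}
    has_secret = bool(SECRET_RE.search(settings.get(connection, "")))
    if has_secret:
        # A leftover key next to identity settings keeps the secret stored.
        return "conflict" if suffixes else "secret"
    # Assumption: accountName is accepted for any prefix, not only AzureWebJobsStorage.
    if "accountName" in suffixes:
        return "identity"
    # A blob trigger also uses queues, so both endpoints must be present.
    if {"blobServiceUri", "queueServiceUri"} <= suffixes:
        return "identity"
    return "incomplete" if suffixes else "missing"


if __name__ == "__main__":
    for name in ("AzureWebJobsStorage", "StorageConnectionString",
                 "OrdersStorage", "LogsStorage", FILES_SETTING):
        print(f"{name}: {audit_connection(SAMPLE, name)}")
```
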

  2. Pinaki Ghatak 5,600 Reputation points Microsoft Employee Volunteer Moderator
    2024-04-22T08:20:15.2666667+00:00

    Hello @AJITH KUMAR RAI

    To use managed identity instead of StorageConnectionString, you can use the following code:

    public void Run([BlobTrigger("samples-workitems/{name}", Connection = "AzureWebJobsStorage")] Stream myBlob, string name, ILogger log) { }

    Here, you can replace the Connection parameter with the name of the app setting that contains the connection string for your storage account. You can use the app setting AzureWebJobsStorage to specify the storage account name and use managed identity to authenticate. Regarding the app setting WEBSITE_CONTENTAZUREFILECONNECTIONSTRING, you can use managed identity to authenticate by setting the value of this app setting to the connection string of your storage account that includes the ResourceId parameter.

    Here is an example of how to set the value of this app setting:

    DefaultEndpointsProtocol=https;AccountName=;EndpointSuffix=core.windows.net;ResourceId=/subscriptions/{YOUR-SUBSCRIPTION-ID}/resourceGroups/{YOUR-RESOURCE-GROUP-NAME}/providers/Microsoft.Storage/storageAccounts/{YOUR-ACCOUNT-NAME}

    I hope this helps.

