How to create Azure Function App based on Flex consumption plan with least privileges?

Nandakumar, Abhijith 20 Reputation points
2025-11-10T15:21:05.15+00:00

I have a contributor role and user access administrator role on the scope of a resource group. I have a reader role for the subscription of this resource group.

I am trying to create an Azure Function App based on the Flex Consumption plan. The authentication type chosen for the function app is managed identity. But it is giving me an insufficient permissions error, even though the above two roles cover all the necessary roles as per the Microsoft docs.

https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#prerequisites

What is the least privileged role that I should have so that I have the necessary permissions to create such a function app?


Answer accepted by question author
  1. Pravallika KV 4,195 Reputation points Microsoft External Staff Moderator
    2025-11-12T04:52:32.31+00:00

    Hi @Nandakumar, Abhijith ,

    Thanks for reaching out to Microsoft Q&A.

    As you are assigning the managed identity to the function app, you need permissions at the Entra level, which will be assigned by an Entra admin.

    Your Entra ID admin should grant the permissions below:

    1. Enable Application Developer directory role for you

    or

    Enable tenant setting:

    Azure AD => User Settings => App registrations =>

    “Users can create app registrations” = YES

    or

    The admin can enable the identity after you create the Function App

    (Function App => Identity => System assigned => ON)

    As an alternative:

    You can follow the steps below to assign a managed identity to the Azure function app:

    1. Create the function app (ignore authentication).
    2. Create a user-assigned managed identity.
    3. Navigate to Function App => Identity => Add user-assigned managed identity.
    4. Open the storage account => Access control (IAM) => Add role assignment => assign the Storage Account Contributor role to the function app's managed identity.
    5. In the Function App => Environment variables => add the app settings below (YAML):

    ```yaml
    # Host storage connection that uses the managed identity instead of a key-bearing connection string
    AzureWebJobsStorage__accountName: <STORAGE_ACCOUNT_NAME>
    AzureWebJobsStorage__credential: managedidentity
    # Needed when the identity attached in step 3 is user-assigned; without it the host
    # falls back to the system-assigned identity
    AzureWebJobsStorage__clientId: <USER_ASSIGNED_IDENTITY_CLIENT_ID>
    AzureWebJobsStorage__blobServiceUri: https://<STORAGE_ACCOUNT_NAME>.blob.core.windows.net
    AzureWebJobsStorage__queueServiceUri: https://<STORAGE_ACCOUNT_NAME>.queue.core.windows.net
    AzureWebJobsStorage__tableServiceUri: https://<STORAGE_ACCOUNT_NAME>.table.core.windows.net
    ```

    Now you will be able to connect the function app to the storage account using the managed identity.

    Here's the official MS doc for enabling a managed identity in a function app after creation: https://learn.microsoft.com/en-us/azure/azure-functions/functions-identity-based-connections-tutorial

    Update: As discussed, we have conveyed the feedback to the respective documentation team.

    Hope it helps!


    Please do not forget to click "Accept the answer" and Yes, this can be beneficial to other community members.

    If you have any other questions, let me know in the "comments" and I would be happy to help you.

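A pre-deployment check for the identity-based storage settings in step 5, added here as an example that is not code from the Q&A thread: it validates the AzureWebJobsStorage__* app settings for consistency (no key-bearing connection string left behind, a clientId when the identity is user-assigned, service URIs that match the account) and lists the data-plane roles the identity needs on the storage account. The role names are the ones the identity-based connections tutorial linked in the answer uses; the function names, the SAMPLE dict and its placeholder clientId are assumptions.

```python
import re

PREFIX = "AzureWebJobsStorage__"
SERVICES = ("blob", "queue", "table")
# Data-plane roles the host needs; Storage Account Contributor is control-plane only.
REQUIRED_DATA_ROLES = {"blob": "Storage Blob Data Owner",
                       "queue": "Storage Queue Data Contributor",
                       "table": "Storage Table Data Contributor"}


def validate_storage_settings(settings, user_assigned):
    """Return the problems found; an empty list means the settings are consistent."""
    problems = []
    # The plain connection string carries the account key; drop it once identity is used.
    if "AzureWebJobsStorage" in settings:
        problems.append("remove AzureWebJobsStorage: it embeds the storage account key")
    if settings.get(PREFIX + "credential") != "managedidentity":
        problems.append("credential must be 'managedidentity'")
    # Without clientId the host falls back to the system-assigned identity.
    if user_assigned and not settings.get(PREFIX + "clientId"):
        problems.append("clientId is required for a user-assigned identity")
    account = settings.get(PREFIX + "accountName")
    uris = {s: settings.get(f"{PREFIX}{s}ServiceUri") for s in SERVICES}
    uris = {s: u for s, u in uris.items() if u}
    if not account and len(uris) < len(SERVICES):
        problems.append("set accountName or all three *ServiceUri values")
    for service, uri in uris.items():
        m = re.fullmatch(rf"https://([a-z0-9]{{3,24}})\.{service}\.core\.windows\.net/?", uri)
        if m is None:
            problems.append(f"{service}ServiceUri must be https://<account>.{service}.core.windows.net")
        elif account and m.group(1) != account:
            problems.append(f"{service}ServiceUri names {m.group(1)}, not {account}")
    return problems


def required_roles(settings):
    """Roles to grant the identity on the storage account for the services referenced."""
    if settings.get(PREFIX + "accountName"):
        return sorted(REQUIRED_DATA_ROLES.values())
    return sorted(REQUIRED_DATA_ROLES[s] for s in SERVICES if settings.get(f"{PREFIX}{s}ServiceUri"))


# Constructed sample: the accepted answer's settings plus a placeholder clientId.
SAMPLE = {
    "AzureWebJobsStorage__accountName": "mystorageaccount",
    "AzureWebJobsStorage__credential": "managedidentity",
    "AzureWebJobsStorage__clientId": "<UAMI_CLIENT_ID>",
    "AzureWebJobsStorage__blobServiceUri": "https://mystorageaccount.blob.core.windows.net",
    "AzureWebJobsStorage__queueServiceUri": "https://mystorageaccount.queue.core.windows.net",
    "AzureWebJobsStorage__tableServiceUri": "https://mystorageaccount.table.core.windows.net",
}
```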

1 additional answer

  1. Rakesh Mishra 4,110 Reputation points Microsoft External Staff Moderator
    2025-11-10T16:12:57.1866667+00:00

    Hi @Nandakumar, Abhijith ,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    Please refer to the roles below, required for the different actions.

    Action           Role
    Create MI        Managed Identity Contributor
    List or read MI  Managed Identity Operator or Managed Identity Contributor
    Delete MI        Managed Identity Contributor

    Reference: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/manage-user-assigned-managed-identities-azure-portal#create-a-user-assigned-managed-identity
