App Registration Authentication (Preview) - Impact on Managed Identity Integration among function apps

Question

App Registration Authentication (Preview) - Impact on Managed Identity Integration among function apps

Pesala, Nikitha 20

Question:

We are implementing a Managed Identity for secure service-to-service communication between two Azure Function Apps. Our setup involves:

Function App A (Caller):

• System-Assigned Managed Identity enabled

• Timer-triggered function requesting JWT tokens

Function App B (Callee):

• Azure AD Authentication configured via Authentication blade in function app

• HTTP-triggered function validating JWT tokens

Configuration Process:

Navigate to Authentication blade → Add identity provider → Microsoft
Create new app registration (Single tenant)
Require authentication with HTTP 401 for unauthenticated requests
Use Application ID URI as audience in caller's token requests

User's image

Concern: When we open app registration after the above process The Authentication blade shows (Preview) status in the Azure Portal.

Questions:

Will the preview status of the Authentication blade affect the reliability or functionality of our Managed Identity authentication flow?
Are there any known limitations or potential issues when using preview Authentication features with System-Assigned Managed Identity?
Is this configuration considered production-ready, or should we implement an alternative approach for production workloads?

Current Flow: Caller uses DefaultAzureCredential → Requests token with Application ID URI scope → Includes JWT as Bearer token → Callee validates via Azure AD authentication.

Please advise if the preview status impacts this implementation or if there are recommended best practices for production environments.

Reference link: Managed identity for Authentication among Azure Function App / App Services

Rakesh Mishra 9,340 Reputation points Microsoft External Staff Moderator

2025-11-28T12:25:37.2366667+00:00

Hi @Pesala, Nikitha , following up to see if you had a chance to check my previous response and if it was helpful. Please do let me know if you're still facing the issue and need any further assistance on this.

Please accept as Yes if the answer is helpful so that it can help others in the community.

Answer accepted by question author

0 additional answers

Your answer

Rakesh Mishra 9,340 Reputation points Microsoft External Staff Moderator

2025-11-28T12:25:37.2366667+00:00

Hi @Pesala, Nikitha , following up to see if you had a chance to check my previous response and if it was helpful. Please do let me know if you're still facing the issue and need any further assistance on this.

Please accept as Yes if the answer is helpful so that it can help others in the community.

Answer 1

Hi @Pesala, Nikitha ,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

1. Will the preview Authentication blade affect the reliability or functionality of our Managed Identity authentication flow?

No, the managed identity runtime (system-assigned/user-assigned), its service principal/token behavior and access model are platform features and are not changed by a portal UI being in preview.
Portal/Blade changes affect management UX only; the runtime token issuance and SDK behavior (for example when your app calls IMDS / DefaultAzureCredential) remain the same.

2. Any known limitations or potential issues when using preview Authentication features with system-assigned managed identity?

There are no inherent functional limits to the managed identity itself just because an authentication blade is preview — but preview features can have limited capabilities, regional rollouts, and may change before GA. Treat preview UI features as unstable for automation.
Practical risks: documentation may lag, support may be best-effort for preview features, and UI workflows can change — so scripts/runbooks that depend on a preview UI could break.
Verification steps you should run (non-prod) to be safe: ensure the MI service principal exists, request a token from the MI endpoint (IMDS/SDK), and validate RBAC access — these validate the auth flow independently of the portal UI.

3. Production readiness — is this configuration production-ready, or should we use an alternative for production workloads?

Short answer: Use the managed identity feature in production, but don’t rely on preview UI features as your only path for production configuration or automation.

Use managed identities in production, the capability itself is GA and intended for production use (recommended pattern to avoid secrets).
Don’t rely exclusively on a Preview portal workflow for production automation or critical runbooks. For production, provision/configure/automate via GA-supported methods (ARM templates, CLI, PowerShell, REST) or the GA portal blades.

Recommended production checklist:

Provision and assign the system-assigned managed identity (ARM/CLI/Portal GA blade).
Grant RBAC to the MI (Storage, Key Vault, etc.) and verify access with a token request from the app.
Use SDKs that support managed identity token acquisition (Azure.Identity / DefaultAzureCredential) and add runtime tests in staging.
Avoid building automation that depends only on a preview portal workflow — use supported APIs/ARM/CLI for automation.

Pesala, Nikitha 20 Reputation points

2025-11-26T14:06:36.6466667+00:00

Hi Rakesh Mishra,

Thank you for the clarification. Let me be more specific about my concern regarding the App Registration Authentication blade (Preview).

My Workflow:

Function App B → Authentication blade → Add identity provider → Microsoft

This creates an App Registration in Azure AD

I go to Azure AD → App registrations → My created app

I extract the Application ID URI from "Expose an API" blade (e.g., api://xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx)

However, I notice: When I'm in the App Registration, the "Authentication" blade shows "(Preview)" status.

My Specific Concern:

• I'm NOT using the Authentication blade in the App Registration

• I'm ONLY using the "Expose an API" blade to get the Application ID URI

• But I'm concerned that since the Authentication blade in App Registration is in Preview, it might affect the overall App Registration stability or the Application ID URI format
Rakesh Mishra 9,340 Reputation points Microsoft External Staff Moderator

2025-11-26T16:31:46.7166667+00:00

Hi @Pesala, Nikitha , no, it will not impact. The Authentication (Preview) blade is a portal/management experience. It does not alter the underlying application object or service principal that controls runtime auth.

If you do not want or like the new UI, you can switch back to old as highlighted below.

Expose an API is authoritative for Application ID URI — the Application ID URI is created/visible under Expose an API; reading it there is the correct source of truth. Preview blade won’t change the App ID URI format

Share via

App Registration Authentication (Preview) - Impact on Managed Identity Integration among function apps

1. Will the preview Authentication blade affect the reliability or functionality of our Managed Identity authentication flow?

2. Any known limitations or potential issues when using preview Authentication features with system-assigned managed identity?

3. Production readiness — is this configuration production-ready, or should we use an alternative for production workloads?

Recommended production checklist:

0 additional answers

Your answer