This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 93%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Hello,
I am testing Azure Functions to execute a PowerShell script
The AZ Function performs storage operations (copy/move/delete).
The service principal is used for auth of services (AZ Function/Storage)
The Storage firewall is enabled, Az Function Public IPs are whitelisted on the storage firewall and working well with Environment-A
The Azure Function executes well in one of the Environment-A, but the problem occurs in Environment-B.
The configuration is similar and in place,
Troubleshooting:
As the Storage firewall is enabled in Environment-A and Environment-B,
We changed the Firewall to allow all networks and it worked as Environment-A,
and when selecting the option "Enabled from selected VNET and IPs" we are facing the issue as the image attached, the AZ Function IPs are whitelisted.
Thanks
Gaurav
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 36%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Singh Gaurav
I am reaching out to see if you have any further questions. If so, please let us know and we will be glad to assist further. If the below answer was helpful, please make sure to Accept it as answer as it helps other members in the community. Thank you!
We noticed your have rated low on one of the answer as not helpful. Thank you for taking time to share feedback.
Requesting you to check recent answer provided by SaiKishor-MSFT to see if that is helpful.
We are here to help you and strive to make your experience better and greatly value your feedback. If the answer is helpful, request you to take a resurvey.
Looking forward to your reply. Much appreciate your feedback!
We noticed your have rated low on one of the answer as not helpful. Thank you for taking time to share feedback.
Requesting you to check recent answer provided by SaiKishor-MSFT to see if that is helpful.
We are here to help you and strive to make your experience better and greatly value your feedback. If the answer is helpful, request you to take a resurvey.
Looking forward to your reply. Much appreciate your feedback!
Based on the error message, it seems the issue is with the authorization. I believe there is a problem in the service principal configuration, can you double check that part and post results here.
Verified the service principal configuration and it all looks good, observing the same issue.
@Singh, Gaurav
This error message indicates that the Azure Function is not authorized to access the storage account. This could be because the Azure Function's managed identity is not granted the required permissions on the storage account.
To fix this issue, you can grant the Azure Function's managed identity the required permissions on the storage account using the Azure portal or Azure PowerShell.
Alternatively, you can use the following Azure PowerShell cmdlets to grant the Azure Function's managed identity the required permissions on the storage account:
$storageAccount = Get-AzStorageAccount -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" $functionApp = Get-AzFunctionApp -ResourceGroupName "myresourcegroup" -Name "myfunctionapp" $roleAssignment = New-AzRoleAssignment -ObjectId $functionApp.Identity.PrincipalId -RoleDefinitionName "Storage Blob Data Contributor" -Scope $storageAccount.Id
After granting the required permissions, try accessing the storage account again from the Azure Function to see if the issue is resolved.
Please let us know if you have any more questions and we will be glad to assist you further. Thank you!
Remember:
Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Want a reminder to come back and check responses? Here is how to subscribe to a notification.
We will be using service principal
we are using service principal configuration for this setup.
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
@Gaurav Thanks for the update! I am reaching out to you offline to further troubleshoot this issue. Thanks!
@Singh, Gaurav After some research, I was able to confirm that Azure Functions uses private IPs when traversing the same region within Azure and uses Public IPs when traversing inter-region. Therefore, using Public IPs to control access will not work at this time.
Alternate solutions would be-
Hope this helps. Please let us know if you have any more questions and we will be glad to assist you further. Thank you!