Setting a storage account's "Allow storage account key access" to disabled breaks function deployments.

Question

Setting a storage account's "Allow storage account key access" to disabled breaks function deployments.

Demougin, Matthew W 25

I've been requested to disable storage account key access on a set of storage accounts. Doing so results in an inability to deploy the azure function that is connected to the storage account.

When the account is set to enable storage account key access it works.

User's image

When I switch to Disabled, it breaks:

User's image

It has the following error:

User's image

This URL leads to User's image

because disable also disconnects the storage account and function

User's image

It's hard for me to believe that this combination simply doesn't work in Azure. Any help getting this setup would be greatly appreciated.

Thanks!

Silvia Wibowo 6,046 Reputation points Microsoft Employee Volunteer Moderator

2025-03-10T22:49:25.77+00:00

Hi @Demougin, Matthew W , I understand that you have a requirement to disable storage account keys. However, your Azure Functions stop working when you disable storage account keys.

By default, function apps configure the AzureWebJobsStorage connection as a connection string stored in the AzureWebJobsStorage application setting, but you can also configure AzureWebJobsStorage to use an identity-based connection without a secret.

Caution: Other components in Functions rely on AzureWebJobsStorage for default behaviors. You should not move it to an identity-based connection if you are using older versions of extensions that do not support this type of connection, including triggers and bindings for Azure Blobs, Event Hubs, and Durable Functions. Similarly, AzureWebJobsStorage is used for deployment artifacts when using server-side build in Linux Consumption, and if you enable this, you will need to deploy via an external deployment package.

In addition, your function app might be reusing AzureWebJobsStorage for other storage connections in their triggers, bindings, and/or function code. Make sure that all uses of AzureWebJobsStorage are able to use the identity-based connection format before changing this connection from a connection string.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Syed Aaqid Ali 580 Reputation points Microsoft External Staff Volunteer Moderator

2025-03-11T00:39:43.7233333+00:00

Hi Demougin, Matthew W,

I hope the answer provided by Silvia Wibowo is helpful. Kindly let me know if you have any questions.

Moreover, When Allow storage account key access is disabled, any requests to the account that are authorized with Shared Key, including shared access signatures (SAS), will be denied.

For more information see https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
Demougin, Matthew W 25 Reputation points

2025-03-11T15:54:00.16+00:00

According to the guide you sent me, the only thing I should need to do to make this work is grant the roles to the function app in the storage account, and switch to the _accountName variable, both of which I've done. Any ideas on why that isn't sufficient? Is it because I'm using the hierarchical namespace as a datalake possibly?
Silvia Wibowo 6,046 Reputation points Microsoft Employee Volunteer Moderator

2025-03-11T21:10:46.05+00:00
Hi @Demougin, Matthew W , please clarify:

What role(s) did you assign to Azure Function's managed identity?

Did you use system-assigned managed identity?

Did you set app settings for AzureWebJobsStorage__blobServiceUri?

As you mentioned you use HNS-enabled Azure Blob storage, did you enable Access control lists (ACLs) in Azure Data Lake Storage?

Did you try setting Common properties for identity-based connections?
Syed Aaqid Ali 580 Reputation points Microsoft External Staff Volunteer Moderator

2025-03-11T22:50:04.02+00:00
Demougin, Matthew W, adding to Silvia, to access blob data in the Azure storage with Microsoft Entra credentials, a user/Identity must have the following role assignments:

A data access role, such as Storage Blob Data Reader or Storage Blob Data Contributor

The Azure Resource Manager Reader role, at a minimum

When you assign roles, it can take up to 10 minutes for changes to take effect. If you set the appropriate allow permissions to access data via Microsoft Entra ID and are unable to access the data, for example you're getting an "AuthorizationPermissionMismatch" error. Be sure to allow enough time for the permissions changes you made in Microsoft Entra ID to replicate and be sure that you don't have any deny assignments that block your access, see Understand Azure deny assignments.

For more information check Authorize access to blobs using Microsoft Entra ID and Assign an Azure role for access to blob data
Syed Aaqid Ali 580 Reputation points Microsoft External Staff Volunteer Moderator

2025-03-12T21:08:23.5633333+00:00

Hello Demougin, Matthew W,

Checking to see whether you have resolved the issue with the solution provided above, or if you need any further assistance, please let us know.
Syed Aaqid Ali 580 Reputation points Microsoft External Staff Volunteer Moderator

2025-03-13T18:32:58.3333333+00:00

Hi Demougin, Matthew W,

I wanted to follow up and see if the solution proposed helped (pointed you in the right direction) > please do not forget to “up-vote”. which might be beneficial to other community members reading this thread. And, if you have any further queries do let us know.
Demougin, Matthew W 25 Reputation points

2025-03-13T20:18:04.07+00:00

Hello, unfortunately I've not been able to attempt any further solutions, but hope to get back to this early next week. Thank you.
Demougin, Matthew W 25 Reputation points

2025-03-17T16:53:00.6766667+00:00

Hello, I still have not gotten this to work. I was looking at:

https://learn.microsoft.com/en-us/azure/azure-functions/functions-reference?tabs=eventgrid&pivots=programming-language-python#common-properties-for-identity-based-connections

I saw this bit:

When running in a Consumption or Elastic Premium plan, your app uses the WEBSITE_AZUREFILESCONNECTIONSTRING and WEBSITE_CONTENTSHARE settings when connecting to Azure Files on the storage account used by your function app. Azure Files doesn't support using managed identity when accessing the file share. For more information, see Azure Files supported authentication scenarios

I'm interpreting this as meaning if I'm running an Elastic Premium plan (which I am), this configuration simply does not work. Is that correct?
Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator

2025-03-17T21:10:15.8866667+00:00

Hello Demougin, Matthew W,

Yes, you are correct when using an Elastic Premium plan or Consumption plan for Azure Functions, you cannot use managed identity for accessing Azure Files. Specifically, the settings WEBSITE_AZUREFILESCONNECTIONSTRING and WEBSITE_CONTENTSHARE are used in these plans for connecting to Azure Files, and Azure Files does not support using managed identities in this context.

So, in your case, if your Azure Functions app is on an Elastic Premium plan, you won’t be able to use managed identity to authenticate to Azure Files directly. Instead, you must rely on other forms of authentication, like using connection strings or a storage account key.
Silvia Wibowo 6,046 Reputation points Microsoft Employee Volunteer Moderator

2025-03-17T23:18:49.19+00:00

Hi @Demougin, Matthew W , you mentioned you have HNS-enabled Azure Blob storage. If that's accurate, then you wouldn't worry about "Azure Files doesn't support using managed identity when accessing the file share."

Is it Azure Blob or Azure Files that you're using with Azure Function?
Demougin, Matthew W 25 Reputation points

2025-03-18T13:26:39.0133333+00:00

It's an Azure Blob Storage with HNS enabled. But, I know that the function deploys website files to the files directory so I don't know how the two interact if the files cannot be read without the access key.
Syed Aaqid Ali 580 Reputation points Microsoft External Staff Volunteer Moderator

2025-03-20T20:10:14.32+00:00

Hi @Demougin, Matthew W,

Based on my understanding of your comment, it appears that you are utilizing an ADLS Gen2 account, where the function is responsible for deploying website files to a specific directory. If this is the case, you can manage access to the container or directories by leveraging Access Control Lists (ACLs) or Managed Identity. For more details, refer to the documentation on Access control lists (ACLs) in Azure Data Lake Storage.

However, if your Azure Functions app communicates with Azure File Storage using Access Keys and you intend to switch to a different authorization method, such as Managed Identity, you will not be able to authenticate directly to Azure Files using Managed Identity. In this case, you will need to rely on alternative authentication methods, such as using connection strings or a storage account key.
Demougin, Matthew W 25 Reputation points

2025-03-21T12:40:14.8333333+00:00

The only connection strings I'm familiar with involve shared access keys, which I'm trying to move away from. Is there a different connection string authentication type available?

Accepted answer

0 additional answers

Your answer

Silvia Wibowo 6,046 Reputation points Microsoft Employee Volunteer Moderator

2025-03-10T22:49:25.77+00:00

Hi @Demougin, Matthew W , I understand that you have a requirement to disable storage account keys. However, your Azure Functions stop working when you disable storage account keys.

By default, function apps configure the AzureWebJobsStorage connection as a connection string stored in the AzureWebJobsStorage application setting, but you can also configure AzureWebJobsStorage to use an identity-based connection without a secret.

Caution: Other components in Functions rely on AzureWebJobsStorage for default behaviors. You should not move it to an identity-based connection if you are using older versions of extensions that do not support this type of connection, including triggers and bindings for Azure Blobs, Event Hubs, and Durable Functions. Similarly, AzureWebJobsStorage is used for deployment artifacts when using server-side build in Linux Consumption, and if you enable this, you will need to deploy via an external deployment package.

In addition, your function app might be reusing AzureWebJobsStorage for other storage connections in their triggers, bindings, and/or function code. Make sure that all uses of AzureWebJobsStorage are able to use the identity-based connection format before changing this connection from a connection string.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Syed Aaqid Ali 580 Reputation points Microsoft External Staff Volunteer Moderator

2025-03-11T00:39:43.7233333+00:00

Hi Demougin, Matthew W,

I hope the answer provided by Silvia Wibowo is helpful. Kindly let me know if you have any questions.

Moreover, When Allow storage account key access is disabled, any requests to the account that are authorized with Shared Key, including shared access signatures (SAS), will be denied.

For more information see https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
Demougin, Matthew W 25 Reputation points

2025-03-11T15:54:00.16+00:00

According to the guide you sent me, the only thing I should need to do to make this work is grant the roles to the function app in the storage account, and switch to the _accountName variable, both of which I've done. Any ideas on why that isn't sufficient? Is it because I'm using the hierarchical namespace as a datalake possibly?
Silvia Wibowo 6,046 Reputation points Microsoft Employee Volunteer Moderator

2025-03-11T21:10:46.05+00:00

Hi @Demougin, Matthew W , please clarify:

What role(s) did you assign to Azure Function's managed identity?

Did you use system-assigned managed identity?

Did you set app settings for AzureWebJobsStorage__blobServiceUri?

As you mentioned you use HNS-enabled Azure Blob storage, did you enable Access control lists (ACLs) in Azure Data Lake Storage?

Did you try setting Common properties for identity-based connections?
Syed Aaqid Ali 580 Reputation points Microsoft External Staff Volunteer Moderator

2025-03-11T22:50:04.02+00:00

Demougin, Matthew W, adding to Silvia, to access blob data in the Azure storage with Microsoft Entra credentials, a user/Identity must have the following role assignments:

A data access role, such as Storage Blob Data Reader or Storage Blob Data Contributor

The Azure Resource Manager Reader role, at a minimum

When you assign roles, it can take up to 10 minutes for changes to take effect. If you set the appropriate allow permissions to access data via Microsoft Entra ID and are unable to access the data, for example you're getting an "AuthorizationPermissionMismatch" error. Be sure to allow enough time for the permissions changes you made in Microsoft Entra ID to replicate and be sure that you don't have any deny assignments that block your access, see Understand Azure deny assignments.

For more information check Authorize access to blobs using Microsoft Entra ID and Assign an Azure role for access to blob data
Syed Aaqid Ali 580 Reputation points Microsoft External Staff Volunteer Moderator

2025-03-12T21:08:23.5633333+00:00

Hello Demougin, Matthew W,

Checking to see whether you have resolved the issue with the solution provided above, or if you need any further assistance, please let us know.
Syed Aaqid Ali 580 Reputation points Microsoft External Staff Volunteer Moderator

2025-03-13T18:32:58.3333333+00:00

Hi Demougin, Matthew W,

I wanted to follow up and see if the solution proposed helped (pointed you in the right direction) > please do not forget to “up-vote”. which might be beneficial to other community members reading this thread. And, if you have any further queries do let us know.
Demougin, Matthew W 25 Reputation points

2025-03-13T20:18:04.07+00:00

Hello, unfortunately I've not been able to attempt any further solutions, but hope to get back to this early next week. Thank you.
Demougin, Matthew W 25 Reputation points

2025-03-17T16:53:00.6766667+00:00

Hello, I still have not gotten this to work. I was looking at:

https://learn.microsoft.com/en-us/azure/azure-functions/functions-reference?tabs=eventgrid&pivots=programming-language-python#common-properties-for-identity-based-connections

I saw this bit:

When running in a Consumption or Elastic Premium plan, your app uses the WEBSITE_AZUREFILESCONNECTIONSTRING and WEBSITE_CONTENTSHARE settings when connecting to Azure Files on the storage account used by your function app. Azure Files doesn't support using managed identity when accessing the file share. For more information, see Azure Files supported authentication scenarios

I'm interpreting this as meaning if I'm running an Elastic Premium plan (which I am), this configuration simply does not work. Is that correct?
Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator

2025-03-17T21:10:15.8866667+00:00

Hello Demougin, Matthew W,

Yes, you are correct when using an Elastic Premium plan or Consumption plan for Azure Functions, you cannot use managed identity for accessing Azure Files. Specifically, the settings WEBSITE_AZUREFILESCONNECTIONSTRING and WEBSITE_CONTENTSHARE are used in these plans for connecting to Azure Files, and Azure Files does not support using managed identities in this context.

So, in your case, if your Azure Functions app is on an Elastic Premium plan, you won’t be able to use managed identity to authenticate to Azure Files directly. Instead, you must rely on other forms of authentication, like using connection strings or a storage account key.
Silvia Wibowo 6,046 Reputation points Microsoft Employee Volunteer Moderator

2025-03-17T23:18:49.19+00:00

Hi @Demougin, Matthew W , you mentioned you have HNS-enabled Azure Blob storage. If that's accurate, then you wouldn't worry about "Azure Files doesn't support using managed identity when accessing the file share."

Is it Azure Blob or Azure Files that you're using with Azure Function?
Demougin, Matthew W 25 Reputation points

2025-03-18T13:26:39.0133333+00:00

It's an Azure Blob Storage with HNS enabled. But, I know that the function deploys website files to the files directory so I don't know how the two interact if the files cannot be read without the access key.
Syed Aaqid Ali 580 Reputation points Microsoft External Staff Volunteer Moderator

2025-03-20T20:10:14.32+00:00

Hi @Demougin, Matthew W,

Based on my understanding of your comment, it appears that you are utilizing an ADLS Gen2 account, where the function is responsible for deploying website files to a specific directory. If this is the case, you can manage access to the container or directories by leveraging Access Control Lists (ACLs) or Managed Identity. For more details, refer to the documentation on Access control lists (ACLs) in Azure Data Lake Storage.

However, if your Azure Functions app communicates with Azure File Storage using Access Keys and you intend to switch to a different authorization method, such as Managed Identity, you will not be able to authenticate directly to Azure Files using Managed Identity. In this case, you will need to rely on alternative authentication methods, such as using connection strings or a storage account key.
Demougin, Matthew W 25 Reputation points

2025-03-21T12:40:14.8333333+00:00

The only connection strings I'm familiar with involve shared access keys, which I'm trying to move away from. Is there a different connection string authentication type available?

Answer 1

Silvia Wibowo 6,046 Microsoft Employee Volunteer Moderator

Hi @Demougin, Matthew W , based on your statement, I understand that your Azure Functions:

Uses Azure Blob Storage with HNS enabled.
Deploys website files to Azure Files.

#1 use case: HNS-enabled Azure Blob Storage supports authentication based on managed identity.

#2 use case: Azure Files doesn't support using managed identity when accessing the file share. It needs to use storage account connection string, which is based on storage account keys.

Because of #2, you need to configure an exception in MDFC (Microsoft Defender for Cloud) that all storage accounts related to Azure Functions that uses Azure Files, need to allow access to storage account keys. That's a requirement for Azure Files to work.

Demougin, Matthew W 25 Reputation points

2025-03-24T11:37:42.99+00:00

Sounds good. Thank you
Syed Aaqid Ali 580 Reputation points Microsoft External Staff Volunteer Moderator

2025-03-24T23:36:14.2233333+00:00

Hi Demougin, Matthew W,

Checking, if the solution provided by Silvia is helpful or require further assistance?

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
Syed Aaqid Ali 580 Reputation points Microsoft External Staff Volunteer Moderator

2025-03-25T21:32:03.2266667+00:00

Hi Demougin, Matthew W,

I wanted to follow up and see if the solution proposed helped (pointed you in the right direction) > please do not forget to “up-vote”. which might be beneficial to other community members reading this thread. And, if you have any further queries do let us know.

Share via

Setting a storage account's "Allow storage account key access" to disabled breaks function deployments.

0 additional answers

Your answer