azure function ManagedIdentity request exception during GetToken

Question

azure function ManagedIdentity request exception during GetToken

Patrick 0

Since 28. April some of our azure functions suddenly started to get the following exception when calling the system-assigned ManagedIdentity getToken endpoint using the ManagedIdentityCredentials class.

ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.

The error does not occur always, in our development environment it occurs in 1 out of 10 requests. Playing around with the retry policy (as suggested by the error message) did not fix the problem.

Azure.Identity.CredentialUnavailableException: ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint. ---> MSAL.NetCore.4.67.2.0.MsalServiceException: ErrorCode: managed_identity_request_failed Microsoft.Identity.Client.MsalServiceException: Retry failed after 6 tries. Retry settings can be adjusted in ClientOptions.Retry or by configuring a custom retry policy in ClientOptions.RetryPolicy. (An attempt was made to access a socket in a way forbidden by its access permissions. (169.254.169.254:80))

Multiple azure functions that are untouched since multiple months show this behaviour as well as newly created ones.

Expected behavior: ManagedIdentityCredential should successfully get the token and proceed with execution.

Actual behavior: The token cant be aquired leading to an exception and a failed operation.

Reproduction Steps

We use Azure.DigitalTwins.Core 1.4.0 to get data from the Azure Digital Twins service. The DigitalTwinsClient is registered as singleton and gets an instance of ManagedIdentityCredential as TokenCredential new DigitalTwinsClient(new Uri(url), new ManagedIdentityCredential(), ... Later on the client.GetDigitalTwin method is called which triggers the getToken

Environment

Details regarding our DEV environment:

Azure function(s):

.net 8 isolated
32bit
using system assigned managed identity

OS:

Windows
Location: West Europe
Runtime version: 4.1038.300.25164

App service plan:

Pricing: Y1
Zone redundant: Disabled
Consumption

2 answers

Your answer

Answer 1

Hi, this is not an issue with your code; it’s actually a platform bug that was introduced at the end of April. Specifically, it affects Windows Functions running in Consumption or Y1 plans on 32-bit. What happens is that the process responsible for exposing the Managed Identity endpoint (the sidecar that listens on 127.0.0.1) sometimes starts too late, or doesn’t start at all.

When this process fails, the IDENTITY_ENDPOINT environment variable ends up missing. At that point, the SDK (ManagedIdentityCredential) tries to fall back to IMDS by calling <removed address>, but since this IP is blocked on Windows App Service, you get the typical "socket in a way forbidden..." exception.

This is a known issue, already being tracked on GitHub in issues #10189 and #10238 for the Functions runtime.

If you want to confirm whether you're hitting this exact problem, you can open Kudu (Console) while the error is happening and simply run echo %IDENTITY_ENDPOINT%. If it returns empty, you’re indeed facing this specific bug.

The easiest way to get around it is to switch your app to run in 64-bit mode — in that configuration, the sidecar always starts correctly. Alternatively, moving the app to a Linux Consumption or Premium plan also avoids the issue, since Linux directly uses IMDS and doesn’t rely on this sidecar process. There’s also a patch rolling out: if you update your FUNCTIONS_EXTENSION_VERSION to ~4.1045 or newer, that should fix the problem as well. In the meantime, adding some retry logic can help mitigate the symptoms, even if it doesn’t solve the root cause.

As general advice, it’s a good idea to reuse a single instance of DigitalTwinsClient or HttpClient per process, to avoid exhausting available ports, and make sure Always On is enabled if you're using Dedicated or Premium plans. Lastly, I’d recommend keeping an eye on Azure Service Health and the GitHub thread to follow the official progress on the fix.

Once you switch to 64-bit (or to Linux), token requests should go back to 100% success and the exception will disappear.

Let me know if you need help applying the workaround.

Patrick 0 Reputation points

2025-05-14T14:39:42.5866667+00:00

Thank you very much for the information, this topic has been on my mind for far too long.

I switched multiple functions to 64bit and so far the error has not occurred again

Is there a general recommendation whether .net 8+ isolated functions should be run in 32 or 64bit?

Would it be an idea to run all functions in 64 bit or would that increase the memory consumption considerably?

Thanks !
Loknathsatyasaivarma Mahali 2,740 Reputation points Microsoft External Staff Moderator

2025-05-16T13:34:40.1833333+00:00

Hello Patrick,

For .NET 8+ isolated Azure Functions, it is recommended to run in 64-bit mode rather than 32-bit. Running in 64-bit ensures better performance, supports larger memory allocations, and avoids issues such as increased cold start times and memory limitations inherent to 32-bit (which is capped at 2 GB). You can configure this using the Azure CLI by setting --use-32bit-worker-process to false. For more details, refer to the official Microsoft documentation: Isolated Process Guide and In-Process vs Isolated Differences.
Patrick 0 Reputation points

2025-05-21T07:15:54.29+00:00

Hey,

Unfortunately, the problem with the managed identity remained even after the switch to 64bit.

Any more advice?

And because cold starts have been mentioned, timeouts during cold start exceptions are also occurring more frequently. (https://github.com/Azure/azure-functions-dotnet-worker/issues/2610)

Thanks !
Patrick 0 Reputation points

2025-06-17T09:16:34.6166667+00:00

Hey @Michele Ariis @Loknathsatyasaivarma Mahali

The error still occurs after switching to 64 bit (runtime version: 4.1040.200.25278)

I also checked the IDENTITY_ENDPOINT environment variable

It is set to a 127.0.0.1:something, butI still get the same error and calls IMDS via http://169.254.169.254/

Any more ideas?

It regularly disrupts our processes ...

Answer 2

Suresh Chikkam 2,135 Microsoft External Staff Moderator

Hi Patrick,

If you’ve already moved your Azure Functions to 64-bit and are still seeing Managed Identity errors, the next thing to try is updating your function app to the latest version of the Azure Functions runtime. In the Azure Portal, set FUNCTIONS_EXTENSION_VERSION to the newest value available, for example ~4.1045 or higher. After making this change, make sure to restart your function app completely. A full restart is important to load the new runtime and properly set up Managed Identity.

If updating and restarting don’t fix it, consider switching your function app to a Premium plan (like EP1). Premium plans keep your app running all the time and usually avoid these Managed Identity issues and cold start delays.

Also, check your function app’s configuration for any special networking settings, like VNet integration or outbound restrictions. Sometimes these settings can block access to the Managed Identity endpoint and cause token errors.

If you do these steps and the problem still happens, try logging the values of IDENTITY_ENDPOINT and IDENTITY_HEADER when your function starts. If those values are missing, it shows there’s an Azure platform problem with Managed Identity for the app instance.

Patrick 0 Reputation points

2025-05-26T06:47:39.91+00:00

Setting the FUNCTIONS_EXTENSION_VERSION to ~4.1045 did not modify the runtime version that is visible in the overview. Multiple restarts and even redeploys did not change anything.

Could it be that this version is not available in my region (west europe) currently?
Bodapati Harish 820 Reputation points Microsoft External Staff Moderator

2025-05-26T14:26:30.05+00:00

Hello Patrick,

Thanks for the update, Yes, it’s very likely that version ~4.1045 hasn’t rolled out to the West Europe region yet. These updates are released in phases across regions, so the new version may not be available there at the moment ,after restarts or redeploys.

You can monitor it over the next few days and retry once it becomes available.
Patrick 0 Reputation points

2025-06-16T08:13:40.8633333+00:00

Hey @Suresh Chikkam and @Bodapati Harish

The issue is still occuring regularly and the version ~4.1045 is still not available in region west europe...

The environment variables get set properly, but the managed identity class still calls IMDS and fails randomly.

Any ideas how to continue with this error ?

It regularly disrupts our processes and became very annoying in the meantime.
Bodapati Harish 820 Reputation points Microsoft External Staff Moderator

2025-06-27T10:05:38.98+00:00
Hello Patrick,

The error ManagedIdentityCredential authentication unavailable… (169.254.169.254:80) happens because on 32-bit Windows Consumption/Y1 plans the little sidecar that serves the local identity endpoint sometimes never starts. the SDK then falls back to IMDS at 169.254.169.254, which is blocked in the Windows sandbox, so token calls randomly fail.

switch your Function App to 64-bit Windows (Configuration > General settings > Platform > 64-bit) or move to Linux Consumption or a Premium plan (EP1+)—these environments either launch the sidecar reliably or bypass it altogether.

if you can’t leave 32-bit right now, add this at startup to wait for the sidecar and retry token fetch:

var start = DateTime.UtcNow; while (string.IsNullOrEmpty(Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT")) && DateTime.UtcNow - start < TimeSpan.FromSeconds(30)) await Task.Delay(500); int attempts = 0; while (true) { try { return await digitalTwinsClient.GetDigitalTwinAsync("myTwinId"); } catch (CredentialUnavailableException) when (attempts++ < 5) { await Task.Delay(TimeSpan.FromSeconds(Math.Pow(2, attempts))); } }

once West Europe gets runtime ~4.1045+ you’ll see that version in the portal and the intermittent failures will stop.
Patrick 0 Reputation points

2025-06-27T10:58:13.5+00:00

@Bodapati Harish Thanks for the info

However, its incorrect

As mentioned above, I switched all functions to 64bit and the problem still persists.

I also checked the IDENTITY_ENDPOINT environment variable. It is set to a 127.0.0.1:something, but still get the same error and calls IMDS via http://169.254.169.254/

Can you tell me when the runtime version ~4.1045+ will be available in west europe ?

Share via

azure function ManagedIdentity request exception during GetToken

Reproduction Steps

Environment

2 answers

Your answer