Azure Function App does not bind Identity correctly under Deployment section

Felipe Agrela 0 Reputation points
2025-05-27T19:00:38.2866667+00:00

We have a container function app being deployed and we have System Assigned identity enabled on it. During the deployment we have a group with the Acr Pull role and we associate that function with this group. When the deployment finishes, it does not work correctly because the Identity dropdown list under the Deployment section is blank and not system assigned as it should be.

Azure Functions
An Azure service that provides an event-driven serverless compute platform.

1 answer

  1. Gaurav Kumar 785 Reputation points Moderator
    2025-06-02T12:00:25.1466667+00:00

    Hi Felipe Agrela,

    Apologies for the delayed response. I’ve reviewed your issue.

    This problem typically occurs when the Deployment Center UI does not correctly bind the system-assigned managed identity, even though it is enabled and has appropriate ACR permissions. Group-based role assignments (like AcrPull) often do not resolve immediately or aren't interpreted properly by the Deployment Center during deployment.

    Try the workaround below to resolve the issue:

    Use Azure CLI to Explicitly Bind Identity and Assign Role

    Confirm System-Assigned Identity Is Enabled

    az functionapp identity show --name gcm-investmentsrqf-dev --resource-group <RsrGrpNme>

    Ensure "principalId" is returned; it confirms the identity is enabled.

    Assign AcrPull Role Directly to Identity

    Avoid relying on group membership; assign the AcrPull role directly:

    az acr show --name <acr-name> --query id --output tsv
    az role assignment create --assignee <principal-id> --role AcrPull --scope <acr-resource-id>
    

    Explicitly Enable Managed Identity for Deployment Center

    az functionapp deployment container config --name gcm-investmentsrqf-dev --resource-group <RsrGrpNme> --enable-managed-identity true
    

    Manually Set Image and Tag in Deployment Center

    Managed Identity disables automatic population of image/tag fields. Manually enter:

    • Image: <acr-name>.azurecr.io/<image-name>
    • Tag: latest or your specific tag

    After completing the above steps:

    • Refresh the Deployment Center in the Azure Portal
    • Confirm the Identity is correctly shown
    • Restart the Function App or trigger a deployment
    • Monitor logs to verify that the container image is pulled successfully

    For more details, please refer to the following Microsoft documentation: Authenticate with ACR using managed identity, Configure container deployment (CLI), Assign roles using Azure CLI.

    By following the steps above, the identity binding issue in the Deployment Center will be resolved, and your Function App should successfully pull images from Azure Container Registry.

    Hope it helps!


    Please do not forget to click "Accept the answer" and Yes wherever the information provided helps you; this can be beneficial to other community members.

    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
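
A read-only check of the preconditions described in the answer above, as an added example that is not part of the original answer or any Microsoft tool: it inspects the parsed JSON from `az functionapp identity show`, `az role assignment list --scope <acr-resource-id> --include-inherited` and `az functionapp config show`. The `acrUseManagedIdentityCreds` and `linuxFxVersion` site-config fields are not mentioned in the thread, and every GUID and resource name in the sample data is a constructed placeholder.

```python
def check_acr_pull_preconditions(identity, assignments, site_config, acr_id):
    """Return a list of findings; an empty list means every check passed."""
    principal = (identity or {}).get("principalId")
    if not principal:
        return ["system-assigned identity is not enabled (no principalId)"]
    findings = []

    def covers(scope):
        # A role assignment applies at its own scope and everything beneath it.
        s, target = scope.rstrip("/").lower(), acr_id.lower()
        return target == s or target.startswith(s + "/")

    acr_pull = [a for a in assignments
                if a.get("roleDefinitionName") == "AcrPull" and covers(a.get("scope", ""))]
    direct = [a for a in acr_pull if a.get("principalId") == principal]
    groups = [a for a in acr_pull if a.get("principalType") == "Group"]
    if not direct:
        msg = "no AcrPull assignment made directly to the app's principalId"
        if groups:
            msg += f" ({len(groups)} group assignment(s) found; membership not verified)"
        findings.append(msg)

    # Site config must tell the platform to use the identity for registry pulls.
    if not site_config.get("acrUseManagedIdentityCreds"):
        findings.append("acrUseManagedIdentityCreds is not true in the site config")
    # linuxFxVersion has the form "DOCKER|<registry>/<image>:<tag>".
    image = (site_config.get("linuxFxVersion") or "").partition("|")[2]
    registry = acr_id.rsplit("/", 1)[-1].lower() + ".azurecr.io/"
    if not image.lower().startswith(registry):
        findings.append(f"configured image {image!r} is not in {registry}")
    return findings

# Constructed sample data (placeholders, not values from the original post).
RG_ID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
ACR_ID = RG_ID + "/providers/Microsoft.ContainerRegistry/registries/demoacr"
IDENTITY = {"principalId": "11111111-1111-1111-1111-111111111111", "type": "SystemAssigned"}
GROUP_ONLY = [{"principalId": "22222222-2222-2222-2222-222222222222",
               "principalType": "Group", "roleDefinitionName": "AcrPull", "scope": ACR_ID}]
SITE_CONFIG = {"acrUseManagedIdentityCreds": False,
               "linuxFxVersion": "DOCKER|demoacr.azurecr.io/func-app:latest"}

if __name__ == "__main__":
    for finding in check_acr_pull_preconditions(IDENTITY, GROUP_ONLY, SITE_CONFIG, ACR_ID):
        print("FAIL:", finding)
```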

