How to use Managed Identity with visual studio user for connecting Cosmos/Storage with Azure Function

Mulchandani, Nitin 26 Reputation points
2021-06-28T17:00:44.267+00:00

I am trying out a couple of examples, one of which talks about connecting Cosmos DB and an Azure Function using access keys, and the other about using a Function with Azure Storage without using access keys. They are mentioned below:

1) Using Cosmos DB with an Azure Function
https://learn.microsoft.com/en-us/azure/cosmos-db/managed-identity-based-authentication

2) Using Storage with an Azure Function
https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad-msi

Both examples work fine when I deploy them to Azure, but when I try to run them locally they don't work.

In both examples I get 401 Unauthorized. In Visual Studio I have added the user through Tools -> Options -> Azure Service Authentication, and the same user is added as a Contributor for the above examples.


1 answer

  1. Siva-kumar-selvaraj 15,631 Reputation points
    2021-06-30T16:00:09.633+00:00

    Hello anonymous user,

    Thanks for reaching out.

    You can't use Managed Identity locally because the security boundary of a managed identity is the Azure resource to which it is attached. For example, the security boundary for a Virtual Machine with managed identities for Azure resources enabled is the Virtual Machine. Any code running on that VM is able to call the managed identities for Azure resources endpoint and request tokens. It is a similar experience with other resources that support managed identities for Azure resources.

    To know more, see "What are managed identities for Azure resources?": https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

    Alternatively, you can register an app (service principal) in Azure AD for authentication and acquire a token to access Azure resources through Visual Studio where the code is running locally.

    Access keys from an Azure Cosmos DB account with AAD Application:
    https://learn.microsoft.com/en-us/azure/cosmos-db/certificate-based-authentication
    Access to blob and queue data with AAD Application:
    https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=dotnet

    Hope this helps.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    3 people found this answer helpful.
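The pattern the answer describes, as an added example that is not part of the original post or of the linked Microsoft docs: build one `TokenCredential` that uses the Function's managed identity when the code runs in Azure and falls through to a registered app (service principal) when it runs locally under Visual Studio, then hand that same credential to the Storage and Cosmos DB clients. It assumes the `Azure.Identity`, `Azure.Storage.Blobs` and `Microsoft.Azure.Cosmos` NuGet packages, and that the service-principal values come from `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET` in `local.settings.json` (names chosen for this example; the `STORAGE_ACCOUNT_URL`, `COSMOS_ENDPOINT`, `COSMOS_DATABASE` and `COSMOS_CONTAINER` settings are likewise assumptions). Whichever identity is used, it needs a data-plane role assignment on the target resource (for example Storage Blob Data Contributor on the storage account and a Cosmos DB built-in data role on the Cosmos account); an ARM role such as Contributor on its own does not grant data-plane access with Azure AD tokens, which is a common cause of 401/403 responses.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;
using Microsoft.Azure.Cosmos;

// Example code added for illustration; not from the original post or the linked docs.
public static class AzureDataAccess
{
    // Managed identity first (only reachable on the Azure resource the identity is attached to);
    // locally that credential is unavailable and the chain falls through to the next entry.
    public static TokenCredential BuildCredential()
    {
        // Assumed setting names for the registered app (service principal) used on the dev box.
        var tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");
        var clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        var clientSecret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET");

        TokenCredential localCredential =
            tenantId != null && clientId != null && clientSecret != null
                ? new ClientSecretCredential(tenantId, clientId, clientSecret)
                // No service-principal settings: use the account signed in under
                // Tools -> Options -> Azure Service Authentication in Visual Studio.
                : new VisualStudioCredential();

        return new ChainedTokenCredential(new ManagedIdentityCredential(), localCredential);
    }

    // Storage access without an account key: the token credential is passed to the client.
    public static async Task<int> CountBlobContainersAsync(TokenCredential credential)
    {
        var accountUrl = new Uri(Environment.GetEnvironmentVariable("STORAGE_ACCOUNT_URL")); // assumed setting
        var blobService = new BlobServiceClient(accountUrl, credential);

        var count = 0;
        await foreach (var container in blobService.GetBlobContainersAsync())
        {
            count++;
        }
        return count;
    }

    // Cosmos DB access with an Azure AD token instead of the account's primary key.
    public static async Task<int> CountItemsAsync(TokenCredential credential)
    {
        var endpoint = Environment.GetEnvironmentVariable("COSMOS_ENDPOINT");   // assumed setting
        var database = Environment.GetEnvironmentVariable("COSMOS_DATABASE");   // assumed setting
        var containerName = Environment.GetEnvironmentVariable("COSMOS_CONTAINER"); // assumed setting

        using var client = new CosmosClient(endpoint, credential);
        var container = client.GetContainer(database, containerName);

        var query = new QueryDefinition("SELECT VALUE COUNT(1) FROM c");
        using var iterator = container.GetItemQueryIterator<int>(query);
        var total = 0;
        while (iterator.HasMoreResults)
        {
            foreach (var partial in await iterator.ReadNextAsync())
            {
                total += partial;
            }
        }
        return total;
    }
}
```

Call `AzureDataAccess.BuildCredential()` once (for example from the Function's startup or a static field) and reuse the returned credential for every client; `ManagedIdentityCredential` throws `CredentialUnavailableException` when no managed-identity endpoint exists, which is what lets the chain fall through on a developer machine without any environment detection code. Keep the client secret out of source control: `local.settings.json` is meant for local-only values, and in Azure the managed identity means no secret is configured at all.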
