Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
Function app with system assigned identity has developed issue where Keyvault references in Environment Variables no longer resolve
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 61%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDH%3C/text%3E%3C/svg%3E)
Del Hamilton
0
Reputation points
I've been working with a number of function apps over the past week, most have one or more environment variable values in the format "@Microsoft.KeyVault(VaultName={my-vault-name};SecretName={secret})". After working fine all last week, today two of the functions have run into an issue where they are unable to resolve these values and therefore the function apps crash. In the Environment variables portal blade of the function app there is the error icon and Key vault link - when pressed it shows the details and OtherReasons as the issue. I have, I think, carefully compared the function with others that are working correctly and they match exactly. In the Identity blade, I checked permissions and it confirms that the identity has the role "Key Vault Secrets User" to Keyvault. In Keyvault, In Keyvault, IAM, Role assignments, the function app identity is listed with the same role as other function apps where there is no issue.
I am at a loss to understand why this has just stopped working without any changes, that I'm aware of.
Azure Key Vault
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 65%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Pravallika KV 17,025 Reputation points Microsoft External Staff Moderator2026-06-15T21:03:16.1166667+00:00 Hi @Del Hamilton ,
Thanks for reaching out to Microsoft Q&A.
This usually happens when Key Vault references stop resolving due to one of a few common issues, even if nothing changed.
Most often its either a temporary platform/identity token issue, a network restriction change on the Key Vault (firewall/private endpoint), or a stale Key Vault reference cache in the Function App.
Since your RBAC and managed identity look correct and other apps still work, follow below:
- Restart the affected Function Apps
- Confirm the Key Vault is still accessible from them (no recent networking/firewall changes)
- Check if the vault is using private endpoints or restricted access that might block only some apps
- Refresh or re-save the Key Vault references in app settings
If the reference isn't resolved properly, the app uses the literal reference string (for example
@Microsoft.KeyVault(...)) and that can cause runtime failures.In the Function App portal:
- Go to Application settings (or the Environment variables blade)
- Use Edit on one of the failing Key Vault reference settings
- The edit dialog should show status info / error details for that specific reference
If the syntax is invalid you won't see a recognized Key Vault status message; if it’s syntactically correct, the status/errors help pinpoint the cause. Also consider running the built-in detector:
- For Functions: Diagnose and solve problems =>Function app down or reporting errors =>Key Vault Application Settings Diagnostics
-
Del Hamilton 0 Reputation points
2026-06-15T21:18:13.9066667+00:00 In diagnostics, for Function app down..., everything has a green tick except the last box which has an exclamation and "Uncategorized issues found" which ties in with the OtherReasons summary error.
-
Del Hamilton 0 Reputation points
2026-06-16T08:27:06.6266667+00:00 Hi Pravallika,
In Key Vault Application Settings Diagnostics there are errors detected but reported as Uncategorised Issues Found. When editing the Environment variables there are no errors shown, the Keyvault reference and syntax are valid and unchanged from when it was working correctly all last week.
The Entra token must be valid as it is being used to obtain a token to access the Postgres database at runtime.
Moving the secret into the env variable parameter resolves the issue but that's not a secure long term solution.
Del
-
Del Hamilton 0 Reputation points
2026-06-16T10:42:42.4133333+00:00 I have also disabled the managed identity and then re-enabled it to create a new identity for the function app. I assigned the role Key Vault Secrets User to the identity in Key Vault. Still the issues persists.
-
Deleted
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 19%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
Samuel Crook 5 Reputation points2026-06-16T13:00:21.9866667+00:00 We're facing the same issue, we created a key vault and started referencing it about 2 weeks ago, its been working fine since then until yesterday, it ran sucessfully at 1AM BST 15/06/26 but then failed 1AM BST 16/06/26 with no changes. We've restarted the System Assigned Identity and reallocated to Secrets User, we've tried a new version of the secret and generating new secrets. It all looks like everything should be correct, but we're getting the "OtherReasons" status on the error.
We've just tried getting the secret through a different function app that wasn't originally connected to the key vault which has worked, but then it still doesn't work for the original function app that we wanted.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 21%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Stephen A 0 Reputation points2026-06-16T15:54:28.7366667+00:00 We've got the same issue too. 3 environments with the same setup. The function app in each environment uses Key Vault references in App Settings. At ~5am UTC on 15/06/26 key vault references stopped resolving in one of the environments with the "OtherReasons" status code. No changes have been made to them for about a week.
For context, we're using Flex consumption with user assigned identities. Everything is within a VNET. The resources all have private endpoints. Microsoft.KeyVault is enabled on all subnets.
We have:
Forced a refresh of the values by using the "Pull reference values" and changing a value name.
Checked that our networking is setup correctly
Ensured the firewall isn't blocking any communication
The UAMI has the correct roles
The UMAI is linked to the Func app both as a user assigned identity and in the keyVaultReferenceIdentity property
The secrets all exist in the KV and all have values
Created a 2nd KV and tried to resolve a value (didn't work)
-
Pravallika KV 17,025 Reputation points Microsoft External Staff Moderator
2026-06-18T00:27:57.56+00:00 Hi @Del Hamilton , I will reproduce the same from my end and update you.
Sign in to comment
Sign in to answer