In a function app, usually we use appsetting AzureWebJobsStorage to connect to storage. This blog shows you how to configure a function app using Azure Active Directory identities instead of secrets ...
Updated Jul 08, 2024
Version 3.0
Blog Post
2 MIN READ
Use managed identity instead of AzureWebJobsStorage to connect a function app to a storage account
Hi All,
vienltkidl Kuldeep_M Thanks for your responses and suggestions.
Please read through the below information. Need to raise exception for the below scenarios.
In order for MSI to work, we can’t use the app settings: WEBSITE_CONTENTAZUREFILECONNECTIONSTRING and WEBSITE_CONTENTSHARE. - https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Fazure-functions%2Fstorage-considerations%3Ftabs%3Dazure-cli%23storage-account-connection-setting&data=05%7C02%7Cv-sivareddyd%40microsoft.com%7C954f4002d3b34d3af8d208dc9078c80c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638544095669850081%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=UbdAx2mbNybuRjt0ytl7vwlgyf3c3Yu5ivFT8cTJ50Q%3D&reserved=0. This is due to the fact that the settings are used to connect to the fileshare (SMB) of the storage account which doesn’t support Managed Identity Connection.
Once the settings are in place, there is no way to remove them and get the app back in a good state. This is due to some caching mechanism on the backend, which our PG is aware of and has a work-item in for.
The easiest way is to create a new function app without those app settings. If creating via ARM make sure to remove those settings first. Those app settings are only required for Consumption and Elastic Premium – App service plans. Since your app is running on an S1, it does not require them. So, when you create a new app, make sure you select dedicated and S1. (You could select the same app service plan as it is already created).
Thank you,
Siva
This documentation states that SMB fileshare actually supports managed identity. So is this blog post already outdated or is there still something (e.g. azure functions side support) that is missing for using managed identity?
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overviewIdentity-based authentication isn't currently supported with Network File System (NFS) shares. However, it's available over SMB for both Windows and Linux clients.
Additionally Files rest API also seems to support Entra ID access management:
https://learn.microsoft.com/en-us/rest/api/storageservices/file-service-rest-api
Operations on the FileService and FileShare objects can also be done through the data plane. This is an artifact of Azure Files predating Azure Resource Manager. Although these APIs are fully supported, in most cases you should use the storage resource provider APIs to manage Azure Files for these reasons:
- Operations exposed through Azure Resource Manager use Microsoft Entra ID for authentication and authorization, so you can manage Azure Files by using role-based access control (RBAC). You can authorize your application or service to programmatically call these APIs with a Microsoft Entra service principal.
