Bobi_Bao From the recommendation to use Microsoft.Azure.WebJobs.Extensions.DurableTask can I assume that everyone here is using the in-process model rather than the isolated model Microsoft.Azure.Functions.Worker.Extensions.DurableTask? 

Do we know if this solution is supported by the isolated model?  

EDIT: 2024-10-29 - It is working with the isolated model Microsoft.Azure.Functions.Worker.Extensions.DurableTask.

This setup remains incomplete until we can fully disable storage access keys. We need a solution where the storage account mandates the use of a managed identity rather than merely supporting it.

Currently, it's possible to configure managed identity access for tables, queues, and blobs, but this isn't the case for file access, which requires us to keep access keys enabled for the storage account.

I've seen references to different plans having varying requirements, but it's unclear how these translate to specific security settings. Is there a plan that enables a storage account configuration entirely without access keys? Any clarification or guidance on this would be greatly appreciated.

Bobi_Bao Saviour. Big Thank You. 

I was able to create the Azure function with Secured Blob storage account, but not configuring the existing one. I had to re-create the Function app and Storage account, this time I didn't use File Share as an option for Storage account. 

Hi dcarvallo ,

Please see below comments.

In order for MSI to work, we can’t use the app settings: WEBSITE_CONTENTAZUREFILECONNECTIONSTRING and WEBSITE_CONTENTSHARE. - Storage considerations for Azure Functions | Microsoft Learn. This is due to the fact that the settings are used to connect to the fileshare (SMB) of the storage account which doesn’t support Managed Identity Connection.

Thanks.

I got an error message after disabling SAS key access, specifically after doing the authentication with Microsoft Identity:
https://myapp.azurewebsites.net/.auth/login/aad/callback
I'm using "AzureWebJobsStorage__accountName" 

---

Should be AzureWebJobsStorage__accountName not accountname (uppercase N). Case sensitivity matters on linux.

Hi All,

vienltkidl Kuldeep_M Thanks for your responses and suggestions.

Please read through the below information.  Need to raise exception for the below scenarios.

In order for MSI to work, we can’t use the app settings: WEBSITE_CONTENTAZUREFILECONNECTIONSTRING and WEBSITE_CONTENTSHARE. - Storage considerations for Azure Functions | Microsoft Learn. This is due to the fact that the settings are used to connect to the fileshare (SMB) of the storage account which doesn’t support Managed Identity Connection.

Once the settings are in place, there is no way to remove them and get the app back in a good state. This is due to some caching mechanism on the backend, which our PG is aware of and has a work-item in for.

The easiest way is to create a new function app without those app settings. If creating via ARM make sure to remove those settings first. Those app settings are only required for Consumption and Elastic Premium – App service plans. Since your app is running on an S1, it does not require them. So, when you create a new app, make sure you select dedicated and S1. (You could select the same app service plan as it is already created).

Amit_Kekan 

Thank you,

Siva

These steps are not working for many people after having to disable the "Access Keys" on storage account. I request Bobi_Bao to please find the necessary missing steps and update the document.
Our team is also stuck with similar issues with our Function Apps.

Referring to AnushaGarg comment, my function app is running fine with the System Managed Identity. Just follow these straightforward steps:

1. Set the system identity to "ON" for "myfunctionapp."
2. Go to the IAM settings of "MyStorageAccount" and assign the Storage Blob Data Contributor role to "myfunctionapp."
3. Rename the key from AzureWebjobStorage to AzureWebJobStorage__blobURI and set the value to "https://MyStorageAccount.blob.core.windows.net/." Microsoft Azure Functions Reference
4. Disable "Allow storage account key access."

Now, the only issue I have is with the deployment and Kudu trace logs. CI/CD is throwing the following exception:

Can anyone provide a solution for this? We are not allowed to enable the "Allow storage account key access." However, when we enable account key access, the CI/CD deployment for the function app succeeds.