Issue Creating Workflows in Standard Logic App Using User-Assigned Managed Identity (UAMI) .

Question

Issue Creating Workflows in Standard Logic App Using User-Assigned Managed Identity (UAMI) .

Utkarsh Rai 20 Microsoft Employee

Hi Team,

I’m working on setting up a Standard Logic App and encountering issues while creating workflows. I’ve disabled the “Allow storage account key access” setting on the associated storage account and intend to authenticate using a User-Assigned Managed Identity (UAMI) or System-Assigned Managed Identity (SAMI).

Below are the configuration settings I’ve added or updated in the Logic App’s application settings:

AzureWebJobsStorage__blobServiceUri

AzureWebJobsStorage__credentialType (set to managedIdentity)

AzureWebJobsStorage__managedIdentityResourceId

AzureWebJobsStorage__queueServiceUri

AzureWebJobsStorage__tableServiceUri

WEBSITE_NODE_DEFAULT_VERSION

WEBSITE_VNET_ROUTE_ALL

The UAMI has been assigned the following roles on the storage account:

Storage Blob Data Contributor

Storage Queue Data Contributor

Storage Table Data Contributor

Storage Blob Data Owner

Storage Account Contributor

Despite these configurations and permissions, I’m still encountering errors when trying to create or deploy workflows.

Could someone please advise if I’m missing any required permissions or configuration steps specific to storage access via managed identities in Standard Logic Apps?

Appreciate your support and insights.

Thanks, Utkarsh RaiHi Team,

I’m working on setting up a Standard Logic App and encountering issues while creating workflows. I’ve disabled the “Allow storage account key access” setting on the associated storage account and intend to authenticate using a User-Assigned Managed Identity (UAMI) or System-Assigned Managed Identity (SAMI).

Below are the configuration settings I’ve added or updated in the Logic App’s application settings:

AzureWebJobsStorage__blobServiceUri

AzureWebJobsStorage__credentialType (set to managedIdentity)

AzureWebJobsStorage__managedIdentityResourceId

AzureWebJobsStorage__queueServiceUri

AzureWebJobsStorage__tableServiceUri

WEBSITE_NODE_DEFAULT_VERSION

WEBSITE_VNET_ROUTE_ALL

The UAMI has been assigned the following roles on the storage account:

Storage Blob Data Contributor

Storage Queue Data Contributor

Storage Table Data Contributor

Storage Blob Data Owner

Storage Account Contributor

Despite these configurations and permissions, I’m still encountering access errors when trying to create or deploy workflows.

Error - System.Private.CoreLib: Access to the path 'C:\home\data\Functions\secrets\Sentinels' is denied.

Could someone please advise if I’m missing any required permissions or configuration steps specific to storage access via managed identities in Standard Logic Apps?

Appreciate your support and insights .

Krishna Chowdary Paricharla 2,155 Reputation points Microsoft External Staff Moderator

2025-08-06T19:51:24.84+00:00
Hello Utkarsh Rai •,

You're getting the error Access to the path 'C:\home\data\Functions\secrets\Sentinels' is denied, which is not directly caused by the managed identity or storage access settings, but by a file system access issue in the Logic App's runtime.

Your storage settings and managed identity roles look correct, assuming:

You're using AzureWebJobsStorage__credentialType = managedIdentity

You’ve not set managedIdentityResourceId for system-assigned identity

The UAMI/SAMI has data plane roles (e.g., Blob/Queue/Table Contributor) at the storage account level

The error likely comes from the Logic App runtime trying to write secrets locally and failing due to file system restrictions.

Recommendations to fix the issue:

Add this setting to explicitly define a writable path: "AzureFunctionsJobHost__SecretsPath": "D:\\home\\data\\Functions\\secrets" Ensure the App Service environment supports write access (especially if using custom containers or VNET). If WEBSITE_VNET_ROUTE_ALL = 1, make sure the Logic App can reach Azure Instance Metadata Service (IMDS) and Storage endpoints.

Confirm the identity also has Reader role on the resource group (optional but helpful for full access.
Krishna Chowdary Paricharla 2,155 Reputation points Microsoft External Staff Moderator

2025-08-07T00:53:11.36+00:00

Hello Utkarsh Rai •,

Thank you for posting your concern on Microsoft Q&A.

Could you please check the private message and provide the required details for troubleshooting the issue further.

Here is the reference link on how to access & data retention policy of private messages in Microsoft Q&A.
Krishna Chowdary Paricharla 2,155 Reputation points Microsoft External Staff Moderator

2025-08-07T23:50:12.8033333+00:00

Hello Utkarsh Rai •,

Just checking in to see if you've had a chance to review my previous response. Let me know if you have any additional questions
Krishna Chowdary Paricharla 2,155 Reputation points Microsoft External Staff Moderator

2025-08-09T02:39:14.9366667+00:00

Hello Utkarsh Rai •,
I wanted to follow up to see if you’ve had an opportunity to look over my earlier response. Please let me know if you have any further questions.

Accepted answer

0 additional answers

Your answer

Krishna Chowdary Paricharla 2,155 Reputation points Microsoft External Staff Moderator

2025-08-06T19:51:24.84+00:00

Hello Utkarsh Rai •,

You're getting the error Access to the path 'C:\home\data\Functions\secrets\Sentinels' is denied, which is not directly caused by the managed identity or storage access settings, but by a file system access issue in the Logic App's runtime.

Your storage settings and managed identity roles look correct, assuming:

You're using AzureWebJobsStorage__credentialType = managedIdentity

You’ve not set managedIdentityResourceId for system-assigned identity

The UAMI/SAMI has data plane roles (e.g., Blob/Queue/Table Contributor) at the storage account level

The error likely comes from the Logic App runtime trying to write secrets locally and failing due to file system restrictions.

Recommendations to fix the issue:

Add this setting to explicitly define a writable path: "AzureFunctionsJobHost__SecretsPath": "D:\\home\\data\\Functions\\secrets" Ensure the App Service environment supports write access (especially if using custom containers or VNET). If WEBSITE_VNET_ROUTE_ALL = 1, make sure the Logic App can reach Azure Instance Metadata Service (IMDS) and Storage endpoints.

Confirm the identity also has Reader role on the resource group (optional but helpful for full access.
Krishna Chowdary Paricharla 2,155 Reputation points Microsoft External Staff Moderator

2025-08-07T00:53:11.36+00:00

Hello Utkarsh Rai •,

Thank you for posting your concern on Microsoft Q&A.

Could you please check the private message and provide the required details for troubleshooting the issue further.

Here is the reference link on how to access & data retention policy of private messages in Microsoft Q&A.
Krishna Chowdary Paricharla 2,155 Reputation points Microsoft External Staff Moderator

2025-08-07T23:50:12.8033333+00:00

Hello Utkarsh Rai •,

Just checking in to see if you've had a chance to review my previous response. Let me know if you have any additional questions
Krishna Chowdary Paricharla 2,155 Reputation points Microsoft External Staff Moderator

2025-08-09T02:39:14.9366667+00:00

Hello Utkarsh Rai •,
I wanted to follow up to see if you’ve had an opportunity to look over my earlier response. Please let me know if you have any further questions.

Answer 1

Hello Utkarsh Rai

Disabling Storage Account Key Access is currently available only for Standard Logic Apps hosted within an App Service Environment v3 (ASE v3).

Not supported for:
- Standard Logic Apps on the Workflow Standard Plan (outside ASE)
- Consumption Logic Apps
Supported for:
- Standard Logic Apps deployed in ASE v3

Reason for this limitation: Logic Apps require access to an Azure Storage account for state management, runtime, and workflow persistence. In most hosting scenarios (such as Workflow Standard Plan or Consumption), storage account keys are necessary for operation. However, ASE v3 offers advanced network isolation and supports Managed Identity, which allows storage access without using account keys.

For ASE v3 deployments:

Set up a Managed Identity (either System-Assigned or User-Assigned) for your Logic App.
Grant the Managed Identity the necessary Azure RBAC roles (e.g., Storage Blob Data Contributor) on the Storage Account.
After confirming Managed Identity authentication, disable “Allow storage account key access” in the storage account settings.

References:

Hope this helps!

Share via

Issue Creating Workflows in Standard Logic App Using User-Assigned Managed Identity (UAMI) .

0 additional answers

Your answer