How to deploy using AzureFunctionApp@1 configured to use Managed Identity

Zackarias Montell 20 Reputation points
2025-08-08T07:36:48.41+00:00

We deploy multiple .net azure functions to linux runtime consumption plans in Azure. Yesterday we got an issue where one of our functions stopped working. Looking at the overview of the resource in the azure portal we saw a warning about a SAS-token that had expired, and a link to read more about this issue.

It states that we can either renew the token, or set the resource to use a managed identity to authorize access to the application package stored in a blob storage. Since the SAS-token is automatically generated by the deployment we don't want to alter it and instead tried giving the MI access to the storage account which we successfully did.

The issue that we're having is that the AzureFunctionApp@1 task that we are using to deploy the source code to the azure function is setting the WEBSITE_RUN_FROM_PACKAGE environment variable to a url with a SAS-token. This is fine for the first 1 year after the deploy, but we found that as long as the url contains a SAS-token it refuses to use the MI, even if the SAS-token is expired and a valid MI is configured with the correct permission. We validated this by editing the expired url, removing the token from it, saving and restarting the function app, and it started working again.

However we cannot find a way to configure the task to omit the SAS-token.

Ideally we'd like an option for the WEBSITE_RUN_FROM_PACKAGE to not contain a SAS-token so that the MI is always used. Is that possible in any way?

Azure Functions
An Azure service that provides an event-driven serverless compute platform.

Accepted answer
Sai Prabhu Naveen Parimi 3,235 Reputation points Microsoft External Staff Moderator
    2025-08-08T10:00:02.3966667+00:00

    Hello @Zackarias Montell

    You have correctly identified the root cause and confirmed that the Function App operates as expected when the SAS token is removed from WEBSITE_RUN_FROM_PACKAGE.

    As designed, if WEBSITE_RUN_FROM_PACKAGE contains a SAS URL, Azure Functions will prioritize the token and bypass the configured Managed Identity, even if it has the required permissions. This explains why your manual test—removing the SAS and restarting the app—resulted in the use of Managed Identity, which is the expected behavior.

    The Microsoft documentation describes how to use Managed Identity for package deployment, assuming manual management of the ZIP upload and app settings. However, when using Azure DevOps and the AzureFunctionApp@1 task, the task automatically uploads the package and sets WEBSITE_RUN_FROM_PACKAGE to a SAS-based URL, overriding the Managed Identity approach. Currently, there is no option in the task to prevent this.

    To utilize Managed Identity as documented, you can:

    1. Manually upload your ZIP package to a private container in your storage account (e.g., using az storage blob upload).
    2. Assign the Storage Blob Data Reader role to your Function App’s managed identity, scoped to the appropriate blob or container.
    3. Configure these application settings:
       • WEBSITE_RUN_FROM_PACKAGE: Set to the blob URI without a SAS token.
       • WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID: Leave blank or set to "SystemAssigned" for system-assigned identity, or provide the full resource ID for a user-assigned identity.
    4. Restart the Function App after updating the settings.

    This process mirrors your successful manual test and enables automated deployment without relying on a SAS token or the default AzureFunctionApp@1 behavior.

    Hope this helps!!

    1 person found this answer helpful.
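The four steps in the accepted answer, worked through as an added POSIX shell example using the Azure CLI. This is not code from the answer, from the questioner, or from Microsoft. The subscription id, resource group, app, storage account and container names are placeholders (assumptions), and the script defaults to a dry run that prints the `az` commands instead of executing them. It also includes a small check for a `sig=` query parameter, so a SAS-bearing WEBSITE_RUN_FROM_PACKAGE value like the one in the question can be detected and its `se=` expiry read before the app silently keeps using a token that has run out.

```shell
#!/bin/sh
# Added example (not from the answer above): move a Function App's
# WEBSITE_RUN_FROM_PACKAGE from a SAS URL to a plain blob URL that the app
# reads with its system-assigned managed identity. All names are placeholders.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-functions-placeholder}"
FUNCTION_APP="${FUNCTION_APP:-func-app-placeholder}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-stfuncpkgplaceholder}"
CONTAINER="${CONTAINER:-function-releases}"
BLOB_NAME="${BLOB_NAME:-app.zip}"
PACKAGE_FILE="${PACKAGE_FILE:-app.zip}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands, 0 = execute them

# Print a command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '[dry-run] %s\n' "$*"; else "$@"; fi
}

# Walk the query string of $1 and return 0 if a SAS signature ("sig=") is present.
# While this parameter is present the runtime keeps using the token and ignores
# the managed identity, even after the token has expired.
has_sas_token() {
  query=${1#*\?}
  if [ "$query" = "$1" ]; then return 1; fi   # no query string at all
  old_ifs="$IFS"; IFS='&'
  for param in $query; do
    case "$param" in
      sig=*) IFS="$old_ifs"; return 0 ;;
    esac
  done
  IFS="$old_ifs"
  return 1
}

# Print the SAS expiry ("se=") of $1 with "%3A" decoded to ":"; return 1 if absent.
sas_expiry() {
  query=${1#*\?}
  old_ifs="$IFS"; IFS='&'
  for param in $query; do
    case "$param" in
      se=*) IFS="$old_ifs"; printf '%s\n' "${param#se=}" | sed 's/%3A/:/g'; return 0 ;;
    esac
  done
  IFS="$old_ifs"
  return 1
}

# The token-free package URL the app will read with its identity.
package_url() {
  printf 'https://%s.blob.core.windows.net/%s/%s\n' "$STORAGE_ACCOUNT" "$CONTAINER" "$BLOB_NAME"
}

deploy_with_managed_identity() {
  url="$(package_url)"
  if has_sas_token "$url"; then
    echo "refusing to continue: package URL still carries a SAS token" >&2
    return 1
  fi

  # 1. Upload the package to a private container (your own RBAC via --auth-mode login).
  run az storage blob upload --account-name "$STORAGE_ACCOUNT" --container-name "$CONTAINER" \
    --name "$BLOB_NAME" --file "$PACKAGE_FILE" --auth-mode login --overwrite

  # 2. Grant the app's system-assigned identity read access, scoped to this container only.
  if [ "$DRY_RUN" = "1" ]; then
    principal_id="<principalId-from-identity-show>"
  else
    principal_id="$(az functionapp identity show -g "$RESOURCE_GROUP" -n "$FUNCTION_APP" \
      --query principalId -o tsv)"
  fi
  scope="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Storage/storageAccounts/$STORAGE_ACCOUNT/blobServices/default/containers/$CONTAINER"
  run az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal --role "Storage Blob Data Reader" --scope "$scope"

  # 3. Point the app at the plain blob URL and tell it which identity to use.
  run az functionapp config appsettings set -g "$RESOURCE_GROUP" -n "$FUNCTION_APP" --settings \
    "WEBSITE_RUN_FROM_PACKAGE=$url" "WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID=SystemAssigned"

  # 4. Restart so the new settings take effect.
  run az functionapp restart -g "$RESOURCE_GROUP" -n "$FUNCTION_APP"
}

# Usage: sh deploy_mi.sh deploy            (dry run, prints the commands)
#        DRY_RUN=0 sh deploy_mi.sh deploy  (executes them)
if [ "${1:-}" = "deploy" ]; then deploy_with_managed_identity; fi
```

Run it once in dry-run mode to review the exact commands, then with `DRY_RUN=0` from a pipeline step that has Azure CLI access. In an Azure DevOps pipeline this replaces the AzureFunctionApp@1 task for the deployment step; the `has_sas_token` check is also useful on its own against the current app setting (`az functionapp config appsettings list`) to spot apps that are still pinned to a token.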

0 additional answers
