This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello everyone,
Currently I'm trying to configure a very simple Function App using PowerShell that takes a JSON body payload with 2 parameters, a resource group name and a location, then it creates a resource group with that information.
The problem that I have is that whenever I try to use a user assigned managed identity it doesn't work, but it works when I use a system assigned managed identity, I already enabled the identity in the Function App but I might be missing something else, this is the output that I get when I try to use the UAMI:
2023-04-12T13:36:59Z [Warning] WARNING: Unable to acquire token for tenant 'organizations'
2023-04-12T13:37:00Z [Error] ERROR: ManagedIdentityCredential authentication failed: Service request failed. Status: 400 (Bad Request) Content: {"statusCode":400,"message":"Unable to load the proper Managed Identity.","correlationId":"9a0d90c9-8734-478a-97d3-70c657629d50"}
I saw this answer on StackOverflow that suggests configuring environment variables but I'm not sure what am I supposed to replace <CONNECTION NAME PREFIX> with and I'm not sure if I have to call these variables into my PowerShell code. In general I'm not quite sure what to do with this information.
Any help is really appreciated it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 33%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
@Ariel Gonzalez
<CONNECTION_NAME_PREFIX> is the value of your connection property in the trigger or binding definition. No need to call this in the powershell code, just try to add the app settings
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 90%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIA%3C/text%3E%3C/svg%3E)
I had to set AZURE_CLIENT_ID in app_settings to make this work.
The terraform code for this was:
resource "azurerm_user_assigned_identity" "function_app_main" {
location = azurerm_resource_group.main.location
name = "function_app_main"
resource_group_name = azurerm_resource_group.main.name
}
resource "azurerm_linux_function_app" "main" {
/* ... elided ... */
app_settings = {
AZURE_CLIENT_ID = azurerm_user_assigned_identity.function_app_main.client_id
}
}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 14.000000000000002%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENP%3C/text%3E%3C/svg%3E)
Adding the AZURE_CLIENT_ID to the function's environment variables fixed it for me as well, thank you @Iwan Aucamp
Bumping up thread, does anyone know what could be happening? Any insights would be very appreciated
Any Function App expert around here that can point me in the right direction?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 64%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
I had the same error but found out I was using the wrong Subscription Id in the function app.
I was using development Subscription Id instead of production Subscription Id.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 88%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAB%3C/text%3E%3C/svg%3E)
Ran into the same issue and have no clue what the problem could be? On the Configuration/AppSettings page my KeyVault-Reference has a green tick and presents "user assigned managed identity" as identity and "Resolved" as status so it seems to be configured correctly from my perspective but as soon as the trigger fires the function encounters and logs an error { "statusCode":400,"message":"Unable to load the proper Managed Identity.", ... }
What could be the problem here?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 53%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVV%3C/text%3E%3C/svg%3E)
Same as Iwan, I had to add the AZURE_CLIENT_ID in the environment variables. The value for this is set to the Application ID of the Service Principle [Enterprise Application] of the UAMI being used. After this my auth was successful. I believe this one extra step has to be done only in the case of using UAMI