Azure Function App Read-only on functions
How can I create a custom role in Azure that allows users to view Function App code in read-only mode? Currently, users with the built-in Reader role can see the Function App but get an error requiring write permissions when trying to view the actual function code. Looking for a solution that maintains read-only access while enabling code viewing.
I tried a bunch of things with custom roles but can't seem to get it working.
Azure Functions
-
Shireesha Eeraboina • 1,240 Reputation points • Microsoft Vendor
2025-01-10T05:41:56.3833333+00:00 Hi @Joey,
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
Creating a custom role in Azure that allows users to view Function App code in read-only mode can be a bit tricky, but I can guide you through the process. Here's a step-by-step approach to achieve this:
Determine the Required Permissions:
First you need to grant read-only access to the Function App code. The specific permissions required are Microsoft.Web/sites/config/list/action and Microsoft.Web/sites/sourcecontrols/read.
Create the Custom Role:
You can create a custom role using the Azure portal, Azure PowerShell, Azure CLI, or the REST API. Here, I'll show you how to do it using the Azure portal.
Steps to Create the Custom Role in Azure Portal:
First, go to the Azure portal and sign in with your credentials. Then navigate to the subscription or resource group where you want to create the custom role and click on "Access control (IAM)". Click on "+ Add" and select "Add custom role". Provide a name and description for your custom role, and under "Permissions", click on "Add permissions". Search for Microsoft.Web/sites/config/list/action and Microsoft.Web/sites/sourcecontrols/read and add them to the role. After that, review the settings and click on "Create" to finalize the custom role.
Also please find the screenshot below for your reference:
Assign the Custom Role:
Once the custom role is created, you need to assign it to the users or groups who need read-only access to the Function App code.
For that, go to the Function App in the Azure portal and click on "Access control (IAM)". Click on "+ Add" and select "Add role assignment", then choose the custom role you created and assign it to the desired users or groups.
Also please find the below screenshot for your reference:
By following these steps, you should be able to create a custom role that allows users to view Function App code in read-only mode without encountering write permission errors.
If this answers your query, do click Accept Answer and Yes for "was this answer helpful". And, if you have any further query, do let us know. Thank you.
-
Joey • 0 Reputation points
2025-01-10T13:42:12.5333333+00:00 Hi, thanks! I really appreciate the time you took to answer my question. Unfortunately, I still can't get it working by following your steps.
I created the custom role with the following permission and made sure the role is active.
After I added the test user account:
So the error about the write permissions needed is gone but I still get this one:
-
Shireesha Eeraboina • 1,240 Reputation points • Microsoft Vendor
2025-01-13T11:08:39.39+00:00 Hi @Joey ,
We apologize for the inconvenience you are experiencing. Please ensure you are following the process correctly, as the UI in the shared screenshots appears slightly different. For your reference, I have attached a screenshot showing where to assign the custom roles.
If you encounter any further issues, please provide a screenshot so we can assist you accordingly.
-
Link McKinney 495 • 5 Reputation points
2025-01-13T15:19:10.41+00:00 Hey Joey,
Is the goal to create a custom role to allow the others access to review the code? If so, I would think you should do that in the code repo rather than the function app. However, if you are set on trying to accomplish this, I would try using the App Service Editor and putting a read-only from that perspective rather than the Code + Test area.
By the way, if your code is compiled code (C#, Java) you will not be able to see the code from the portal anyways. ( App Service Editor, or the Code + Test area. )
I hope this helps you,
Link
-
Joey • 0 Reputation points
2025-01-14T08:20:54.6866667+00:00 Hi, see my screenshots. I am not sure what I am doing differently.
When I check the permissions of the user:
I keep getting the error: User is not authorized for this API.
I tried to create a bunch of roles with different roles but it doesn't work. When I assign a write permission then it works.
-
Joey • 0 Reputation points
2025-01-14T10:38:29.6066667+00:00 We are creating a lab where the students go through a malicious function app and need to answer some questions, some of them based on the code of the function in the app.
-
Link McKinney 495 • 5 Reputation points
2025-01-14T17:56:15.9+00:00 What is your authorization level set? I think if you are trying to access that dashboard, try setting your authorization level to Anonymous.
-
Shireesha Eeraboina • 1,240 Reputation points • Microsoft Vendor
2025-01-20T07:39:52.23+00:00 Hi @Joey ,
Just checking in to see if the above answer provided by @Link McKinney 495 helped.
Can you please share an update on the issue so that we can provide the solution accordingly? Also, can you please share the error details?
-
Joey • 0 Reputation points
2025-01-20T09:21:49.0433333+00:00 Hi, thanks for checking in. I tried the suggestion but it didn't work.
-
Shireesha Eeraboina • 1,240 Reputation points • Microsoft Vendor
2025-01-24T01:25:33.64+00:00 Hi @Joey ,
We sincerely apologize for the delay in response and appreciate your patience.
It seems like you're getting close to resolving the issue, but you're still seeing the error "User is not authorized for this API." Here are some suggestions to help you fix it:
- Make sure you have the necessary permissions, specifically Microsoft.Web/sites/read and Microsoft.Web/sites/functions/read, for both the Function App and its code.
- Confirm that the custom role is assigned at the right level, ideally at the Function App level.
- Sometimes, it takes a little while for role assignments to take effect. Wait a few minutes and then try again.
- Ensure that the user has the correct role and that there are no conflicting higher-privilege roles, like Contributor or Owner.
- Check that users with the custom role can access the App Service Editor in read-only mode by enabling this option in the Function App settings.
- Verify that the user has the required permissions to access the Microsoft.Web API. If the Function App code is compiled, users may need to access the source repository (like GitHub or Azure Repos) directly, as the portal might not show the code.
Following these steps should help you resolve the authorization issue. If you have any questions or need more help, feel free to reach out.
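An added example, not part of the thread and not Microsoft's code: the role the answers describe, written as a role definition and checked for anything beyond plain reads before it is assigned to lab students. The role name and scope are placeholders; `Microsoft.Web/sites/config/list/action` is flagged because it returns the app's settings and connection strings. The thread does not establish that these actions are sufficient for the portal's code view.

```python
import json
from fnmatch import fnmatchcase

# Actions are the ones named in the thread's answers. The role name and the
# scope are placeholders (assumptions), in the JSON shape that
# `az role definition create --role-definition` accepts.
ROLE = {
    "Name": "Function App Code Viewer (example)",
    "IsCustom": True,
    "Description": "View Function App code without write access.",
    "Actions": [
        "Microsoft.Web/sites/read",
        "Microsoft.Web/sites/functions/read",
        "Microsoft.Web/sites/sourcecontrols/read",
        "Microsoft.Web/sites/config/list/action",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/<subscription-id>/resourceGroups/<lab-rg>"],
}

def classify(action):
    """Bucket one control-plane action by what it lets the holder do."""
    a = action.lower()
    if "*" in a:
        return "wildcard"  # can expand to write/delete operations
    if a.endswith("/read"):
        return "read"
    if a.endswith(("/write", "/delete")):
        return "mutating"
    if a.endswith("/action"):
        # POST-style operations; list*/action ones return keys or settings
        return "secret-listing" if a.split("/")[-2].startswith("list") else "other-action"
    return "unknown"

def grants(role, operation):
    """True if Actions (with '*' wildcards) minus NotActions covers operation."""
    op = operation.lower()
    def hit(patterns):
        return any(fnmatchcase(op, p.lower()) for p in patterns)
    return hit(role["Actions"]) and not hit(role["NotActions"])

def audit(role):
    """Return {action: bucket} for every action that is not a plain read."""
    return {a: classify(a) for a in role["Actions"] if classify(a) != "read"}

if __name__ == "__main__":
    print(json.dumps(ROLE, indent=2))   # role definition to review or deploy
    print(audit(ROLE))                  # actions needing a second look
```

If the lab's Function App holds real secrets in its app settings, move them out or use a dedicated lab subscription before assigning a role that includes the flagged action.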
-
Shireesha Eeraboina • 1,240 Reputation points • Microsoft Vendor
2025-01-27T02:27:47.01+00:00 Hi @Joey ,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for "was this answer helpful". And, if you have any further query, do let us know.
-
Link McKinney 495 • 5 Reputation points
2025-01-27T14:53:55.8+00:00 Hey team,
I believe there are a couple of things going on. If specific compiled languages are used, you will not be able to view the code, as stated before; however, if you do use a supported language, it must be created in the Azure portal or you need to set the setting below.
FUNCTION_APP_EDIT_MODE
I would create a new function from the Azure portal using Python and then apply the setting above.
I found this answer from an obscure Q&A here: https://learn.microsoft.com/en-us/answers/questions/1082523/source-code-setup-for-azure-functions-and-run
-
Shireesha Eeraboina • 1,240 Reputation points • Microsoft Vendor
2025-01-28T09:02:57.8933333+00:00 Hi @Joey ,
I hope the above provided response is helpful, do let me know if you have any further questions on this.
-
Joey • 0 Reputation points
2025-01-29T14:23:48.98+00:00 Thanks for your answer. Still getting the same error with a PowerShell function app.
-
Shireesha Eeraboina • 1,240 Reputation points • Microsoft Vendor
2025-02-03T06:44:19.8733333+00:00 Hi @Joey,
Thanks for your patience on this.
To fulfill your requirement, as I mentioned earlier, you will need to create custom roles with the permission "Microsoft.Web/sites/config/list/action" to be able to view the functions. Additionally, you will need to try different supported permissions under "Microsoft.web/site/*" (https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/web-and-mobile#microsoftweb) until you find the one that works.
Also, we see there is an active feature request related to this: https://feedback.azure.com/d365community/idea/ce829a4b-7981-ed11-a81b-000d3ae5ae95. I would suggest that you upvote and comment on it. Our engineering team will actively monitor these requests and work on it accordingly.
Hope this helps, let me know if you have any further questions on this.
-
Shireesha Eeraboina • 1,240 Reputation points • Microsoft Vendor
2025-02-04T05:05:22.44+00:00 Hi @Joey ,
Just checking in to see if the information above was helpful. If you have any further updates on this issue, please feel free to post them here.