System-assigned identity

If we don’t want to store any credentials in code, we can use a system-assigned managed identity, which is restricted to one per resource and is tied to the lifecycle of that resource. We can grant permissions to the managed identity by using Azure role-based access control (Azure RBAC). The managed identity is authenticated with Azure AD.

We can assign via PowerShell: run the Update-AzFunctionApp -IdentityType command to create a system-assigned identity for a function app.

Update-AzFunctionApp -Name $functionAppName -ResourceGroupName $resourceGroupName -IdentityType SystemAssigned
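
Once the identity exists, the RBAC grant mentioned above can be made and then audited as follows. This is an added example, not part of the original page; the storage account target, the chosen role and the use of the IdentityPrincipalId property of the Get-AzFunctionApp output are assumptions for illustration.

```powershell
# Added example: grant the function app's system-assigned identity one narrowly
# scoped role, then audit what it holds. All values below are placeholders.
$functionAppName    = '<app-name>'
$resourceGroupName  = '<group-name>'
$storageAccountName = '<storage-account-name>'   # hypothetical target resource
$roleName           = 'Storage Blob Data Reader' # built-in role, chosen for illustration

# The principal ID is only populated once the system-assigned identity is enabled.
$app = Get-AzFunctionApp -Name $functionAppName -ResourceGroupName $resourceGroupName
$principalId = $app.IdentityPrincipalId
if (-not $principalId) {
    throw "No system-assigned identity on '$functionAppName'; enable it first."
}

# Scope the grant to the single resource the function needs,
# not to the resource group or the subscription.
$scope = (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).Id

# Keep the grant idempotent: skip it if this exact assignment already exists.
$existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
    Where-Object { $_.RoleDefinitionName -eq $roleName -and $_.Scope -eq $scope }
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $scope | Out-Null
}

# Audit: list every assignment the identity holds and flag the broad ones.
$broadRoles = 'Owner', 'Contributor', 'User Access Administrator'
Get-AzRoleAssignment -ObjectId $principalId | ForEach-Object {
    # A scope of exactly /subscriptions/<id> is subscription-wide.
    $subscriptionWide = $_.Scope -match '^/subscriptions/[^/]+$'
    [pscustomobject]@{
        Role   = $_.RoleDefinitionName
        Scope  = $_.Scope
        Review = ($broadRoles -contains $_.RoleDefinitionName) -or $subscriptionWide
    }
} | Format-Table -AutoSize
```

Rows with Review set to True are the ones to check against what the function actually needs.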

User-assigned identity

We can assign via PowerShell: if not yet created, run the following script to create a managed service identity.

Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease
$userAssignedIdentity = New-AzUserAssignedIdentity -Name $userAssignedIdentityName -ResourceGroupName <group-name>

Finally, run the Update-AzFunctionApp -IdentityType UserAssigned -IdentityId command to assign the identity in Functions.

Update-AzFunctionApp -Name <app-name> -ResourceGroupName <group-name> -IdentityType UserAssigned -IdentityId $userAssignedIdentity.Id

Remark: Rather remove the managed identity via PowerShell. PowerShell only offers the functionality to remove all identities; we cannot remove one by name!

# Update an existing function app to have IdentityType "None".
Update-AzFunctionApp -Name $functionAppName -ResourceGroupName $resourceGroupName -IdentityType None