Use managed identity instead of AzureWebJobsStorage to connect a function app to a storage account

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

In a function app, the AzureWebJobsStorage app setting normally holds a full storage connection string, account key included. This post shows how to configure a function app to reach its host storage account with an Azure Active Directory identity instead of a secret or connection string, where the platform supports it. Using an identity means the account key sits in no app setting, deployment file or pipeline variable, so it cannot be leaked from there, and because every request is tied to a principal you get better visibility into how the data is accessed.

The AzureWebJobsStorage__accountName shorthand used below assumes the public-cloud endpoint suffix (core.windows.net), so it will not work if the storage account is in a sovereign cloud or uses a custom DNS name. In those cases set the explicit AzureWebJobsStorage__blobServiceUri, AzureWebJobsStorage__queueServiceUri and AzureWebJobsStorage__tableServiceUri settings instead of the account name.

The configuration steps are below.

1. In the function app, open Identity, switch the system-assigned managed identity on and save. Azure creates a service principal for the app; this is the principal you will grant storage access to.

2. Give the function app's identity access to the storage account. In the storage account, open Access Control (IAM), add a role assignment, search for Storage Blob Data Owner, select it and assign it to the function app's managed identity. Storage Blob Data Owner is the data-plane role the Functions host requires for its host storage connection; assign it at the scope of this one storage account rather than the resource group or subscription, since the host needs nothing beyond that account.

3. If the function app contains a blob-triggered function, repeat step 2 to add the Storage Account Contributor and Storage Queue Data Contributor roles as well. The blob trigger uses a storage queue internally and needs the Storage Account Contributor role in addition to the two data-plane roles, so all three assignments are required for it to work with an identity.

4. Return to Access Control (IAM), open Role assignments and search for your function app's name to confirm the roles were assigned. New role assignments can take a short while to take effect, so do not be surprised if the first requests after the change are still denied.

5. Navigate to the function app, open Configuration and edit AzureWebJobsStorage: rename it to AzureWebJobsStorage__accountName and set the value to the storage account name only (no key, no connection string). The double underscore (__) is the separator the host uses for nested configuration keys in application settings, so this setting is read as the accountName property of the AzureWebJobsStorage connection. With only an account name configured, the host authenticates to that account with the function app's managed identity.

6. Delete the original AzureWebJobsStorage setting, save, and confirm the function app still runs. The account key that was in that setting has been visible in the configuration (and in anything that copied it), so rotate it under the storage account's Access keys once the app is confirmed working. On Consumption and Elastic Premium plans the WEBSITE_CONTENTAZUREFILECONNECTIONSTRING setting still needs a connection string, because Azure Files does not support identity-based access; only the host storage connection is covered by this change.
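The six portal steps above as an Azure CLI script, added here as an example; it is not code from the original post. It assumes the az CLI is installed and signed in, uses placeholder resource names (my-rg, my-func-app, mystorageacct) and only touches Azure when run with the apply argument. The helpers that compute the required roles and the identity-based settings, and the post-check that scans the remaining app settings for an embedded AccountKey, run offline; the sovereign-cloud branch goes beyond the post by emitting the explicit service-URI settings when the endpoint suffix is not core.windows.net.

```shell
#!/usr/bin/env bash
# Added example, not the original post's code. Assumes `az` is installed and
# logged in; the three resource names below are placeholders.
set -euo pipefail

RESOURCE_GROUP="${RESOURCE_GROUP:-my-rg}"           # assumed name
FUNCTION_APP="${FUNCTION_APP:-my-func-app}"         # assumed name
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-mystorageacct}" # assumed name

# Roles the Functions host needs on the storage account. "host" covers the
# AzureWebJobsStorage connection; "blob" adds the two the blob trigger needs.
required_roles() {
  case "$1" in
    host) printf '%s\n' "Storage Blob Data Owner" ;;
    blob) printf '%s\n' "Storage Blob Data Owner" "Storage Account Contributor" \
                        "Storage Queue Data Contributor" ;;
    *) echo "usage: required_roles host|blob" >&2; return 1 ;;
  esac
}

# App settings that replace AzureWebJobsStorage. With the public-cloud suffix
# the accountName shorthand is enough; for a sovereign cloud or custom DNS the
# host cannot derive the endpoints, so emit the explicit service URIs.
host_storage_settings() {
  local account="$1" suffix="${2:-core.windows.net}"
  if [ "$suffix" = "core.windows.net" ]; then
    printf 'AzureWebJobsStorage__accountName=%s\n' "$account"
  else
    printf 'AzureWebJobsStorage__blobServiceUri=https://%s.blob.%s\n'  "$account" "$suffix"
    printf 'AzureWebJobsStorage__queueServiceUri=https://%s.queue.%s\n' "$account" "$suffix"
    printf 'AzureWebJobsStorage__tableServiceUri=https://%s.table.%s\n' "$account" "$suffix"
  fi
}

# Post-check over "name<TAB>value" lines (the shape of
# `az functionapp config appsettings list -o tsv --query "[].[name,value]"`):
# succeeds only if no setting still embeds a storage key or SAS.
settings_without_account_keys() {
  ! printf '%s\n' "$1" | grep -Eq 'AccountKey=|SharedAccessSignature='
}

apply() {
  local trigger="${1:-host}" suffix="${2:-core.windows.net}" principal scope
  # Step 1: system-assigned identity; returns the principal to grant roles to
  principal=$(az functionapp identity assign -g "$RESOURCE_GROUP" -n "$FUNCTION_APP" \
                --query principalId -o tsv)
  scope=$(az storage account show -g "$RESOURCE_GROUP" -n "$STORAGE_ACCOUNT" --query id -o tsv)
  # Steps 2-3: role assignments scoped to this one storage account only
  required_roles "$trigger" | while IFS= read -r role; do
    az role assignment create --assignee-object-id "$principal" \
      --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope" >/dev/null
  done
  # Step 4: confirm what the identity now holds on the account
  az role assignment list --assignee "$principal" --scope "$scope" \
    --query "[].roleDefinitionName" -o tsv
  # Step 5: identity-based setting(s); word splitting of the helper output is intended
  az functionapp config appsettings set -g "$RESOURCE_GROUP" -n "$FUNCTION_APP" \
    --settings $(host_storage_settings "$STORAGE_ACCOUNT" "$suffix") >/dev/null
  # Step 6: drop the secret-bearing setting, then verify no other setting carries a key
  az functionapp config appsettings delete -g "$RESOURCE_GROUP" -n "$FUNCTION_APP" \
    --setting-names AzureWebJobsStorage >/dev/null
  settings_without_account_keys "$(az functionapp config appsettings list -g "$RESOURCE_GROUP" \
    -n "$FUNCTION_APP" --query "[].[name,value]" -o tsv)" \
    || { echo "a setting still contains a storage key; rotate that key" >&2; return 1; }
}

# Only touch Azure when explicitly asked, e.g.: ./host-identity.sh apply blob
if [ "${1:-}" = "apply" ]; then
  apply "${2:-host}" "${3:-core.windows.net}"
fi
```

Run it as `./host-identity.sh apply` for a plain function app or `./host-identity.sh apply blob` when a blob trigger is present; pass a third argument such as core.usgovcloudapi.net for a sovereign cloud. The final check is deliberately strict: if any remaining app setting matches AccountKey= or SharedAccessSignature=, the script exits non-zero so the key that was exposed gets rotated rather than forgotten.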
