Assign System Managed Identity to Azure Function Apps with PowerShell

Introduction

Managing identities in the cloud is crucial for ensuring secure access to resources. Azure provides a robust solution with Managed Identities, which can be assigned to Azure services like Function Apps, eliminating the need to create, store and rotate credentials yourself. A system-assigned identity is tied to the lifecycle of the Function App: it is created when you enable it and deleted when the app is deleted, and you grant it access by assigning Azure roles to its principal. By wrapping the Azure CLI in a PowerShell function, you can automate the assignment of System Managed Identities to your Function Apps, streamlining the process and enhancing security. This blog will guide you through the steps to assign a System Managed Identity to an Azure Function App using a PowerShell script.

Use Cases

  1. Secure Resource Access: Grant your Function App access to Azure resources like Key Vault, Storage Accounts, and more by assigning roles to its identity, without placing any credentials in app settings or code.
  2. Automated Identity Management: Integrate this script into CI/CD pipelines for automated identity management during deployments.
  3. Environment-Specific Configurations: Assign identities to Function Apps in different environments (development, staging, production) to maintain consistent security practices.
  4. Compliance and Security: Ensure compliance with security policies by using managed identities for all Function App deployments.

Current Approaches

Typically, assigning a System Managed Identity to an Azure Function App is done manually through the Azure portal. This involves navigating to the Function App, enabling the Managed Identity, and then configuring the necessary permissions (role assignments or Key Vault access policies) for the new principal. While this approach works, it is not scalable for multiple Function Apps, slots or environments. Automating this process using PowerShell ensures consistency, saves time, and reduces the risk of human error.

Step 1. Prepare Your Environment

The script below calls the Azure CLI (az) from PowerShell, so ensure you have the Azure CLI installed and you are authenticated to your Azure subscription. You can download and install the Azure CLI from the Microsoft documentation.

Sign in using the below command in PowerShell.

az login

Step 2. Execute the PowerShell Script

Run the below script by passing the parameters Resource Group Name, Function App Name and Subscription Id. The Slot parameter is optional; when it is omitted the identity is assigned to the production slot. Note that az is a native command, so a failing call does not raise a PowerShell exception; the script checks $LASTEXITCODE after each call instead of relying on try/catch alone.

Function Assign-SystemManagedIdentityFunctionApp {
    #Parameters - FunctionAppName, ResourceGroupName, SubscriptionId, Slot
    [CmdletBinding()]
    param (
      #FunctionApp Name
      [Parameter(Mandatory = $true)]
      [ValidateNotNullOrEmpty()]
      [String]$FunctionAppName,
  
      #ResourceGroup Name
      [Parameter(Mandatory = $true)]
      [ValidateNotNullOrEmpty()]
      [String]$ResourceGroupName,
  
      #Subscription Id
      [Parameter(Mandatory = $true)]
      [ValidateNotNullOrEmpty()]
      [String]$SubscriptionId,
  
      #Deployment slot (optional); the production slot is used when omitted
      [Parameter(Mandatory = $false)]
      [String]$Slot
  
    )
    Write-Host "##[debug] -----Starting Assign-SystemManagedIdentityFunctionApp-----" -ForegroundColor Cyan
    Write-Host "##[command] Parameters" -ForegroundColor Yellow
    "_"*10
    # Echo each parameter that was actually passed, so the pipeline log shows the inputs
    foreach ($ParameterName in $PSBoundParameters.Keys) {
      Get-Variable -Name $ParameterName -ErrorAction SilentlyContinue
    }
  
    #Set Subscription
    Write-Host "Setting Subscription"
    az account set -s $SubscriptionId
    if ($LASTEXITCODE -ne 0) { throw "az account set failed for subscription $SubscriptionId (exit code $LASTEXITCODE)" }
  
    try {
      # Build the CLI arguments; --slot is only added when a slot was supplied
      $azArgs = @('functionapp', 'identity', 'assign', '-g', $ResourceGroupName, '-n', $FunctionAppName)
      if ($Slot) { $azArgs += @('--slot', $Slot) }
      Write-Host "Assigning System Managed Identity for functionapp:$FunctionAppName$(if ($Slot) { " in $Slot Slot" })"
      az @azArgs
      # az is a native command: try/catch does not see its failures, so check the exit code explicitly
      if ($LASTEXITCODE -ne 0) { throw "az functionapp identity assign failed with exit code $LASTEXITCODE" }
      Write-Host "##[debug] -----Completed Assign-SystemManagedIdentityFunctionApp-----" -ForegroundColor Cyan
    }
    catch [Exception] {
      Write-Host $_.Exception.Message
      Write-Host "`nError in Line: " $_.InvocationInfo.Line
      Write-Host "`nError in Line Number: "$_.InvocationInfo.ScriptLineNumber
      throw $_.Exception.Message
    } 
  }

  Assign-SystemManagedIdentityFunctionApp -FunctionAppName "samplefunc-rg" -ResourceGroupName "sample-rg"  -SubscriptionId "6ba2dfac-9ebd" 

Step 3. Validate in Azure Portal

  • Validate in the Azure Portal that the identity has been assigned to the Function App.
  • Navigate to Function App -> Left Menu -> Identity. On the System assigned tab the Status should read On and an Object (principal) ID is shown; this is the principal you grant roles to.
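As an added example that is not part of the original post, the following PowerShell continues from the script above: it assigns the identity, captures the principalId the CLI returns, grants that principal the least-privilege Key Vault Secrets User role on a vault (the permission step mentioned under Current Approaches and Use Case 1), and verifies the assignment from the CLI instead of the portal, which is what you want in a pipeline. The resource group, function app and key vault names are assumptions.

```powershell
# Added example (not from the original post). Assumed resource names:
$ResourceGroupName = "sample-rg"
$FunctionAppName   = "samplefunc"
$KeyVaultName      = "sample-kv"

# 1. Assign the system-assigned identity. The call is idempotent: re-running it
#    returns the existing identity rather than creating a new principal.
$identityJson = az functionapp identity assign -g $ResourceGroupName -n $FunctionAppName -o json
if ($LASTEXITCODE -ne 0) { throw "az functionapp identity assign failed (exit code $LASTEXITCODE)" }
$identity    = $identityJson | ConvertFrom-Json
$principalId = $identity.principalId
Write-Host "Function App principalId: $principalId"

# 2. Grant least-privilege access. "Key Vault Secrets User" is a data-plane role that
#    allows reading secret values only; the app cannot manage the vault or its policies.
#    The vault must use the Azure RBAC permission model for this to take effect.
$vaultId = az keyvault show -g $ResourceGroupName -n $KeyVaultName --query id -o tsv
if ($LASTEXITCODE -ne 0) { throw "az keyvault show failed for $KeyVaultName (exit code $LASTEXITCODE)" }

# Passing the object id together with the principal type avoids a Microsoft Graph lookup,
# which can fail for a principal that was created seconds ago and has not replicated yet.
az role assignment create `
    --assignee-object-id $principalId `
    --assignee-principal-type ServicePrincipal `
    --role "Key Vault Secrets User" `
    --scope $vaultId | Out-Null
if ($LASTEXITCODE -ne 0) { throw "az role assignment create failed (exit code $LASTEXITCODE)" }

# 3. Verify without the portal: the identity type must be SystemAssigned and the
#    principalId must match the one the role was granted to.
$shown = az functionapp identity show -g $ResourceGroupName -n $FunctionAppName -o json | ConvertFrom-Json
if ($LASTEXITCODE -ne 0) { throw "az functionapp identity show failed (exit code $LASTEXITCODE)" }
if ($shown.type -notmatch 'SystemAssigned' -or $shown.principalId -ne $principalId) {
    throw "Identity verification failed: type=$($shown.type) principalId=$($shown.principalId)"
}
Write-Host "System-assigned identity $principalId verified and granted Key Vault Secrets User on $KeyVaultName"
```

If the vault still uses the older access-policy model, replace the role assignment with az keyvault set-policy -n $KeyVaultName --object-id $principalId --secret-permissions get list; either way, grant only the data-plane permissions the function actually needs rather than a broad role such as Contributor on the vault. For a deployment slot, add --slot to the assign and show calls: each slot has its own system-assigned identity and needs its own role assignment.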

Conclusion

Automating the assignment of System Managed Identities to Azure Function Apps using PowerShell enhances security and efficiency in managing access to Azure resources. This method ensures that identities are consistently applied across different environments and reduces the risk associated with manual processes. By integrating this script into your deployment pipelines, you can streamline your workflows and focus on developing robust, secure applications.