Azure App Service and Functions team Blog

The latest from the App Service and Functions engineering teams

Announcing General Availability and Sovereign Cloud Support of Managed Service Identity for App Service and Azure Functions

Securing access between resources is an important part of modern cloud architectures, and we want to make that as simple as possible in Azure. Managed Service Identity (MSI) lets you securely connect to AAD-protected resources without needing to manage or rotate any secrets. If you need to work with a service that doesn’t support AAD, MSI makes it easy to work with Azure Key Vault for secure secret management. This gives you secure access to resources without your application needing any bootstrapping secrets.

Today, we are pleased to announce that App Service and Azure Functions support of MSI is now generally available! We are also lighting up support in Azure China, Azure Germany, and Azure Government. Users in those sovereign clouds can get started with the APIs today, and updates to the portal, CLI, and PowerShell for those environments will become available over the next few weeks.

You can get started using MSI today using any app in App Service and Azure Functions by checking out our documentation. Be sure to also check out the new preview support in Visual Studio for using Key Vault with Connected Services. While Key Vault is the most common use case, MSI has also proven a powerful tool for automation tasks, allowing you to easily start working with Azure Resource Manager APIs. You can also connect directly to a variety of services including Azure SQL and Azure Service Bus.

Please note that App Service on Linux and Web App for Containers do not yet support MSI. We are working on this and look forward to giving Linux users the same great turnkey identity story soon.

UX behavior change

If you used the feature during preview, you may have noticed that turning MSI off in the portal, CLI, or PowerShell actually just set an app setting: WEBSITE_DISABLE_MSI. This app setting disables the local token service but does not remove the identity itself. Going forward, the “off” indication will change the identity type to “None” which will also remove the identity from AAD. The WEBSITE_DISABLE_MSI app setting will no longer be affected by the enablement/disablement behaviors. We encourage users to move away from this setting if possible, as your site will now show MSI as “on” even if this setting is present. CLI and PowerShell commands will be updated in the coming weeks to remove the preview tag and reflect this behavior change.

Try it out!

We’re very excited to make our MSI support generally available. It’s an extremely powerful tool that dramatically simplifies connecting your application to other resources. Give it a try, and please be sure to share your feedback. As always, you can reach us in the Forums (App Service, Functions) or on UserVoice (App Service, Functions).