[Solved] Azure Function with Managed Identity Enabled: PowerShell Function Reports Error: ERROR: ManagedIdentityCredential authentication failed

Problem Description

A PowerShell Function that logs in to Azure China and retrieves Azure AD user information fails with the following error: [Error] ERROR: ManagedIdentityCredential authentication failed: An unexpected error occured while fetching the AAD Token. Please contact support with this provided Correlation IdStatus: 500 (Internal Server Error).


Problem Analysis

The error occurs at the login step in PowerShell. Because the Function App runs in Azure China, Connect-AzAccount needs -Environment set to AzureChinaCloud when it logs in.

The PowerShell Function App automatically adds the profile.ps1 file to the root directory. The default file content is:

# Azure Functions profile.ps1
# This profile.ps1 will get executed every "cold start" of your Function App. 
# "cold start" occurs when:
# * A Function App starts up for the very first time 
# * A Function App starts up after being de-allocated due to inactivity
# You can define helper functions, run commands, or specify environment variables 
# NOTE: any variables defined that are not environment variables will get reset after the first execution

# Authenticate with Azure PowerShell using MSI. 
# Remove this if you are not planning on using MSI or Azure PowerShell. 
if ($env:MSI_SECRET) {
    Disable-AzContextAutosave -Scope Process | Out-Null
    Connect-AzAccount -Identity
}

# Uncomment the next line to enable legacy AzureRm alias in Azure PowerShell. 
# Enable-AzureRmAlias

# You can also define functions or aliases that can be referenced in any of your PowerShell functions.

As shown, the default Connect-AzAccount -Identity does not specify -Environment, so when the Function runs it connects to Global Azure by default, and the ManagedIdentityCredential authentication failed error appears.

PS: If Managed Identity is not enabled, $env:MSI_SECRET evaluates to False and the code inside the if block in profile.ps1 will not be executed.



On the Function App page, click App Service Editor, and modify the profile.ps1 file.


Connect-AzAccount -Environment AzureChinaCloud -Identity



The screenshot of the operation is as follows:

After the modification, go back to the Function -> Code + Test page and run the test again; the problem disappears.

using namespace System.Net

# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)

# Write to the Azure Functions log stream.
Write-Host "PowerShell HTTP trigger function processed a request."
# Debug output only: this prints the managed identity secret to the log stream.
# Remove this line once troubleshooting is finished.
Write-Host $env:MSI_SECRET

# Interact with query parameters or the body of the request.
$name = $Request.Query.Name
if (-not $name) {
    $name = $Request.Body.Name
}

$body = "This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response."

if ($name) {
    $body = "Hello, $name. This HTTP triggered function executed successfully."
}

# Log in to Azure China with the managed identity.
Connect-AzAccount -Environment AzureChinaCloud -Identity
# Get user information.
Get-AzADUser -First 2 -Select 'City' -AppendSelected

# Associate values to output bindings by calling 'Push-OutputBinding'.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::OK
    Body = $body
})

Note: For Connect-AzAccount to run successfully, you need to add 'Az' = '7.*' in requirements.psd1 so that the Function App instance installs the Az module. If the Function needs other PowerShell modules, add them here as well.

# This file enables modules to be automatically managed by the Functions service. 
# See https://aka.ms/functionsmanageddependency for additional information.
@{
    # For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'.
    # To use the Az module in your function app, please uncomment the line below.
    'Az' = '7.*'
}
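
The profile.ps1 change described above, written so that the cloud name comes from an app setting instead of being hardcoded and the resulting session is checked against the intended cloud. This is an added example, not code from the original post; the function name Connect-FunctionIdentity and the app setting name CLOUD_ENVIRONMENT are assumptions.

```powershell
# profile.ps1 fragment (added example).
# CLOUD_ENVIRONMENT is a hypothetical app setting, not one Azure Functions defines.
function Connect-FunctionIdentity {
    param(
        # Az environment name, e.g. AzureCloud or AzureChinaCloud.
        [string]$EnvironmentName = $env:CLOUD_ENVIRONMENT
    )

    # Fall back to the Az default when the setting is absent.
    if (-not $EnvironmentName) { $EnvironmentName = 'AzureCloud' }

    # Reject names the installed Az module does not know, so a typo in the
    # app setting is reported clearly instead of as a token error.
    $known = Get-AzEnvironment | Select-Object -ExpandProperty Name
    if ($known -notcontains $EnvironmentName) {
        throw "Unknown Azure environment '$EnvironmentName'. Known: $($known -join ', ')"
    }

    Disable-AzContextAutosave -Scope Process | Out-Null
    try {
        Connect-AzAccount -Identity -Environment $EnvironmentName -ErrorAction Stop | Out-Null
    }
    catch {
        # Log the target cloud and the error text only, never $env:MSI_SECRET.
        Write-Warning "Managed identity login to '$EnvironmentName' failed: $($_.Exception.Message)"
        throw
    }

    # Confirm the session is bound to the intended cloud.
    $ctx = Get-AzContext
    if ($ctx.Environment.Name -ne $EnvironmentName) {
        throw "Connected to '$($ctx.Environment.Name)', expected '$EnvironmentName'."
    }
    Write-Host "Managed identity signed in to $($ctx.Environment.Name)."
}

# Same guard as the default profile.ps1: only run when Managed Identity is enabled.
if ($env:MSI_SECRET) {
    Connect-FunctionIdentity
}
```

With CLOUD_ENVIRONMENT set to AzureChinaCloud in the Function App's application settings, this performs the same login as the fixed line above.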
