# Secure Your Azure Functions: Use Managed Identity for AzureWebJobsStorage

When using an Azure Function app, it is necessary to connect it to a storage account, often referred to as Host storage. This storage is utilized by the Functions runtime, as well as by various triggers and bindings to coordinate between multiple running instances. It is also used for host logs and managing state, among other purposes. The Azure Function app establishes a connection to this storage account through the `AzureWebJobsStorage` configuration. By default, `AzureWebJobsStorage` is configured with a connection string to the storage account that uses an **account key**. However, this approach poses a security risk, as it requires careful management of key storage, key rotation, and other security considerations.

As a best practice, it is recommended to use *Azure Managed Identity* (often referred to as MSI) whenever possible when connecting to storage accounts and other Azure services. With managed identity, Azure automatically manages secure access to Azure resources without the need for providing explicit credentials in code or configuration.

This article guides you through the process of using managed identity for `AzureWebJobsStorage`. At a high level, the following steps are required:

1. Enable system-assigned managed identity for the function app.
    
2. Grant the function's identity access to the storage account.
    
3. Edit the `AzureWebJobsStorage` configuration.
    

### Enable system-assigned managed identity for the function app

1. In the Azure portal, navigate to the Azure Function app.
    
2. Select the **Identity** option from the menu blade.
    
3. On the **System assigned** tab, set the status to "**On**" and **Save** it.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700075505278/837551b6-cc5f-4a33-a532-7234a25c6173.png align="center")
    

### Grant the function's identity access to the storage account

Create a role assignment granting the system-assigned identity access to the storage account.

1. Navigate to the storage account that was created with the function app.
    
2. Select **Access Control (IAM)**. You can view and configure who has access to the resources from IAM.
    
3. Click **Add** and select **Add Role Assignment**.
    
4. Search for the '**Storage Blob Data Owner**' role, select it, and click **Next**.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700074195364/ecd11bea-713c-4ecd-a577-67b2f0b5bf7c.png align="center")
    
5. On the **Members** tab, under **Assign access to**, select **Managed Identity**.
    
6. Click **Select members** to open the identities side panel.
    
7. Choose the right **Subscription**, and in the managed identity selector, choose **Function App** from the **System-assigned managed identity** category.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700074365123/0b45bf24-860c-4f8f-9563-b6e8714b4fe8.png align="center")
    
8. The function app should appear in a list below the input fields. Click on the function app name, and it should now be part of the selected members section. Click **Select**.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700074663019/911ce561-59f0-4f57-be93-b38d2b82bcb1.png align="center")
    
9. Back on the **Add Role Assignment** page, click **Review + assign**. Review the changes, and then click **Review + assign**.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700074792788/abbbeaae-914b-4840-bdae-5de011753401.png align="center")
    

### Edit the 'AzureWebJobsStorage' configuration

Next, update your function app to use the system-assigned identity when connecting to the blob service.

1. Navigate to your function app, and under **Settings**, select **Configuration**.
    
2. Select the **Edit** button next to the **AzureWebJobsStorage** application setting.
    
3. Under **Name**, change the text from '**AzureWebJobsStorage**' to '**AzureWebJobsStorage\_\_accountName**' This modified setting instructs the host to use the identity instead of looking for a stored secret. Please note that the new setting uses `__` (double underscore), which is a special character in application settings.
    
4. Under **Value**, input your **storage account name**, i.e., replace the connection string with just the storage account name.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700074966971/a49f8ca7-d861-4d2d-a5e7-a9cabb76ec85.png align="center")
    
5. Select **OK**, and then click on **Save** &gt; **Continue** to save your changes.
    

You have now successfully configured the Azure function to connect to the storage account using managed identity instead of the storage connection string containing credentials.

## Final thoughts

In this article, we have looked at the essential steps to fortify the security of your Azure Functions when connecting to the host storage account. By embracing the best practice of utilizing Azure Managed Identity (MSI), we mitigate security risks associated with managing account keys and elevate the overall protection of our applications.

This article used the system-assigned managed identity of the function app to connect to the storage account, but even a user-assigned managed identity can be used while granting necessary access to the function & storage account. The use of Managed Identity streamlines the authentication process, eliminating the need for explicit credentials in your code or configurations.

Take charge of your application's security journey, and let Managed Identity be your trusted companion in the realm of Azure services.

Happy coding and stay secure!
