Was Sie Gutes mit uns verbinden können

FunctionApps to KeyVault authorization using ManagedIdentities

Centralizing storage of application secrets in Azure Key Vault allows to control their distribution. It reduces chances that secrets may be accidentally leaked because there is no longer needed to store security information in application and to make this information part of the code.

For example, an application may need to connect to a database. Instead of storing the connection string in the code, it is better to store it securely in Key Vault.

To authenticate to Azure Key Vault is possible to use shared secret or a certificate, but they should be stored in configuration files or code which make it not so secure. To make access to the Key Vault more secure is possible to use managed identity and AD authentication.

Configuration steps

  • To get access to Key Vault from function application and to read keys and secrets using user-assigned managed identity, first of all a user-assigned managed identity must be created.
  • Then it must be assigned to the function application at Identity settings to grant app rights to use this identity.
  •  At the next step by the Key Vault application at Access Policies, needed permissions for manipulating with the Key Vault data must be granted to user-assigned managed identity.
  • At the end, AzureServicesAuthConnectionString with user-assigned managed identity ClientId must be added into Application settings of function application [2].


  1. Using AzureServicesAuthConnectionString, function requests authorization token from active directory.
  2. Active directory validates received in connection string user-assigned managed identity and if it was successfully validated, sends authorization token as a response.
  3. Function sends request with authentication token to KeyVault.
    1. KeyVault automatically sends request to active directory to validate token.
    2. Active directory validates token and send response.
  4. If token was successfully validated by active directory and managed identity has permission for requested action (for example to read secret), KeyVault executes this action (sends secret to the function).


  1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
  2. https://docs.microsoft.com/en-us/azure/key-vault/service-to-service-authentication
  3. https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet
  4. https://www.c-sharpcorner.com/article/azure-key-vault/



© QUIBIQ GmbH · Impressum · Datenschutz