Azure MSI: Connect Using PowerShell Or .NET?

Managed Service Identity (MSI) was introduced last year. Since then quite a few articles have been written about it:

  1. Use a Windows VM Managed Service Identity (MSI) to access Azure Key Vault
  2. Azure SQL authentication with a Managed Service Identity

MSI gives your code an automatically managed identity for authenticating to Azure services, so that you can keep credentials out of your code.

For most services, MSI can be enabled using PowerShell, ARM templates, or the Portal.

Enabling and configuring MSI is usually performed in 3 steps:

  1. Enable MSI for the source resource
  2. Grant the application service principal (SPN) access to the target resource
  3. Add MSI authentication to the code hosted on the source resource
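The following is an added example (not code from the original post or its GitHub solution) of step 3 for a PowerShell function app: request a token from the App Service MSI endpoint and open the Azure SQL connection with that token instead of a password. It assumes the App Service MSI environment variables MSI_ENDPOINT and MSI_SECRET (API version 2017-09-01), a .NET SqlClient that exposes the AccessToken property, and the placeholders <server> and <database>.

```powershell
# Added example, not part of the original post. Assumes the App Service MSI
# endpoint (MSI_ENDPOINT / MSI_SECRET, api-version 2017-09-01) and a SqlClient
# with the SqlConnection.AccessToken property. <server> / <database> are placeholders.

function Get-MsiSqlToken {
    # The Azure SQL resource URI must carry the trailing slash; without it the
    # token request does not yield a usable token for the database.
    param([string]$Resource = 'https://database.windows.net/')

    if (-not $env:MSI_ENDPOINT -or -not $env:MSI_SECRET) {
        # Fail closed: if MSI is not enabled, SqlClient would otherwise attempt a
        # credential-less login and surface the NT AUTHORITY\ANONYMOUS LOGON error.
        throw 'MSI_ENDPOINT / MSI_SECRET not set: Managed Service Identity is not enabled for this app.'
    }

    $uri = '{0}?resource={1}&api-version=2017-09-01' -f $env:MSI_ENDPOINT, [uri]::EscapeDataString($Resource)
    $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Secret = $env:MSI_SECRET }

    if ([string]::IsNullOrWhiteSpace($resp.access_token)) {
        throw "MSI endpoint returned no access_token for resource '$Resource'."
    }
    return $resp.access_token
}

function Open-MsiSqlConnection {
    param(
        [Parameter(Mandatory)][string]$Server,    # e.g. '<server>.database.windows.net'
        [Parameter(Mandatory)][string]$Database   # e.g. '<database>'
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection
    # No User ID / Password in the connection string: the identity comes from the token only.
    $conn.ConnectionString = "Server=tcp:$Server,1433;Database=$Database;Encrypt=True;Connection Timeout=30;"
    $conn.AccessToken = Get-MsiSqlToken
    $conn.Open()

    # Verify which principal SQL actually authenticated (should be the MSI identity,
    # i.e. the user created for the app in step 2, never an anonymous logon).
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT SUSER_SNAME()'
    $who = $cmd.ExecuteScalar()
    Write-Output "Connected to $Database as $who"
    return $conn
}

$sql = Open-MsiSqlConnection -Server '<server>.database.windows.net' -Database '<database>'
$sql.Close()
```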

An example using Azure Functions can be found on GitHub.

I was surprised, though, to find out that connecting to Azure SQL using PowerShell with MSI does not work when hosted in a function app.

Also included in the Visual Studio solution is the function app running in PowerShell. It fails to log into Azure SQL Server with the following error:

Exception while executing function: Functions.dm_pdw_exec_sessions. Microsoft.Azure.WebJobs.Script: PowerShell script error. System.Management.Automation: Exception calling "Open" with "0" argument(s): "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.". .Net SqlClient Data Provider: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON

At this point I suspect impersonation is working correctly with IIS hosting the function app.

2 thoughts on “Azure MSI: Connect Using PowerShell Or .NET?”

  1. MWilliamson

    piro – I think that if you add a backslash to the resource URI then you’ll resolve your issue. I saw your code on StackOverflow and if you change your $sqlTokenURI from this:

    $sqlTokenURI = "https://database.windows.net&api-version=2017-09-01"

    to this:

    $sqlTokenURI = "https://database.windows.net/&api-version=2017-09-01"

    Then you’ll have success!

  2. Christian Jacob

    I have the same problem. I followed this article to get things up and running: http://azurecorner.com/using-managed-service-identity-in-azure-functions-to-access-azure-sql-database/ and because using the ConfigurationManager the way described to retrieve the SQL connection string does not work in my Azure Functions project generated using VS 2017 with dotnetcore 2.x, I followed this article to also get this working: https://blog.jongallant.com/2018/01/azure-function-config/

    The funny thing is:
    When starting the Azure Functions project locally on my dev machine running in the Azure Emulator, it simply works, even connecting to the production Azure SQL Database hosted on Azure in the cloud!

    When publishing the project to the cloud and running from the portal, I also get the login error you mention in your article and I just cannot find out why.

    Do you have any hint?
