| author | mattchenderson |
|---|---|
| ms.author | mahender |
| ms.service | azure-app-service |
| ms.subservice | web-apps |
| ms.topic | include |
| ms.date | 06/28/2024 |
You can configure Azure Blob Storage to authorize requests with Microsoft Entra ID. Instead of generating a SAS token with an expiration, you can then rely on the application's managed identity. By default, the app's system-assigned identity is used. If you wish to specify a user-assigned identity, you can set the `WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID` app setting to the resource ID of that identity. The setting also accepts `SystemAssigned` as a value, which is equivalent to omitting the setting.
To enable the package to be fetched using the identity:

- Ensure that the blob is configured for private access.
- Grant the identity the Storage Blob Data Reader role with scope over the package blob. See Assign an Azure role for access to blob data for details on creating the role assignment.
- Set the `WEBSITE_RUN_FROM_PACKAGE` application setting to the blob URL of the package. This URL is usually of the form `https://{storage-account-name}.blob.core.windows.net/{container-name}/{path-to-package}` or similar.
- If you wish to specify a user-assigned identity, set the `WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID` app setting to the resource ID of that identity. The setting also accepts `SystemAssigned` as a value, although this is the same as omitting the setting altogether. A resource ID is the standard representation for a resource in Azure. For a user-assigned managed identity, it has the form `/subscriptions/subid/resourcegroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name`. The resource ID of a user-assigned managed identity can be found under Settings -> Properties -> ID for that identity.
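As an added example (not part of this article), the following Azure CLI script applies these steps for a user-assigned identity; every subscription, resource group, account, container, path and identity name in it is a placeholder. It scopes the role assignment to the container that holds the package, the narrowest standard RBAC scope for blob data, and disables anonymous blob access at the account level to satisfy the private-access requirement.

```shell
#!/bin/sh
# Added example, not part of the original article: configure Run From Package
# to pull a private blob with a user-assigned managed identity via Azure CLI.
# Every name and ID below is a placeholder; replace them with your own values.
set -eu

SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"  # placeholder
RESOURCE_GROUP="rg-name"
APP_NAME="app-name"
STORAGE_ACCOUNT="storage-account-name"
CONTAINER="container-name"
PACKAGE_PATH="releases/app.zip"
IDENTITY_NAME="identity-name"

# Blob URL for WEBSITE_RUN_FROM_PACKAGE (the form quoted in the article).
package_url() {
  printf 'https://%s.blob.core.windows.net/%s/%s' "$1" "$2" "$3"
}

# Resource ID of a user-assigned identity, for WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID.
identity_resource_id() {
  printf '/subscriptions/%s/resourcegroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s' \
    "$1" "$2" "$3"
}

# Narrowest RBAC scope for blob data: the container that holds the package.
container_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' \
    "$1" "$2" "$3" "$4"
}

apply() {
  url=$(package_url "$STORAGE_ACCOUNT" "$CONTAINER" "$PACKAGE_PATH")
  mi_id=$(identity_resource_id "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$IDENTITY_NAME")
  scope=$(container_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$CONTAINER")
  # 1. No blob in the account may be anonymously readable, so the package is private.
  az storage account update -g "$RESOURCE_GROUP" -n "$STORAGE_ACCOUNT" --allow-blob-public-access false
  # 2. Give the identity read-only blob data access, limited to the package container.
  principal=$(az identity show -g "$RESOURCE_GROUP" -n "$IDENTITY_NAME" --query principalId -o tsv)
  az role assignment create --assignee-object-id "$principal" --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Reader" --scope "$scope"
  # 3. Attach the identity to the app and point the app at the package.
  az webapp identity assign -g "$RESOURCE_GROUP" -n "$APP_NAME" --identities "$mi_id"
  az webapp config appsettings set -g "$RESOURCE_GROUP" -n "$APP_NAME" --settings \
    WEBSITE_RUN_FROM_PACKAGE="$url" WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID="$mi_id"
}

# Run the Azure CLI steps only when asked, so the helpers can be sourced or checked alone.
if [ "${1:-}" = "apply" ]; then apply; fi
```

Invoke as `sh run-from-package-mi.sh apply` after `az login`; without the argument the script only defines the helpers.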