From the Azure Function code perspective, it does not matter which storage account you use. The access operations will be the same.
Here is the PowerShell code:
# Connect to Microsoft Azure
Connect-AzAccount -Identity
# Create a context object using Entra ID credentials
$ctx = New-AzStorageContext -StorageAccountName $saName -UseConnectedAccount
# Get a list of all containers
$containers = Get-AzStorageContainer -Context $ctx
To perform a login, just use the "-Identity" flag, which will pick up the managed identity.
So, the first answer is definitely yes.
The second one...
There are complications related to the DNS name of the storage account. Microsoft uses ".blob.core.windows.net" DNS zone for the blob service of publicly available storage accounts, ".file.core.windows.net" for file service, and so on.
Your request to st0rag3acc0unt.blob.core.windows.net will be resolved to a publicly accessible IP address via public DNS.
When you make your storage account private, you will have to create a private endpoint for every service in use: blob, file, queue, table...
And then, you will have to create a private DNS zone for every service and record the storage account name in this private DNS zone.
Basically, your record in the private DNS zone should resolve the same name, "st0rag3acc0unt.blob.core.windows.net" to the private IP address of the private endpoint.
All of that means your function app code will not have any clue that it's working with a private service. And that is exactly how the function app works in my example.
Therefore, the answer is no, it does not. (However, to make it working smoothly, you will have to put some efforts to building that DNS and network infrastructure.)
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
I have two questions regarding Azure Function App access to a storage account using system-assigned managed identity and RBAC:
Public Storage Account:
Private VNet and Storage Account:
Essentially, I'm trying to understand the scope of the system-assigned managed identity's access from within the function app's execution environment.
These are pretty good questions!
From the Azure Function code perspective, it does not matter which storage account you use. The access operations will be the same.
Here is the PowerShell code:
Here is a link to the code in repo
To perform a login, just use the "-Identity" flag, which will pick up the managed identity.
So, the first answer is definitely yes.
The second one...
There are complications related to the DNS name of the storage account. Microsoft uses ".blob.core.windows.net" DNS zone for the blob service of publicly available storage accounts, ".file.core.windows.net" for file service, and so on.
Your request to st0rag3acc0unt.blob.core.windows.net will be resolved to a publicly accessible IP address via public DNS.
When you make your storage account private, you will have to create a private endpoint for every service in use: blob, file, queue, table...
And then, you will have to create a private DNS zone for every service and record the storage account name in this private DNS zone.
Basically, your record in the private DNS zone should resolve the same name, "st0rag3acc0unt.blob.core.windows.net" to the private IP address of the private endpoint.
All of that means your function app code will not have any clue that it's working with a private service. And that is exactly how the function app works in my example.
Therefore, the answer is no, it does not. (However, to make it working smoothly, you will have to put some efforts to building that DNS and network infrastructure.)