We’re trying to connect an Azure Function App (Isolated process) to an Azure Service Bus Queue using a Managed Identity, but we’re constantly hitting an error when the function starts.
Setup
Function App (.NET Isolated)
Service Bus Queue: test-queue
Trigger code:
using System;
using System.Threading.Tasks;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;

public class ServiceBusFunctions
{
    // "ServiceBusFullyQualifiedNamespace" is the connection *name*; the host resolves it
    // by looking up app settings that start with that name.
    [Function("ServiceBusTriggerProcessor")]
    public async Task ServiceBusTriggerProcessor(
        [ServiceBusTrigger("test-queue", Connection = "ServiceBusFullyQualifiedNamespace")] string messageBody,
        FunctionContext context)
    {
        var logger = context.GetLogger("ServiceBusTriggerProcessor");
        try
        {
            var deserializeModel = JsonConvert.DeserializeObject<object>(messageBody);
            logger.LogInformation("Service Bus message deserialized: {Model}", deserializeModel);
        }
        catch (Exception ex)
        {
            // Log the exception object too so the stack trace lands in Application Insights.
            logger.LogError(ex, "Error in ServiceBusTriggerProcessor: {Message}", ex.Message);
            throw; // rethrow so the message is abandoned and retried instead of being completed
        }
        await Task.CompletedTask;
    }
}
What we did so far (we tried both a system-assigned and a user-assigned identity but hit the same issue)
Managed Identity
Assigned the Function App’s MI to the Service Bus namespace. Roles added: Azure Service Bus Data Owner, Azure Service Bus Data Receiver, Azure Service Bus Data Sender.
App Settings
Added:
ServiceBusFullyQualifiedNamespace = <namespace>.servicebus.windows.net
AzureWebJobsServiceBus__fullyQualifiedNamespace = <namespace>.servicebus.windows.net
No connection string configured (since using MI).
Packages
Using Microsoft.Azure.Functions.Worker.Extensions.ServiceBus v5.15
Observed issue
Function app fails on startup with:
The listener for function 'Functions.ServiceBusTriggerProcessor' was unable to start.
We also tried passing a token manually (JWT), but that didn’t help either; it shows the error below in the Kudu console.
System.UnauthorizedAccessException: 401 Unauthorized
Has anyone faced this exact 401 issue with Function App + Service Bus + Managed Identity? I’m wondering if it’s enough to just use the Azure Service Bus Data Receiver role, or if having multiple roles can actually cause conflicts. Also curious whether there are any hidden problems with the isolated worker + MI auth setup that we might be overlooking.
According to the documentation:
The connection property for the ServiceBusTrigger attribute should be: ServiceBusConnection
You should have an app setting ServiceBusConnection__fullyQualifiedNamespace = your-servicebus-namespace.servicebus.windows.net
If you're using a user-assigned identity, you need to add these app settings:
ServiceBusConnection__credential = managedIdentity
ServiceBusConnection__clientId = <ClientId of User-assigned Managed Identity>
In your code, the name of the connection is ServiceBusFullyQualifiedNamespace so if you want to keep the connection name the same, you need to create these settings:
ServiceBusFullyQualifiedNamespace__fullyQualifiedNamespace
ServiceBusFullyQualifiedNamespace__credential
ServiceBusFullyQualifiedNamespace__clientId
The general rule is:
<ConnectionName>__fullyQualifiedNamespace
<ConnectionName>__credential
<ConnectionName>__clientId
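The resolution rule the answer describes, as an added example that is not part of the question or the answer and is not Azure SDK code. It is a small Python model of how the Functions host interprets app settings for a trigger's Connection name, written from the documented convention (assumptions: a flat value is passed through to the SDK as a connection string, `<ConnectionName>__…` keys form an identity-based connection, `credential` must be `managedIdentity` when present, and the host tries the `AzureWebJobs`-prefixed name before the bare one). The sample settings are constructed; the namespace and client id are placeholders, not real resources.

```python
"""Model of how the Functions host turns app settings into a Service Bus connection.

Not the SDK's code: it mimics the documented rules so the two configurations from
the thread (bare host name vs. <ConnectionName>__fullyQualifiedNamespace) can be
compared side by side.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SEPARATOR = "__"  # .NET configuration maps "__" to ":" i.e. a nested section


@dataclass(frozen=True)
class ResolvedConnection:
    mode: str                         # "identity", "connection_string" or "invalid"
    source_key: str                   # app-setting name (or prefix) that was used
    namespace: Optional[str] = None
    credential: Optional[str] = None  # "managedIdentity" or "default" (DefaultAzureCredential chain)
    client_id: Optional[str] = None   # user-assigned identity, when given
    reason: Optional[str] = None      # why an "invalid" result was produced


def _section(settings: Dict[str, str], name: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (flat value, child keys) for `name`; keys match case-insensitively like .NET config."""
    lname = name.lower()
    flat: Optional[str] = None
    children: Dict[str, str] = {}
    for key, value in settings.items():
        lkey = key.lower()
        if lkey == lname:
            flat = value
        elif lkey.startswith(lname + SEPARATOR):
            children[lkey[len(lname) + len(SEPARATOR):]] = value
    return flat, children


def _endpoint_host(connection_string: str) -> str:
    """Extract the namespace host from the Endpoint=sb://... token of a connection string."""
    for part in connection_string.split(";"):
        k, _, v = part.partition("=")
        if k.strip().lower() == "endpoint":
            v = v.strip().lower()
            if v.startswith("sb://"):
                v = v[len("sb://"):]
            return v.rstrip("/")
    return ""


def resolve_connection(settings: Dict[str, str], connection_name: str) -> ResolvedConnection:
    """Resolve the `Connection` property of a ServiceBusTrigger against app settings."""
    # Assumption from the WebJobs convention: the prefixed name wins over the bare name.
    for key in ("AzureWebJobs" + connection_name, connection_name):
        flat, children = _section(settings, key)
        if flat is None and not children:
            continue  # nothing under this name; try the next candidate
        if children:
            # Identity-based connection: <name>__fullyQualifiedNamespace is mandatory.
            namespace = children.get("fullyqualifiednamespace")
            if not namespace:
                return ResolvedConnection("invalid", key, reason="missing __fullyQualifiedNamespace")
            credential = children.get("credential")
            if credential is not None and credential.lower() != "managedidentity":
                return ResolvedConnection("invalid", key, reason=f"unsupported credential {credential!r}")
            return ResolvedConnection(
                "identity", key, namespace=namespace,
                credential="managedIdentity" if credential else "default",
                client_id=children.get("clientid"))
        # Flat value: handed to the SDK as a connection string, so a bare host name such as
        # "<ns>.servicebus.windows.net" (the asker's setting) cannot be parsed.
        if "endpoint=sb://" in flat.lower():
            return ResolvedConnection("connection_string", key, namespace=_endpoint_host(flat))
        return ResolvedConnection("invalid", key,
                                  reason="flat value is not an Endpoint=sb://... connection string")
    return ResolvedConnection("invalid", connection_name, reason="no app setting found")


# Constructed sample settings (placeholder namespace and client id).
ASKER_SETTINGS = {
    "ServiceBusFullyQualifiedNamespace": "contoso-sb.servicebus.windows.net",
    "AzureWebJobsServiceBus__fullyQualifiedNamespace": "contoso-sb.servicebus.windows.net",
}
FIXED_USER_ASSIGNED = {
    "ServiceBusFullyQualifiedNamespace__fullyQualifiedNamespace": "contoso-sb.servicebus.windows.net",
    "ServiceBusFullyQualifiedNamespace__credential": "managedIdentity",
    "ServiceBusFullyQualifiedNamespace__clientId": "11111111-2222-3333-4444-555555555555",
}
FIXED_SYSTEM_ASSIGNED = {
    "ServiceBusFullyQualifiedNamespace__fullyQualifiedNamespace": "contoso-sb.servicebus.windows.net",
}

if __name__ == "__main__":
    for label, cfg in (("asker", ASKER_SETTINGS), ("user-assigned", FIXED_USER_ASSIGNED),
                       ("system-assigned", FIXED_SYSTEM_ASSIGNED)):
        print(label, resolve_connection(cfg, "ServiceBusFullyQualifiedNamespace"))
    # AzureWebJobsServiceBus__* only applies to the default connection name "ServiceBus",
    # i.e. when the trigger's Connection property is omitted.
    print("default", resolve_connection(ASKER_SETTINGS, "ServiceBus"))
```

Running it shows the asker's settings resolving to an unparsable connection string under the name the trigger actually uses, while the `AzureWebJobsServiceBus__fullyQualifiedNamespace` setting they added is only picked up for the default connection name; the corrected `<ConnectionName>__…` settings resolve to an identity-based connection with either the system-assigned identity or the given client id.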