Azure App Service: User-Assigned Managed Identity not automatically configured in Deployment Center via Bicep

Konstantinos Anagnostou 20 Reputation points
2025-02-28T09:48:33.5333333+00:00

Hi,

I am deploying an Azure App Service using Bicep (Infrastructure as Code). I am assigning a User-Assigned Managed Identity (UMI) to the App Service, and I expect the Deployment Center to automatically use this UMI for pulling container images from my Azure Container Registry.

However, even though the UMI is correctly assigned to the App Service (I can verify this in the "Identity" blade), the Deployment Center does not automatically select the UMI. I have to manually select the UMI (from the dropdown) in the Deployment Center's "Registry Settings" and save it for the App Service to function correctly.

This manual step defeats the purpose of using Infrastructure as Code. I need a way to configure the Deployment Center's UMI selection through Bicep. In the following code snippet I have the relevant properties only.

resource resAppService 'Microsoft.Web/sites@2024-04-01' = {
  name: appServiceName
  location: location
  kind: appServiceKind
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${userManagedIdentityId}': {}
    }
  }
  properties: {
    siteConfig: {
      acrUserManagedIdentityID: userManagedIdentityId  // This seems to be ignored for Deployment Center
    }
  }
}

I'm using the acrUserManagedIdentityID property in the siteConfig, which seems like it should do the trick, but it doesn't. The UMI is assigned to the App Service, but the Deployment Center doesn't pick it up automatically.

Has anyone else encountered this? Is there a way to configure the Deployment Center's UMI selection through Bicep? I'm trying to avoid any manual steps after the deployment.

I've looked through the Bicep documentation, but I haven't found a clear solution. Any help or pointers would be greatly appreciated!

Azure App Service

1 answer

  1. Andriy Bilous 11,646 Reputation points MVP
    2025-02-28T20:27:09.9733333+00:00

    Hello

    It is possible by setting the acrUseManagedIdentityCreds property:

    siteConfig: {
      acrUseManagedIdentityCreds: true
      acrUserManagedIdentityID: 'string'
    }

    Here is a tutorial with the steps: https://learn.microsoft.com/en-us/azure/app-service/tutorial-custom-container?pivots=container-linux#configure-app-service-to-deploy-the-image-from-the-registry

    Here are the specific commands

    Grant the managed identity permission to access the container registry:

    az role assignment create --assignee <principal-id> --scope /subscriptions/<subscription-id>/resourceGroups/myResourceGroup/providers/Microsoft.ContainerRegistry/registries/<registry-name> --role "AcrPull"

    Configure your app to use the managed identity to pull from Azure Container Registry

    az resource update --ids /subscriptions/<subscription-id>/resourceGroups/myResourceGroup/providers/Microsoft.Web/sites/<app-name>/config/web --set properties.acrUseManagedIdentityCreds=True

    https://stackoverflow.com/questions/61912570/how-to-authenticate-with-azure-acr-from-azure-container-app-service
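
The two steps in the answer above (AcrPull on the registry, then the managed-identity pull settings) expressed in one Bicep file, as an added example that is not part of the original question or answer. The ARM schema describes acrUserManagedIdentityID as the identity's client ID, so the example passes `clientId` there and the resource ID only as the `userAssignedIdentities` key. The parameter names, the `kind` value and the image name are assumptions.

```bicep
// Added example; parameter names, kind and image name are assumptions.
param location string = resourceGroup().location
param appServiceName string
param appServicePlanId string
param registryName string   // existing ACR in this resource group
param identityName string   // existing user-assigned managed identity
param imageName string = 'myimage:latest'   // constructed sample value

resource umi 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: identityName
}

resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' existing = {
  name: registryName
}

// Built-in AcrPull role, granted on this one registry only (least privilege).
var acrPullRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')

resource acrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(acr.id, umi.id, acrPullRoleId)
  scope: acr
  properties: {
    roleDefinitionId: acrPullRoleId
    principalId: umi.properties.principalId   // object ID, used for RBAC
    principalType: 'ServicePrincipal'
  }
}

resource app 'Microsoft.Web/sites@2024-04-01' = {
  name: appServiceName
  location: location
  kind: 'app,linux,container'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${umi.id}': {}   // resource ID goes here
    }
  }
  properties: {
    serverFarmId: appServicePlanId
    siteConfig: {
      linuxFxVersion: 'DOCKER|${acr.properties.loginServer}/${imageName}'
      acrUseManagedIdentityCreds: true   // pull with managed identity, not admin credentials
      acrUserManagedIdentityID: umi.properties.clientId   // client ID, not resource ID
    }
  }
  dependsOn: [ acrPull ]   // role must exist before the first image pull
}
```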
