Description
When using Azure Function App with VNET integration and forced tunneling, Managed Identity token acquisition fails unless the undocumented property
outboundVnetRouting.managedIdentityTraffic is explicitly set to false.
This property is not consistently documented and its default behavior is unclear, leading to broken Managed Identity authentication in secure network designs.
Scenario
- Azure Function App
- System-assigned Managed Identity enabled
- Regional VNET Integration
- outboundVnetRouting.allTraffic = true
- Subnet has UDR (e.g. 0.0.0.0/0 → NVA / Firewall)
Expected behavior
Managed Identity token issuance should work as long as IMDS is reachable (as per existing documentation).
Actual behavior
Managed Identity token issuance fails unless:
outboundVnetRouting.managedIdentityTraffic = false
is explicitly set.
When set to false, token acquisition works immediately without any other changes.
Observed errors
- ManagedIdentityCredential authentication unavailable
- Failed to acquire MSI token
- Timeouts when calling IMDS / IDENTITY_ENDPOINT
- SQL / Key Vault authentication failures that appear unrelated to networking
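
A diagnostic probe for the failure described above, as an added example that is not part of the original report. It assumes it runs inside the Function App, where the platform exposes the `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` environment variables used by the App Service managed identity REST protocol; the verdict names are hypothetical. It separates "no answer from the endpoint" (a routing symptom) from "the endpoint answered with an error" (an identity or resource problem).

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "2019-08-01"  # App Service / Functions identity endpoint version


def probe_identity_endpoint(resource, env=os.environ,
                            opener=urllib.request.urlopen, timeout=5):
    """Request one token; return (verdict, detail). Verdict names are illustrative."""
    endpoint = env.get("IDENTITY_ENDPOINT")
    secret = env.get("IDENTITY_HEADER")
    if not endpoint or not secret:
        return "no-identity", "IDENTITY_ENDPOINT / IDENTITY_HEADER are not set"
    query = urllib.parse.urlencode({"resource": resource, "api-version": API_VERSION})
    req = urllib.request.Request(f"{endpoint}?{query}",
                                 headers={"X-IDENTITY-HEADER": secret})
    try:
        with opener(req, timeout=timeout) as resp:
            body = json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        # The endpoint answered, so the network path works; check the
        # identity configuration or the resource URI instead.
        return "endpoint-rejected", f"HTTP {exc.code}"
    except OSError as exc:
        # Timeout, refused or unroutable: the symptom reported in this issue
        # when identity traffic follows the forced-tunnel route.
        return "unreachable", f"{type(exc).__name__}: {exc}"
    except ValueError:
        return "endpoint-rejected", "response was not JSON"
    if "access_token" not in body:
        return "endpoint-rejected", "response carried no access_token"
    # Report only that a token was issued; never print the token itself.
    return "ok", f"token issued, expires_on={body.get('expires_on')}"


if __name__ == "__main__":
    # Resource URI is an example; use the one your function authenticates to.
    print(probe_identity_endpoint("https://vault.azure.net"))
```

Running it before and after changing the routing property shows whether the verdict moves from `unreachable` to `ok`, which isolates the network path from SQL or Key Vault permission issues.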