Uredi

Configure managed identity for Durable Task Scheduler

Durable Task Scheduler uses managed identity for authentication. You can use either a user-assigned or system-assigned managed identity. User-assigned identities are recommended because they aren't tied to the lifecycle of the app and can be reused after the app is deprovisioned.

This article covers two ways to configure managed identity:

  • Quick setup — A single CLI command that automates role assignment, identity attachment, and environment variable configuration.
  • Manual setup — Step-by-step instructions for full control over each configuration step.

Prerequisites

Durable Task Scheduler RBAC roles

You can grant the following Durable Task Scheduler related roles to an identity:

Role Description
Durable Task Data Contributor Role for all data access operations. This role is a superset of all other roles.
Durable Task Worker Role used by worker applications to interact with the Durable Task Scheduler. Assign this role if your app is used only for processing orchestrations, activities, and entities.
Durable Task Data Reader Role to read all Durable Task Scheduler data. Assign this role if you only need to list orchestrations and read entity payloads.

Note

Most apps require the Durable Task Data Contributor role.

Quick setup with az durabletask scheduler attach

The az durabletask scheduler attach command automates role assignment, identity attachment, and environment variable configuration in a single command.

The following example attaches a scheduler to a Function App using a user-assigned managed identity with the Durable Task Data Contributor role:

az durabletask scheduler attach \
  --resource-group RESOURCE_GROUP_NAME \
  --name SCHEDULER_NAME \
  --task-hub-name TASKHUB_NAME \
  --role-type contributor \
  --target /subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME/providers/Microsoft.Web/sites/FUNCTION_APP_NAME \
  --identity /subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME/providers/Microsoft.ManagedIdentity/userAssignedIdentities/IDENTITY_NAME

For a Container App:

az durabletask scheduler attach \
  --resource-group RESOURCE_GROUP_NAME \
  --name SCHEDULER_NAME \
  --task-hub-name TASKHUB_NAME \
  --role-type contributor \
  --target /subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME/providers/Microsoft.App/containerApps/CONTAINER_APP_NAME \
  --identity /subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME/providers/Microsoft.ManagedIdentity/userAssignedIdentities/IDENTITY_NAME

Note

If you omit the --identity parameter, the command uses the system-assigned managed identity instead.

For more information, see az durabletask scheduler attach.

Manual setup

If you need granular control over each step, follow the manual instructions below to assign RBAC, attach the identity, and configure environment variables individually.

Assign role-based access control (RBAC) to a managed identity resource

  1. Create a user-assigned managed identity

    az identity create -g RESOURCE_GROUP_NAME -n IDENTITY_NAME

  2. Set the assignee to identity resource created

    assignee=$(az identity show --name IDENTITY_NAME --resource-group RESOURCE_GROUP_NAME --query 'clientId' --output tsv)

  3. Set the scope. Use task hub scope for least-privilege access. Use scheduler scope only if the identity needs access to all task hubs in a scheduler.

    Task hub scope (recommended)

    scope="/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME/providers/Microsoft.DurableTask/schedulers/SCHEDULER_NAME/taskHubs/TASKHUB_NAME"

    Scheduler scope (all task hubs)

    scope="/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME/providers/Microsoft.DurableTask/schedulers/SCHEDULER_NAME"

  4. Grant access. Run the following command to create the role assignment and grant access.

    az role assignment create \
  --assignee "$assignee" \
  --role "Durable Task Data Contributor" \
  --scope "$scope"

    Expected output

    The following output example shows a developer identity assigned with the Durable Task Data Contributor role on the scheduler level:

    {
  "condition": null,
  "conditionVersion": null,
  "createdBy": "YOUR_DEVELOPER_CREDENTIAL_ID",
  "createdOn": "2024-12-20T01:36:45.022356+00:00",
  "delegatedManagedIdentityResourceId": null,
  "description": null,
  "id": "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/YOUR_RESOURCE_GROUP/providers/Microsoft.DurableTask/schedulers/YOUR_DTS_NAME/providers/Microsoft.Authorization/roleAssignments/ROLE_ASSIGNMENT_ID",
  "name": "ROLE_ASSIGNMENT_ID",
  "principalId": "YOUR_DEVELOPER_CREDENTIAL_ID",
  "principalName": "YOUR_EMAIL",
  "principalType": "User",
  "resourceGroup": "YOUR_RESOURCE_GROUP",
  "roleDefinitionId": "/subscriptions/YOUR_SUBSCRIPTION/providers/Microsoft.Authorization/roleDefinitions/ROLE_DEFINITION_ID",
  "roleDefinitionName": "Durable Task Data Contributor",
  "scope": "/subscriptions/YOUR_SUBSCRIPTION/resourceGroups/YOUR_RESOURCE_GROUP/providers/Microsoft.DurableTask/schedulers/YOUR_DTS_NAME",
  "type": "Microsoft.Authorization/roleAssignments",
  "updatedBy": "YOUR_DEVELOPER_CREDENTIAL_ID",
  "updatedOn": "2024-12-20T01:36:45.022356+00:00"
}

Note

The following instruction shows a role assignment scoped to a specific task hub. If you need access to all task hubs in a scheduler, perform the assignment on the scheduler level.

  1. Create a user-assigned managed identity.

  2. Navigate to the Durable Task Scheduler resource in the portal.

  3. Select a task hub name.

  4. In the left menu, select Access control (IAM).

  5. Select Add to add a role assignment.

    Screenshot of the adding the role assignment on the Access Control pane in the portal.

  6. Search for and select Durable Task Data Contributor. Select Next.

    Screenshot of selecting the Durable Task Data Contributor role assignment in the portal.

  7. On the Members tab, for Assign access to, select Managed identity.

  8. For Members, select + Select members.

  9. In the Select managed identities pane, expand the Managed identity drop-down and select User-assigned managed identity.

    Screenshot of selecting the user-assigned managed identity type you're going to use in the portal.

  10. Pick the user-managed identity previously created and select Select.

  11. Select Review + assign to finish assigning the role.

Assign managed identity to your app

Now that the identity has the required RBAC to access Durable Task Scheduler, you need to assign it to your app.

  1. Get resource ID of the managed identity.

    resource_id=$(az resource show --resource-group RESOURCE_GROUP_NAME --name IDENTITY_NAME --resource-type Microsoft.ManagedIdentity/userAssignedIdentities --query id --output tsv)

  2. Assign the identity to app.

    az functionapp identity assign --resource-group RESOURCE_GROUP_NAME --name FUNCTION_APP_NAME --identities "$resource_id"

  1. From your app in the portal, select Settings > Identity.

  2. Select the User assigned tab.

  3. Select + Add, then pick the identity created in the last section. Select Add.

    Screenshot of adding the user-assigned managed identity to your function app in the portal.

Add environment variables to your app

Add the following two environment variables to your app:

Environment variable Value Example
DURABLE_TASK_SCHEDULER_CONNECTION_STRING Endpoint=<SCHEDULER_ENDPOINT>;Authentication=ManagedIdentity;ClientID=<IDENTITY_CLIENT_ID> Endpoint=https://myscheduler.westus2.durabletask.io;Authentication=ManagedIdentity;ClientID=00000000-0000-0000-0000-000000000000
TASKHUB_NAME The name of the task hub my-task-hub

Note

If you use system-assigned identity, omit the ClientID parameter from the connection string: "Endpoint=<SCHEDULER_ENDPOINT>;Authentication=ManagedIdentity".

  1. Get the required information for the connection string.

    Get the scheduler endpoint:

    az durabletask scheduler show --resource-group RESOURCE_GROUP_NAME --name SCHEDULER_NAME --query 'properties.endpoint' --output tsv

    Get the client ID of the managed identity:

    az identity show --name IDENTITY_NAME --resource-group RESOURCE_GROUP_NAME --query 'clientId' --output tsv

  2. Set both environment variables on your app.

    az functionapp config appsettings set \
  --resource-group RESOURCE_GROUP_NAME \
  --name FUNCTION_APP_NAME \
  --settings \
    DURABLE_TASK_SCHEDULER_CONNECTION_STRING="Endpoint=<SCHEDULER_ENDPOINT>;Authentication=ManagedIdentity;ClientID=<IDENTITY_CLIENT_ID>" \
    TASKHUB_NAME="<TASKHUB_NAME>"

  1. Get the required information for the connection string.

    To get your scheduler endpoint, navigate to the Overview tab of your scheduler resource and find Endpoint in the Essentials section.

    To get your managed identity client ID, navigate to the Overview tab of your managed identity resource and find Client ID in the Essentials section.

    Screenshot of the managed identity overview page showing the Client ID location in the Azure portal.

  2. Navigate to your app in the portal.

  3. In the left menu, select Settings > Environment variables.

  4. Add an environment variable named DURABLE_TASK_SCHEDULER_CONNECTION_STRING with the value Endpoint=<SCHEDULER_ENDPOINT>;Authentication=ManagedIdentity;ClientID=<IDENTITY_CLIENT_ID>.

  5. Add an environment variable named TASKHUB_NAME with the name of your task hub.

  6. Select Apply, then Confirm to save the variables.

Related content

  • Last updated on