Commit 1785a83

Remaining ROPC updates for Functions
1 parent 8237e08 commit 1785a83

37 files changed

+276
-303
lines changed

.openpublishing.redirection.json

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -530,6 +530,11 @@
530530
"redirect_url": "./azure-resource-manager/management/deployment-models",
531531
"redirect_document_id": false
532532
},
533+
{
534+
"source_path_from_root": "/articles/azure-functions/functions-add-output-binding-storage-queue-java.md",
535+
"redirect_url": "/azure/azure-functions/functions-add-output-binding-storage-queue-cli?pivots=programming-language-java",
536+
"redirect_document_id": false
537+
},
533538
{
534539
"source_path_from_root": "/articles/azure-functions/create-first-function-arc-custom-container.md",
535540
"redirect_url": "/azure/azure-functions/functions-how-to-custom-container?pivots=azure-arc",

articles/azure-functions/durable/durable-functions-azure-storage-provider.md

Lines changed: 13 additions & 8 deletions
@@ -106,7 +106,7 @@ The extra compression and blob operation steps for large messages can be expensi
106106

107107
The queues, tables, and blobs used by Durable Functions are created in a configured Azure Storage account. The account to use can be specified using the `durableTask/storageProvider/connectionStringName` setting (or `durableTask/azureStorageConnectionStringName` setting in Durable Functions 1.x) in the **host.json** file.
108108

109-
#### Durable Functions 2.x
109+
#### [Durable 2.x](#tab/durable-2x)
110110

111111
```json
112112
{
@@ -120,7 +120,7 @@ The queues, tables, and blobs used by Durable Functions are created in a configu
120120
}
121121
```
122122

123-
#### Durable Functions 1.x
123+
#### [Durable 1.x](#tab/durable-1x)
124124

125125
```json
126126
{
@@ -131,11 +131,15 @@ The queues, tables, and blobs used by Durable Functions are created in a configu
131131
}
132132
}
133133
```
134+
---
134135

135-
If not specified, the default `AzureWebJobsStorage` storage account is used. For performance-sensitive workloads, however, configuring a non-default storage account is recommended. Durable Functions uses Azure Storage heavily, and using a dedicated storage account isolates Durable Functions storage usage from the internal usage by the Azure Functions host.
136+
Keep in mind these considerations when choosing the storage account used by your Durable function app:
136137

137-
> [!NOTE]
138-
> Standard general purpose Azure Storage accounts are required when using the Azure Storage provider. All other storage account types are not supported. We highly recommend using legacy v1 general purpose storage accounts for Durable Functions. The newer v2 storage accounts can be significantly more expensive for Durable Functions workloads. For more information on Azure Storage account types, see the [Storage account overview](../../storage/common/storage-account-overview.md) documentation.
138+
+ When not specified, the default `AzureWebJobsStorage` storage account is used.
139+
+ When possible, you should use Microsoft Entra authentication with managed identities to secure your storage account connection. For more information, see [Connections](../functions-reference.md#connections).
140+
+ For performance-sensitive workloads, you should configure a storage account other than the default account (`AzureWebJobsStorage`). Durable Functions uses Azure Storage heavily, and using a dedicated storage account isolates Durable Functions storage usage from the internal usage by the Azure Functions host.
141+
+ Standard general purpose Azure Storage accounts are required when using the Azure Storage provider. All other storage account types aren't currently supported.
142+
+ We highly recommend using legacy v1 general purpose storage accounts for Durable Functions. The newer v2 storage accounts can be significantly more expensive for Durable Functions workloads. For more information on Azure Storage account types, see the [Storage account overview](../../storage/common/storage-account-overview.md) documentation.
139143

140144
### Orchestrator scale-out
141145

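Review bot: The managed-identity bullet added at line 139 links to the general `../functions-reference.md#connections` section, while the setting this section tells readers to edit is still named `durableTask/storageProvider/connectionStringName` (line 107), so it is not obvious that the same setting can point at an identity-based connection. Consider linking to the Durable-specific `#identity-based-connections` section in durable-functions-storage-providers.md, which this commit also touches, or adding one sentence on how the setting is used with an identity.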
@@ -146,7 +150,7 @@ While activity functions can be scaled out infinitely by adding more VMs elastic
146150
147151
The number of control queues is defined in the **host.json** file. The following example host.json snippet sets the `durableTask/storageProvider/partitionCount` property (or `durableTask/partitionCount` in Durable Functions 1.x) to `3`. Note that there are as many control queues as there are partitions.
148152

149-
#### Durable Functions 2.x
153+
#### [Durable 2.x](#tab/durable-2x)
150154

151155
```json
152156
{
@@ -160,7 +164,7 @@ The number of control queues is defined in the **host.json** file. The following
160164
}
161165
```
162166

163-
#### Durable Functions 1.x
167+
#### [Durable 1.x](#tab/durable-1x)
164168

165169
```json
166170
{
@@ -171,6 +175,7 @@ The number of control queues is defined in the **host.json** file. The following
171175
}
172176
}
173177
```
178+
---
174179

175180
A task hub can be configured with between 1 and 16 partitions. If not specified, the default partition count is **4**.
176181

@@ -211,7 +216,7 @@ Extended sessions is a [caching mechanism](durable-functions-perf-and-scale.md#i
211216

212217
You can enable extended sessions by setting `durableTask/extendedSessionsEnabled` to `true` in the **host.json** file. The `durableTask/extendedSessionIdleTimeoutInSeconds` setting can be used to control how long an idle session will be held in memory:
213218

214-
**Functions 2.0**
219+
### [Functions 2.x](#tab/functions-2x)
215220
```json
216221
{
217222
"extensions": {

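Review bot: The tab heading added at line 219 is `###`, while the other tab groups converted in this file use `####` (lines 109, 123, 153, 167), and its tab id `functions-2x` does not match the `durable-2x` and `durable-1x` ids used there. It is also followed directly by the json fence at line 220 with no blank line in between, unlike the other tab headings. The visible part of this hunk does not include a closing `---` for the group; please confirm one is added further down.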
articles/azure-functions/durable/durable-functions-storage-providers.md

Lines changed: 3 additions & 3 deletions
@@ -84,10 +84,10 @@ The Azure Storage provider is the default storage provider and doesn't require a
8484

8585
The `connectionName` property in host.json is a reference to environment configuration which specifies how the app should connect to Azure Storage. It may specify:
8686

87-
- The name of an application setting containing a connection string. To obtain a connection string, follow the steps shown at [Manage storage account access keys](../../storage/common/storage-account-keys-manage.md).
88-
- The name of a shared prefix for multiple application settings, together defining an [identity-based connection](#identity-based-connections).
87+
- The name of a shared prefix for multiple application settings, together defining an [identity-based connection](#identity-based-connections). Managed identities use Microsoft Entra authentication to provide the most secure connection to your storage account.
88+
- The name of an application setting containing a connection string. To obtain a connection string, follow the steps shown at [Manage storage account access keys](../../storage/common/storage-account-keys-manage.md).
8989

90-
If the configured value is both an exact match for a single setting and a prefix match for other settings, the exact match is used. If no value is specified in host.json, the default value is "AzureWebJobsStorage".
90+
If the configured value is both an exact match for a single setting and a prefix match for other settings, the exact match is used. If no value is specified in host.json, the default value is `AzureWebJobsStorage`.
9191

9292
##### Identity-based connections
9393

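Review bot: With the identity-based option now listed first (line 87), the exact-match rule kept at line 90 becomes a migration trap: an app that still has a connection-string setting whose name equals the configured value keeps using that setting even after the prefixed identity settings are added. Suggest adding a sentence after line 90 telling readers to remove the exact-match connection-string setting when they switch to an identity-based connection.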
articles/azure-functions/durable/durable-functions-webjobs-sdk.md

Lines changed: 6 additions & 3 deletions
@@ -20,7 +20,7 @@ The chaining Durable Functions sample is available in a WebJobs SDK 2.x version:
2020

2121
## Prerequisites
2222

23-
This article assumes you're familiar with the basics of the WebJobs SDK, C# class library development for Azure Functions, and Durable Functions. If you need an introduction to these topics, see the following resources:
23+
This article assumes you're familiar with the basics of the WebJobs SDK, C# class library development for Azure Functions, and Durable Functions. If you need an introduction to these concepts, see the following resources:
2424

2525
* [Get started with the WebJobs SDK](../../app-service/webjobs-sdk-get-started.md)
2626
* [Create your first function using Visual Studio](../functions-create-your-first-function-visual-studio.md)
@@ -132,7 +132,7 @@ In a WebJobs SDK project, the method name of a function is the function name. Th
132132

133133
### HTTP trigger
134134

135-
The WebJobs SDK does not have an HTTP trigger. The sample project's orchestration client uses a timer trigger:
135+
The WebJobs SDK doesn't have an HTTP trigger. The sample project's orchestration client uses a timer trigger:
136136

137137
```cs
138138
public static async Task CronJob(
@@ -199,7 +199,7 @@ This section provides an overview of how to run the [sample project](https://git
199199

200200
1. Create a web app and a storage account.
201201

202-
1. In the web app, save the storage connection string in an app setting named `AzureWebJobsStorage`.
202+
1. In the web app, save the storage connection information in an app setting named `AzureWebJobsStorage`. For the highest level of security, you should use a [managed identity connection](../../app-service/overview-managed-identity.md) to your storage account.
203203

204204
1. Create an Application Insights resource, and use the **General** app type for it.
205205

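Review bot: The step at line 202 still describes a single app setting named `AzureWebJobsStorage`, but the identity-based form described in durable-functions-storage-providers.md in this commit is a shared prefix for multiple application settings, so "save the storage connection information in an app setting" does not tell the reader what to create for the option being recommended. The link also goes to the App Service managed identity overview rather than `../functions-reference.md#connections`, which other files in this commit use for connection setup. Consider pointing there and wording the step so both forms are covered.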
@@ -230,6 +230,9 @@ The main change introduced is the use of .NET Core instead of .NET Framework. To
230230
}
231231
```
232232

233+
>[!IMPORTANT]
234+
>For the highest level of security, you should use a managed identity connection to your storage account. For more information, see [How to use managed identities for App Service and Azure Functions](../../app-service/overview-managed-identity.md).
235+
233236
1. Change the `Main` method code to do this. Here's an example:
234237

235238
```cs
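Review bot: The alert added at lines 233-234 repeats the guidance already added at line 202 and sits between a closing code fence and the next `1.` step without saying what in the preceding sample should change for an identity-based connection. If it is meant to live inside the numbered list, check that it carries the list's indentation so the following `1.` does not restart numbering. The marker is written `>[!IMPORTANT]` here and `> [!IMPORTANT]` at line 52 of functions-add-output-binding-storage-queue-cli.md; pick one form.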

articles/azure-functions/durable/durable-functions-zero-downtime-deployment.md

Lines changed: 2 additions & 2 deletions
@@ -51,9 +51,9 @@ Use the following procedure to set up this scenario.
5151

5252
1. [Add deployment slots](../functions-deployment-slots.md#add-a-slot) to your function app for staging and production.
5353

54-
1. For each slot, set the [AzureWebJobsStorage application setting](../functions-app-settings.md#azurewebjobsstorage) to the connection string of a shared storage account. This storage account connection string is used by the Azure Functions runtime to securely store the [functions' access keys](../security-concepts.md#function-access-keys).
54+
1. For each slot, set the [AzureWebJobsStorage application setting](../functions-app-settings.md#azurewebjobsstorage) to the connection of a shared storage account. This storage account connection is used by the Azure Functions runtime to securely store the [functions' access keys](../function-keys-how-to.md). For the highest level of security, you should use a [managed identity connection](../../app-service/overview-managed-identity.md) to your storage account.
5555

56-
1. For each slot, create a new app setting, for example, `DurableManagementStorage`. Set its value to the connection string of different storage accounts. These storage accounts are used by the Durable Functions extension for [reliable execution](./durable-functions-orchestrations.md). Use a separate storage account for each slot. Don't mark this setting as a deployment slot setting.
56+
1. For each slot, create a new app setting, for example, `DurableManagementStorage`. Set its value to the connection string of different storage accounts. These storage accounts are used by the Durable Functions extension for [reliable execution](./durable-functions-orchestrations.md). Use a separate storage account for each slot. Don't mark this setting as a deployment slot setting. Again, managed identity-based connections are the most secure.
5757

5858
1. In your function app's [host.json file's durableTask section](durable-functions-bindings.md#hostjson-settings), specify `connectionStringName` (Durable 2.x) or `azureStorageConnectionStringName` (Durable 1.x) as the name of the app setting you created in step 3.
5959

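Review bot: The sentence appended at line 56 ("Again, managed identity-based connections are the most secure.") contradicts the instruction just before it, which still says to set the value to "the connection string of different storage accounts", and step 4 at line 58 still refers to `connectionStringName`. Either describe how `DurableManagementStorage` is defined for an identity-based connection or link to the section that does. At line 54, "the connection of a shared storage account" reads oddly after dropping "string", and the access keys link now targets `../function-keys-how-to.md` with no anchor; confirm that file exists and covers the same content.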
articles/azure-functions/flex-consumption-how-to.md

Lines changed: 2 additions & 1 deletion
@@ -1,7 +1,7 @@
11
---
22
title: Create and manage function apps in a Flex Consumption plan
33
description: "Learn how to create function apps hosted in the Flex Consumption plan in Azure Functions and how to modify specific settings for an existing function app."
4-
ms.date: 08/21/2024
4+
ms.date: 12/29/2024
55
ms.topic: how-to
66
ms.custom: build-2024, devx-track-azurecli, devx-track-extended-java, devx-track-js, devx-track-python, devx-track-ts, ignite-2024
77
zone_pivot_groups: programming-languages-set-functions
@@ -331,6 +331,7 @@ A customized deployment source should meet this criteria:
331331

332332
When configuring deployment storage authentication, keep these considerations in mind:
333333

334+
+ As a security best practice, you should use managed identities when connecting to Azure Storage from you apps. For more information, see [Connections](./functions-reference.md#connections).
334335
+ When you use a connection string to connect to the deployment storage account, the application setting that contains the connection string must already exist.
335336
+ When you use a user-assigned managed identity, the provided identity gets linked to the function app. The `Storage Blob Data Contributor` role scoped to the deployment storage account also gets assigned to the identity.
336337
+ When you use a system-assigned managed identity, an identity gets created when a valid system-assigned identity doesn't already exist in your app. When a system-assigned identity does exists, the `Storage Blob Data Contributor` role scoped to the deployment storage account also gets assigned to the identity.
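Review bot: Typo in the bullet added at line 334: "from you apps" should be "from your apps". Since this bullet states the recommended option, consider moving the connection-string bullet at line 335 below the two managed-identity bullets so the list order matches the recommendation.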

articles/azure-functions/functions-add-output-binding-azure-sql-vs-code.md

Lines changed: 4 additions & 1 deletion
@@ -1,7 +1,7 @@
11
---
22
title: Connect Azure Functions to Azure SQL Database using Visual Studio Code
33
description: Learn how to connect Azure Functions to Azure SQL Database by adding an output binding to your Visual Studio Code project.
4-
ms.date: 04/25/2024
4+
ms.date: 12/29/2024
55
ms.topic: quickstart
66
author: dzsquared
77
ms.author: drskwier
@@ -46,6 +46,9 @@ More details on the settings for [Azure SQL bindings and trigger for Azure Funct
4646
|**Password**|Enter a password that meets the complexity requirements.|
4747
|**Allow Azure services and resources to access this server**|Select **Yes**.|
4848

49+
>[!IMPORTANT]
50+
>This article currently shows how to connect to Azure SQL Database by using SQL Server authentication. For the best security, you should instead use managed identities for the Azure SQL Database connection. For more information, see the [Create an Azure SQL Database server with a user-assigned managed identity](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity-create-server).
51+
4952
1. Once the creation has completed, navigate to the database blade in the Azure portal, and, under **Settings**, select **Connection strings**. Copy the **ADO.NET** connection string for **SQL authentication**. Paste the connection string into a temporary document for later use.
5053

5154
:::image type="content" source="./media/functions-add-output-binding-azure-sql-vs-code/adonet-connection-string.png" alt-text="Screenshot of copying the Azure SQL Database connection string in the Azure portal." border="true":::
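Review bot: The alert at lines 49-50 links to "Create an Azure SQL Database server with a user-assigned managed identity", which by its title covers giving the server an identity rather than authenticating the function app's connection to the database; confirm this is the intended target. The link sentence also has a stray article ("see the [Create ...]"), and the next step at line 52 still has readers paste the SQL-authentication connection string into a temporary document, so the alert is the only place the safer option is mentioned.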

articles/azure-functions/functions-add-output-binding-storage-queue-cli.md

Lines changed: 18 additions & 2 deletions
@@ -1,7 +1,7 @@
11
---
22
title: Connect Azure Functions to Azure Storage using command line tools
33
description: Learn how to connect Azure Functions to an Azure Storage queue by adding an output binding to your command line project.
4-
ms.date: 04/25/2024
4+
ms.date: 12/29/2024
55
ms.topic: quickstart
66
ms.devlang: csharp
77
# ms.devlang: csharp, java, javascript, powershell, python, typescript
@@ -34,7 +34,23 @@ Before you begin, you must complete the article, [Quickstart: Create an Azure Fu
3434
Before you begin, you must complete the article, [Quickstart: Create an Azure Functions project from the command line](create-first-function-cli-powershell.md). If you already cleaned up resources at the end of that article, go through the steps again to recreate the function app and related resources in Azure.
3535
::: zone-end
3636

37-
[!INCLUDE [functions-cli-get-storage-connection](../../includes/functions-cli-get-storage-connection.md)]
37+
### Retrieve the Azure Storage connection string
38+
39+
>[!IMPORTANT]
40+
>This article currently shows how to connect to your Azure Storage account by using the connection string, which contains a shared secret key. Using a connection string makes it easier for you to verify data updates in the storage account. For the best security, you should instead use managed identities when connecting to your storage account. For more information, see [Connections](./functions-reference.md#connections) in the Developer Guide.
41+
42+
Earlier, you created an Azure Storage account for function app's use. The connection string for this account is stored securely in app settings in Azure. By downloading the setting into the *local.settings.json* file, you can use the connection to write to a Storage queue in the same account when running the function locally.
43+
44+
1. From the root of the project, run the following command, replace `<APP_NAME>` with the name of your function app from the previous step. This command overwrites any existing values in the file.
45+
46+
```
47+
func azure functionapp fetch-app-settings <APP_NAME>
48+
```
49+
50+
1. Open *local.settings.json* file and locate the value named `AzureWebJobsStorage`, which is the Storage account connection string. You use the name `AzureWebJobsStorage` and the connection string in other sections of this article.
51+
52+
> [!IMPORTANT]
53+
> Because the *local.settings.json* file contains secrets downloaded from Azure, always exclude this file from source control. The *.gitignore* file created with a local functions project excludes the file by default.
3854
3955
::: zone pivot="programming-language-csharp"
4056
## Register binding extensions
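Review bot: The code fence added at lines 46-48 has no language tag, and the step text at line 44 is a comma splice ("run the following command, replace `<APP_NAME>` ..."); suggest tagging the fence and writing "run the following command, replacing `<APP_NAME>` with ...". Line 42 is missing an article ("for function app's use"). The two alerts in this section use different marker spacing (`>[!IMPORTANT]` at line 39, `> [!IMPORTANT]` at line 52); use one form throughout.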
