Final working draft

Author: ggailey777

.openpublishing.publish.config.json

@@ -70,7 +70,7 @@
         },
         {
             "path_to_root": "azure_cli_scripts",
-            "url": "https://github.com/Azure-Samples/azure-cli-samples",
+            "url": "https://github.com/ggailey777/azure-cli-samples",
             "branch": "master",
             "branch_mapping": {}
         },

articles/azure-functions/create-first-function-cli-csharp.md

@@ -137,14 +137,11 @@ To learn more, see [Azure Functions HTTP triggers and bindings](./functions-bind
 
 [!INCLUDE [functions-create-azure-resources-cli](../../includes/functions-create-azure-resources-flex-cli.md)]
 
-4. Create the function app in Azure:
+7. Create the function app in Azure:
     <!---Replace tabs when PowerShell cmdlets support Flex Consumption plans.
     ### [Azure CLI](#tab/azure-cli)
     -->
-    ```azurecli
-    userId=$(az identity show --name func-host-storage-user --resource-group AzureFunctionsQuickstart-rg --query 'id' -o tsv)
-    az functionapp create --resource-group AzureFunctionsQuickstart-rg --flexconsumption-location <REGION> --runtime dotnet-isolated --runtime-version 8.0 --assign-identity $userId --deployment-storage-auth-type UserAssignedIdentity --deployment-storage-auth-value $userId  --name <APP_NAME> --storage-account <STORAGE_NAME>
-    ```
+    :::code language="azurecli" source="~/azure_cli_scripts/azure-functions/create-function-app-flex-plan-identities/create-function-app-flex-plan-identities.md" range="37-39":::
 
     The [az functionapp create](/cli/azure/functionapp#az-functionapp-create) command creates the function app in Azure.
     <!---
@@ -158,28 +155,24 @@ To learn more, see [Azure Functions HTTP triggers and bindings](./functions-bind
 
     ---
     -->
-    In this example, replace `<STORAGE_NAME>` with the name of the account you used in the previous step, replace `<REGION>` with your region, and replace `<APP_NAME>` with a globally unique name appropriate to you. The `<APP_NAME>` is also the default DNS domain for the function app.
+    In this example, replace these placholders:
 
-    This command creates a function app running in your specified language runtime on Linux in the [Flex Consumption Plan](flex-consumption-plan.md), which is free for the amount of usage you incur here. The command also creates an associated Azure Application Insights instance in the same resource group, with which you can monitor your function app and view logs. For more information, see [Monitor Azure Functions](functions-monitoring.md). The instance incurs no costs until you activate it.
+    + `<STORAGE_NAME>`: the name of the account you used in the previous step.
+    + `<REGION>`: your region. 
+    + `<APP_NAME>`: a globally unique name appropriate to you. The `<APP_NAME>` is also the default DNS domain for the function app.
+    + `<USER_NAME>`: the name of the user-assigned managed identity.
+    + `<LANGUAGE>`: use `dotnet-isolated`.
+    + `<LANGUAGE_VERSION>`: use `8.0`.
 
-## Update application settings
+    This command creates a function app running in your specified language runtime on Linux in the [Flex Consumption Plan](flex-consumption-plan.md), which is free for the amount of usage you incur here. The command also creates an associated Azure Application Insights instance in the same resource group, with which you can monitor your function app and view logs. For more information, see [Monitor Azure Functions](functions-monitoring.md). The instance incurs no costs until you activate it.
 
-To enable the Functions host to connect to the default storage account using shared secrets, you must replace the `AzureWebJobsStorage` connection string setting with an equivalent setting that uses the user-assigned managed identity to connect to the storage account.
+8. Add your user-assigned managed identity to the [Monitoring Metrics Publisher](../role-based-access-control/built-in-roles/monitor#monitoring-metrics-publisher) role in your Application Insights instance:
 
-1. Remove the existing `AzureWebJobsStorage` connection string setting:
+    :::code language="azurecli" source="~/azure_cli_scripts/azure-functions/create-function-app-flex-plan-identities/create-function-app-flex-plan-identities.md" range="42-44":::
 
-    ```azurecli    
-    az functionapp config appsettings delete --name `<APP_NAME>` --resource-group AzureFunctionsQuickstart-rg --setting-names AzureWebJobsStorage 
-    ```
+    The [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command adds your user to the role. The resource ID of your Application Insights instance is obtained by using [az monitor app-insights component show](/cli/azure/monitor/app-insights/component#az-monitor-app-insights-component-show).
 
-    The [az functionapp config appsettings delete](/cli/azure/functionapp/config/appsettings#az-functionapp-config-appsettings-delete) command removes this setting from your app.
-
-1. Add equivalent settings, with an `AzureWebJobsStorage__` prefix, that define a user-assigned managed identity connection to the default storage account:
- 
-    ```azurecli
-    clientId=$(az identity show --name func-host-storage-user --resource-group AzureFunctionsQuickstart-rg --query 'clientId' -o tsv)
-    az functionapp config appsettings set --name `<APP_NAME>` --resource-group AzureFunctionsQuickstart-rg --settings AzureWebJobsStorage__accountName=<STORAGE_NAME> AzureWebJobsStorage__credential=managedidentity AzureWebJobsStorage__clientId=$clientId
-    ```
+[!INCLUDE [functions-update-app-settings-flex-cli](../../includes/functions-update-app-settings-flex-cli.md)]
      
 At this point, the Functions host is able to connect to the storage account securely using managed identities. You can now deploy your project code to the Azure resources
 

includes/functions-create-azure-resources-flex-cli.md

@@ -38,13 +38,15 @@ Use the following commands to create these items. Both Azure CLI and PowerShell
     ---
     -->
 
+1. If you haven't already done so, install the Application Insights extension:
+
+    :::code language="azurecli" source="~/azure_cli_scripts/azure-functions/create-function-app-flex-plan-identities/create-function-app-flex-plan-identities.md" range="12":::
+
 1. Create a resource group named `AzureFunctionsQuickstart-rg` in your chosen region:
     <!---
     ### [Azure CLI](#tab/azure-cli)-->
     
-    ```azurecli
-    az group create --name AzureFunctionsQuickstart-rg --location <REGION>
-    ```
+    :::code language="azurecli" source="~/azure_cli_scripts/azure-functions/create-function-app-flex-plan-identities/create-function-app-flex-plan-identities.md" range="15":::
  
     The [az group create](/cli/azure/group#az-group-create) command creates a resource group. In the above command, replace `<REGION>` with a region near you that supports the Flex Consumption plan. Use an available region code returned from the [az functionapp list-flexconsumption-locations](/cli/azure/functionapp#az-functionapp-list-flexconsumption-locations) command.
     <!---
@@ -63,9 +65,7 @@ Use the following commands to create these items. Both Azure CLI and PowerShell
     <!---
     ### [Azure CLI](#tab/azure-cli)
     -->
-    ```azurecli
-    az storage account create --resource-group AzureFunctionsQuickstart-rg --sku Standard_LRS --allow-blob-public-access false --allow-shared-key-access false --name <STORAGE_NAME> --location <REGION> 
-    ```
+    :::code language="azurecli" source="~/azure_cli_scripts/azure-functions/create-function-app-flex-plan-identities/create-function-app-flex-plan-identities.md" range="18-19":::
 
     This [az storage account create](/cli/azure/storage/account#az-storage-account-create) command creates a storage account. 
     <!---
@@ -79,28 +79,17 @@ Use the following commands to create these items. Both Azure CLI and PowerShell
 
     ---
     -->
+
     In this example, replace `<STORAGE_NAME>` with a name that is appropriate to you and unique in Azure Storage. Names must contain three to 24 characters numbers and lowercase letters only. `Standard_LRS` specifies a general-purpose account, which is [supported by Functions](../articles/azure-functions/storage-considerations.md#storage-account-requirements). This new account can only be accessed by using Micrososft Entra-authenticated identities that have been granted permissions to specific resources. 
 
 1. Create a user-assigned managed identity, then capture and parse the returned JSON properties of the object using `jq`: 
 
-    ```azurecli
-    # Create a user-assigned managed identity.
-    output=$(az identity create --name func-host-storage-user --resource-group AzureFunctionsQuickstart-rg --location <REGION> --query "{userId:id, principalId: principalId, clientId: clientId}" -o json)
-    
-    # Use jq to parse the JSON and assign the properties to variables.
-    userId=$(echo $output | jq -r '.userId')
-    principalId=$(echo $output | jq -r '.principalId')
-    clientId=$(echo $output | jq -r '.clientId')
-    ```
+    :::code language="azurecli" source="~/azure_cli_scripts/azure-functions/create-function-app-flex-plan-identities/create-function-app-flex-plan-identities.md" range="22-23,26-28":::
 
     If you don't have the `jq` utility in your local Bash shell, it's available in Azure Cloud Shell. The [az identity create](/cli/azure/identity#az-identity-create) command creates a new identity in the resource group named `func-host-storage-user`. The returned `principalId` is used to assign permissions to this new identity in the default storage account by using the [`az role assignment create`](/cli/azure/role/assignment#az-role-assignment-create) command. The [`az storage account show`](/cli/azure/storage/account#az-storage-account-show) command is used to obtain the storage account ID. 
 
 1. Grant to the new identity the required access in the default storage account by using the built-in `Storage Blob Data Owner` role:
 
-    ```azurecli
-    # Get the storage ID and create a role assignment (Storage Blob Data Owner) for the UAMI in storage.
-    storageId=$(az storage account show --resource-group AzureFunctionsQuickstart-rg --name <STORAGE_NAME> --query 'id' -o tsv)
-    az role assignment create --assignee-object-id $principalId --assignee-principal-type ServicePrincipal --role "Storage Blob Data Owner" --scope $storageId
-    ```
+    :::code language="azurecli" source="~/azure_cli_scripts/azure-functions/create-function-app-flex-plan-identities/create-function-app-flex-plan-identities.md" range="31-33":::
 
     In this example, replace `<STORAGE_NAME>` and `<REGION>` with your default storage account name and region, respectively. 

includes/functions-update-app-settings-flex-cli.md

@@ -0,0 +1,21 @@
+---
+author: ggailey777
+ms.service: azure-functions
+ms.topic: include
+ms.date: 05/15/2025
+ms.author: glenga
+---
+
+## Update application settings
+
+To enable the Functions host to connect to the default storage account using shared secrets, you must replace the `AzureWebJobsStorage` connection string setting with a complex setting, prefixed with `AzureWebJobsStorage`, that uses the user-assigned managed identity to connect to the storage account.
+
+1. Remove the existing `AzureWebJobsStorage` connection string setting:
+
+    :::code language="azurecli" source="~/azure_cli_scripts/azure-functions/create-function-app-flex-plan-identities/create-function-app-flex-plan-identities.md" range="52" :::
+
+    The [az functionapp config appsettings delete](/cli/azure/functionapp/config/appsettings#az-functionapp-config-appsettings-delete) command removes this setting from your app.
+
+1. Add equivalent settings, with an `AzureWebJobsStorage__` prefix, that define a user-assigned managed identity connection to the default storage account:
+ 
+    :::code language="azurecli" source="~/azure_cli_scripts/azure-functions/create-function-app-flex-plan-identities/create-function-app-flex-plan-identities.md" range="47-51" :::