Fix Azure Functions + Service Bus documentation to use managed identity (#906)

* Initial plan

* Update Azure Functions and Service Bus docs for managed identity

- Add Flex Consumption plan examples with managed identity
- Show AzureWebJobsStorage__accountName pattern
- Add Service Bus trigger with managed identity examples
- Include Python v2 model examples
- Update SDK patterns to prefer managed identity
- Add comprehensive role assignment examples

Co-authored-by: kvenkatrajan <102772054+kvenkatrajan@users.noreply.github.com>

* Complete managed identity documentation update

- All reference files validated successfully
- Code review completed with no issues
- Security scan confirms documentation-only changes

Co-authored-by: kvenkatrajan <102772054+kvenkatrajan@users.noreply.github.com>

* Add integration test for Python Function App with Service Bus trigger

- Added test in azure-functions-deploy test group
- Tests full end-to-end flow: azure-prepare, azure-validate, azure-deploy
- Validates deployment links are generated
- Uses the exact prompt from the reported issue

Co-authored-by: kvenkatrajan <102772054+kvenkatrajan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kvenkatrajan <102772054+kvenkatrajan@users.noreply.github.com>

Author: Copilot

plugin/skills/azure-prepare/references/services/functions/bicep.md

@@ -1,6 +1,124 @@
 # Functions Bicep Patterns
 
-## Basic Resource
+## Flex Consumption (Recommended)
+
+**Use Flex Consumption for new deployments with managed identity (no connection strings).**
+
+```bicep
+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
+  name: '${resourcePrefix}func${uniqueHash}'
+  location: location
+  sku: { name: 'Standard_LRS' }
+  kind: 'StorageV2'
+  properties: {
+    minimumTlsVersion: 'TLS1_2'
+    allowBlobPublicAccess: false
+    allowSharedKeyAccess: false  // Enforce managed identity
+  }
+}
+
+resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
+  parent: storageAccount
+  name: 'default'
+}
+
+resource deploymentContainer 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
+  parent: blobService
+  name: 'deploymentpackage'
+}
+
+resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
+  name: 'appi-${uniqueHash}'
+  location: location
+  kind: 'web'
+  properties: {
+    Application_Type: 'web'
+  }
+}
+
+resource functionAppPlan 'Microsoft.Web/serverfarms@2024-04-01' = {
+  name: 'plan-${uniqueHash}'
+  location: location
+  sku: {
+    name: 'FC1'
+    tier: 'FlexConsumption'
+  }
+  properties: {
+    reserved: true
+  }
+}
+
+resource functionApp 'Microsoft.Web/sites@2024-04-01' = {
+  name: '${resourcePrefix}-${serviceName}-${uniqueHash}'
+  location: location
+  kind: 'functionapp,linux'
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    serverFarmId: functionAppPlan.id
+    httpsOnly: true
+    functionAppConfig: {
+      deployment: {
+        storage: {
+          type: 'blobContainer'
+          value: '${storageAccount.properties.primaryEndpoints.blob}deploymentpackage'
+          authentication: {
+            type: 'SystemAssignedIdentity'
+          }
+        }
+      }
+      scaleAndConcurrency: {
+        maximumInstanceCount: 100
+        instanceMemoryMB: 2048
+      }
+      runtime: {
+        name: 'python'  // or 'node', 'dotnet-isolated'
+        version: '3.11'
+      }
+    }
+    siteConfig: {
+      appSettings: [
+        {
+          name: 'AzureWebJobsStorage__accountName'
+          value: storageAccount.name
+        }
+        {
+          name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
+          value: appInsights.properties.ConnectionString
+        }
+        {
+          name: 'FUNCTIONS_EXTENSION_VERSION'
+          value: '~4'
+        }
+        {
+          name: 'FUNCTIONS_WORKER_RUNTIME'
+          value: 'python'
+        }
+      ]
+    }
+  }
+}
+
+// Grant Function App access to Storage for runtime
+resource storageRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(storageAccount.id, functionApp.id, 'Storage Blob Data Owner')
+  scope: storageAccount
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')
+    principalId: functionApp.identity.principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+```
+
+> 💡 **Key Points:**
+> - Use `AzureWebJobsStorage__accountName` instead of connection string
+> - Set `allowSharedKeyAccess: false` for enhanced security
+> - Use `SystemAssignedIdentity` for deployment authentication
+> - Grant `Storage Blob Data Owner` role for full access to blobs, queues, and tables
+
+## Consumption Plan (Legacy)
 
 ```bicep
 resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
@@ -38,6 +156,68 @@ resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
 }
 ```
 
+## Service Bus Integration (Managed Identity)
+
+```bicep
+resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
+  name: serviceBusNamespaceName
+}
+
+resource functionApp 'Microsoft.Web/sites@2024-04-01' = {
+  // ... (Function App definition from above)
+  properties: {
+    // ... (other properties)
+    siteConfig: {
+      appSettings: [
+        // Storage with managed identity
+        {
+          name: 'AzureWebJobsStorage__accountName'
+          value: storageAccount.name
+        }
+        // Service Bus with managed identity
+        {
+          name: 'SERVICEBUS__fullyQualifiedNamespace'
+          value: '${serviceBusNamespace.name}.servicebus.windows.net'
+        }
+        {
+          name: 'SERVICEBUS_QUEUE_NAME'
+          value: serviceBusQueueName
+        }
+        // Other settings...
+      ]
+    }
+  }
+}
+
+// Grant Service Bus Data Receiver role for triggers
+resource serviceBusReceiverRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(serviceBusNamespace.id, functionApp.id, 'Azure Service Bus Data Receiver')
+  scope: serviceBusNamespace
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')
+    principalId: functionApp.identity.principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
+// Grant Service Bus Data Sender role (if function sends messages)
+resource serviceBusSenderRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(serviceBusNamespace.id, functionApp.id, 'Azure Service Bus Data Sender')
+  scope: serviceBusNamespace
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')
+    principalId: functionApp.identity.principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+```
+
+> 💡 **Key Points:**
+> - Use `SERVICEBUS__fullyQualifiedNamespace` (double underscore) for managed identity
+> - Grant `Service Bus Data Receiver` role for reading messages
+> - Grant `Service Bus Data Sender` role for sending messages (if needed)
+> - Role assignments automatically enable connection via managed identity
+
 ## Premium Plan (No Cold Starts)
 
 ```bicep

plugin/skills/azure-prepare/references/services/functions/triggers.md

@@ -23,7 +23,107 @@ module.exports = async function (context, req) {
 
 Cron format: `{second} {minute} {hour} {day} {month} {day-of-week}`
 
-## Queue Trigger (Service Bus)
+## Service Bus Trigger (Managed Identity)
+
+### Python (v2 model)
+
+```python
+import azure.functions as func
+import logging
+
+app = func.FunctionApp()
+
+@app.service_bus_queue_trigger(
+    arg_name="msg",
+    queue_name="orders",
+    connection="SERVICEBUS"  # References SERVICEBUS__fullyQualifiedNamespace
+)
+def process_queue_message(msg: func.ServiceBusMessage):
+    logging.info('Processing Service Bus message: %s', msg.get_body().decode('utf-8'))
+    # Process the message
+```
+
+**Required app settings:**
+- `SERVICEBUS__fullyQualifiedNamespace`: `<namespace>.servicebus.windows.net`
+- Function App must have `Azure Service Bus Data Receiver` role on namespace
+
+### Python (v1 model)
+
+```json
+// function.json
+{
+  "bindings": [{
+    "name": "msg",
+    "type": "serviceBusTrigger",
+    "queueName": "orders",
+    "connection": "SERVICEBUS"
+  }]
+}
+```
+
+```python
+# __init__.py
+import logging
+import azure.functions as func
+
+def main(msg: func.ServiceBusMessage):
+    logging.info('Processing message: %s', msg.get_body().decode('utf-8'))
+```
+
+### Node.js
+
+```json
+// function.json
+{
+  "bindings": [{
+    "name": "message",
+    "type": "serviceBusTrigger",
+    "queueName": "orders",
+    "connection": "SERVICEBUS"
+  }]
+}
+```
+
+```javascript
+// index.js
+module.exports = async function (context, message) {
+    context.log('Processing message:', message);
+};
+```
+
+### .NET (Isolated)
+
+```csharp
+[Function("ServiceBusProcessor")]
+public void Run(
+    [ServiceBusTrigger("orders", Connection = "SERVICEBUS")] 
+    ServiceBusReceivedMessage message,
+    FunctionContext context)
+{
+    var logger = context.GetLogger("ServiceBusProcessor");
+    logger.LogInformation($"Processing message: {message.Body}");
+}
+```
+
+> 💡 **Managed Identity Configuration:**
+> - Connection name (e.g., `SERVICEBUS`) maps to `<name>__fullyQualifiedNamespace` app setting
+> - Use double underscore (`__`) to signal managed identity authentication
+> - No connection strings needed when proper RBAC roles are assigned
+
+## Service Bus Topic Trigger
+
+```python
+@app.service_bus_topic_trigger(
+    arg_name="msg",
+    topic_name="events",
+    subscription_name="processor",
+    connection="SERVICEBUS"
+)
+def process_topic_message(msg: func.ServiceBusMessage):
+    logging.info('Processing topic message: %s', msg.get_body().decode('utf-8'))
+```
+
+## Queue Trigger (Legacy - Connection String)
 
 ```json
 // function.json
@@ -37,6 +137,10 @@ Cron format: `{second} {minute} {hour} {day} {month} {day-of-week}`
 }
 ```
 
+**App setting:** `ServiceBusConnection`: `Endpoint=sb://...`
+
+> ⚠️ **Use managed identity instead** for new deployments (see above)
+
 ## Blob Trigger
 
 ```json

plugin/skills/azure-prepare/references/services/service-bus/README.md

@@ -16,7 +16,7 @@ Enterprise messaging with queues and pub/sub topics.
 | Resource | Purpose |
 |----------|---------|
 | None required | Service Bus is self-contained |
-| Key Vault | Store connection strings |
+| Key Vault | Store connection strings (legacy) |
 
 ## SKU Selection
 
@@ -28,6 +28,20 @@ Enterprise messaging with queues and pub/sub topics.
 
 ## Environment Variables
 
+### Managed Identity (Recommended)
+
+| Variable | Value |
+|----------|-------|
+| `SERVICEBUS__fullyQualifiedNamespace` | `<namespace>.servicebus.windows.net` |
+| `SERVICEBUS_NAMESPACE` | Namespace name (for SDK) |
+| `SERVICEBUS_QUEUE` | Queue name |
+
+**Required RBAC roles:**
+- `Azure Service Bus Data Sender` (69a216fc-b8fb-44d8-bc22-1f3c2cd27a39) - for sending
+- `Azure Service Bus Data Receiver` (4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0) - for receiving
+
+### Connection String (Legacy)
+
 | Variable | Value |
 |----------|-------|
 | `SERVICEBUS_CONNECTION_STRING` | Connection string (Key Vault) |