Migrate Consumption plan apps to the Flex Consumption plan

• Access to the Azure subscription containing one or more function apps to migrate. The account used to run Azure CLI commands must be able to:

  • Create and manage function apps and App Service hosting plans.
  • Assign roles to managed identities.
  • Create and manage storage accounts.
  • Create and manage Application Insights resources.
  • Access all dependent resources of your app, such as Azure Key Vault, Azure Service Bus, or Azure Event Hubs.

  Being assigned to the Owner or Contributor roles in your resource group generally provides sufficient permissions.

• Azure CLI, version v2.74.0, or a later version. Scripts are tested using Azure CLI in Azure Cloud Shell.

• The resource-graph extension, which you can install by using the az extension add command:

  az extension add --name resource-graph
  

• The jq tool, which is used to work with JSON output.

• Access to the Azure portal

• Access to the Azure subscription containing one or more function apps to migrate. The account used to access the portal must be able to:

  • Create and manage function apps and App Service hosting plans.

  • Assign roles to managed identities.

  • Create and manage storage accounts.

  • Access all dependent resources of your app, such as Azure Key Vault, Azure Service Bus, or Azure Event Hubs.

    Being assigned to the Owner or Contributor roles in your resource group generally provides sufficient permissions.

• A modern web browser that is up-to-date.

Use this az graph query command to list all function apps in your subscription that are running in a Consumption plan:

az graph query -q "resources | where subscriptionId == '$(az account show --query id -o tsv)' \
   | where type == 'microsoft.web/sites' | where ['kind'] == 'functionapp,linux' | where properties.sku == 'Dynamic' \
   | extend siteProperties=todynamic(properties.siteProperties.properties) | mv-expand siteProperties \
   | where siteProperties.name=='LinuxFxVersion' | project name, ___location, resourceGroup, stack=siteProperties.value" \
   --query data --output table

This command generates a table with the app name, ___location, resource group, and runtime stack for all Consumption apps running on Linux in the current subscription.

You're promoted to install the resource-graph extension, if it isn't already installed.

1. Navigate to the Azure Resource Graph Explorer in the Azure portal.

2. Copy this Kusto query, paste it in the query window, and select Run query:

   resources 
   | where type == 'microsoft.web/sites' 
   | where ['kind'] == 'functionapp,linux' 
   | where properties.sku == 'Dynamic'
   | extend siteProperties=todynamic(properties.siteProperties.properties) 
   | mv-expand siteProperties 
   | where siteProperties.name=='LinuxFxVersion' 
   | project name, ___location, resourceGroup, stack=tostring(siteProperties.value)
   

This command generates a table with the app name, ___location, resource group, and runtime stack for all Consumption apps running on Linux in the current subscription.

Use this az graph query command to list all function apps in your subscription that are running in a Consumption plan:

az graph query -q "resources | where subscriptionId == '$(az account show --query id -o tsv)' \
   | where type == 'microsoft.web/sites' | where ['kind'] == 'functionapp' | where properties.sku == 'Dynamic' \
   | project name, ___location, resourceGroup" \
   --query data --output table

This command generates a table with the app name, ___location, and resource group for all Consumption apps running on Windows in the current subscription.

You're promoted to install the resource-graph extension, if it isn't already installed.

1. Navigate to the Azure Resource Graph Explorer in the Azure portal.

2. Copy this Kusto query, paste it in the query window, and select Run query:

   resources 
   	| where type == 'microsoft.web/sites' 
   	| where ['kind'] == 'functionapp' 
   	| where properties.sku == 'Dynamic'
   	| project name, ___location, resourceGroup
   

This command generates a table with the app name, ___location, and resource group for all Consumption apps running on Windows in the current subscription.

Use this az functionapp list-flexconsumption-locations command to list all regions where Flex Consumption plan is available:

az functionapp list-flexconsumption-locations --query "sort_by(@, &name)[].{Region:name}" -o table

This command generates a table of Azure regions where the Flex Consumption plan is currently supported.

The create process for a function app in the Azure portal filters out regions that aren't currently supported by the Flex Consumption plan.

1. In the Azure portal, select Create a resource in the left-hand menu and select Function app > Create.

2. Select Flex Consumption > Select and in the Basics tab expand Region.

3. Review the supported Flex Consumption plan regions.

Use this az functionapp list-flexconsumption-runtimes command to verify Flex Consumption plan support for your language stack version in a specific region:

az functionapp list-flexconsumption-runtimes --___location <REGION> --runtime <LANGUAGE_STACK> --query '[].{version:version}' -o tsv

In this example, replace <REGION> with your current region and <LANGUAGE_STACK> with one of these values:

This command displays all versions of the specified language stack supported by the Flex Consumption plan in your region.

The create process for a function app in the Azure portal filters out language stack versions that aren't currently supported by the Flex Consumption plan.

1. In the Azure portal, select Create a resource in the left-hand menu and select Function app > Create.

2. Select Flex Consumption > Select and in the Basics tab select your language Runtime stack and Region.

3. Expand Version and review the supported versions of your language stack in your chosen region.

Use this az functionapp deployment slot list command to list any deployment slots defined in your function app:

az functionapp deployment slot list --name <APP_NAME> --resource-group <RESOURCE_GROUP> --output table

In this example, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group name and app name, respectively. If the command returns an entry, your app has deployment slots enabled.

To determine whether your function app has deployment slots enabled:

1. In the Azure portal, search for or otherwise navigate to your function app page.

2. In the left menu, select Deployment > Deployment slots.

3. If you see any slots listed in the Deployment slots page, your function app is currently using deployment slots.

Use the az webapp config ssl list command to list any TSL/SSL certificates available to your function app:

az webapp config ssl list --resource-group <RESOURCE_GROUP>  

In this example, replace <RESOURCE_GROUP> with your resource group name. If this command produces output, your app is likely using certificates.

To determine whether your function app is using TSL/SSL certificates:

1. In the Azure portal, search for or otherwise navigate to your function app page.

2. In the left menu, select Settings > Certificates.

3. Check the Managed certificates, Bring your own certificates (.pfx), Public key certificates (.cer) tabs for any installed certificates.

Use this [az functionapp function list] command to determine if your app has any Blob storage triggers that don't use Event Grid as the source:

az functionapp function list  --name <APP_NAME> --resource-group <RESOURCE_GROUP> \
  --query "[?config.bindings[0].type=='blobTrigger' && config.bindings[0].source!='EventGrid'].{Function:name,TriggerType:config.bindings[0].type,Source:config.bindings[0].source}" \
  --output table

In this example, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group name and app name, respectively. If the command returns rows, there is at least one trigger using container polling in your function app.

To determine whether your function app has any Blob storage triggers that don't use Event Grid as the source:

1. In the Azure portal, search for or otherwise navigate to your function app page.

2. In the Overview on the Functions tab, look for any functions with a Trigger type of Blob.

3. Select a blob trigger function and in the Code + Test select Resource JSON.

4. Locate the properties.config.bindings section of the function definition. This section should have a bindings.type of blobTrigger. If the bindings object has no source property or source has a value of LogsAndContainerScan, then the trigger is using container polling. An Event Grid source trigger instead has a source value of EventGrid.

5. Repeat steps 3-4 for any remaining Blob storage trigger functions in your app.

Use this az functionapp config appsettings list command to return an app_settings object that that contains the existing app setting as JSON:

app_settings=$(az functionapp config appsettings list --name `<APP_NAME>` --resource-group `<RESOURCE_GROUP>`)
echo $app_settings

In this example, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group name and app name, respectively.

To get your current function app settings:

1. In the Azure portal, search for or otherwise navigate to your function app page.

2. In the left menu, expand Settings and select Environment variables.

3. In the App settings tab, select Advanced edit then copy and save the JSON app settings content.

Use this script to obtain the relevant application configurations of your existing app:

# Set the app and resource group names
appName=<APP_NAME>
rgName=<RESOURCE_GROUP>

echo "Getting commonly used site settings..."
az functionapp config show --name $appName --resource-group $rgName \
    --query "{http20Enabled:http20Enabled, httpsOnly:httpsOnly, minTlsVersion:minTlsVersion, \
    minTlsCipherSuite:minTlsCipherSuite, clientCertEnabled:clientCertEnabled, \
    clientCertMode:clientCertMode, clientCertExclusionPaths:clientCertExclusionPaths}"

echo "Checking for SCM basic publishing credentials policies..."
az resource show --resource-group $rgName --name scm --namespace Microsoft.Web \
    --resource-type basicPublishingCredentialsPolicies --parent sites/$appName --query properties

echo "Checking for the maximum scale-out limit configuration..."
az functionapp config appsettings list --name $appName --resource-group $rgName \
    --query "[?name=='WEBSITE_MAX_DYNAMIC_APPLICATION_SCALE_OUT'].value" -o tsv

echo "Checking for any file share mount configurations..."
az webapp config storage-account list --name $appName --resource-group $rgName

echo "Checking for any custom domains..."
az functionapp config hostname list --webapp-name $appName --resource-group $rgName --query "[?contains(name, 'azurewebsites.net')==\`false\`]" --output table

echo "Checking for any CORS settings..."
az functionapp cors show --name $appName --resource-group $rgName 

In this example, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group name and app name, respectively. If any of the site settings or checks return non-null values, make a note of them.

To review the relevant application configurations of your existing app:

1. In the Azure portal, search for or otherwise navigate to your function app page.

2. In the left menu, expand Settings and select Configuration.

3. In the General settings tab, make a note of these settings:

   • SCM Basic Auth Publishing Credentials
   • HTTP version
   • HTTPS Only
   • Minimum Inbound TLS Version
   • Minimum Inbound TLS Cipher
   • Incoming client certificates

4. In the Path mappings tab, verify if there are any existing file share mounts required by your app. If there are, note the storage Account name, Share name, Mount path, and access Type for each mounted share.

5. Under Settings > Scale out, if Enforce Scale Out Limit is set to Yes, note the Maximum Scale Out Limit value.

6. Under Settings > Custom domains, note any ___domain names other than *.azurewebsites.net, the binding type, and SSL certificate information.

7. Under API > CORS, note any explicitly allowed CORS origins and other CORS settings.

This script checks for both the system-assigned managed identity and any user-assigned managed identities associated with your app:

appName=<APP_NAME>
rgName=<RESOURCE_GROUP>

echo "Checking for a system-assigned managed identity..."
systemUserId=$(az functionapp identity show --name $appName --resource-group $rgName --query "principalId" -o tsv) 

if [[ -n "$systemUserId" ]]; then
echo "System-assigned identity principal ID: $systemUserId"
echo "Checking for role assignments..."
az role assignment list --assignee $systemUserId --all
else
  echo "No system-assigned identity found."
fi

echo "Checking for user-assigned managed identities..."
userIdentities=$(az functionapp identity show --name $appName --resource-group $rgName --query 'userAssignedIdentities' -o json)
if [[ "$userIdentities" != "{}" && "$userIdentities" != "null" ]]; then
  echo "$userIdentities" | jq -c 'to_entries[]' | while read -r identity; do
    echo "User-assigned identity name: $(echo "$identity" | jq -r '.key' | sed 's|.*/userAssignedIdentities/||')"
	echo "Checking for role assignments..."
    az role assignment list --assignee $(echo "$identity" | jq -r '.value.principalId') --all --output json
    echo
  done
else
  echo "No user-assigned identities found."
fi

In this example, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group name and app name, respectively. Make a note of all identities and their role assignments.

1. In the Azure portal, search for or otherwise navigate to your function app page.

2. In the left menu, expand Settings and select Identity.

3. Check the System assigned tab to see if the system-assigned managed identity is enabled. If enabled, select Azure role assignments to view the roles assigned to this identity.

4. Check the User assigned tab to see if there any user-assigned managed identities are assigned. Note the names of any user-assigned identities.

5. For each user-assigned managed identity, select the identity and in the identity page select Azure role assignments.

6. Make a note of each role assignment granted to the identity and determine whether it's required by your app.

Document all identities and their role assignments so that you can recreate the same permissions structure for your new Flex Consumption app.

Use this az webapp auth show command to determine if built-in authentication is configured in your function app:

az webapp auth show --name <APP_NAME> --resource-group <RESOURCE_GROUP>

In this example, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group name and app name, respectively. Review the output to determine if authentication is enabled and which identity providers are configured.

You should recreate these setting in your new app post-migration so that your clients can maintain access using their preferred provider.

To determine if built-in client authentication is configured:

1. In the Azure portal, search for or otherwise navigate to your function app page.

2. In the left menu, expand Settings and select Authentication.

3. If built-in authentication is enabled, make a note of which client identity providers are configured. Also note any advanced settings such as token store, allowed external redirects, and allowed token audiences.

This az functionapp config access-restriction show command returns a list of any existing IP-based access restrictions:

az functionapp config access-restriction show --name <APP_NAME> --resource-group <RESOURCE_GROUP>

In this example, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group name and app name, respectively.

1. In the Azure portal, search for or otherwise navigate to your function app page.

2. In the left menu, expand Settings and select Networking.

3. If you see Enabled with no access restrictions for Public network access then there's no inbound access restrictions. Otherwise Select Access restrictions.

4. Document all configured IP-based access restrictions currently configured.

Consumption plan apps on Linux maintain the deployment zip package file in one of these locations:

• An Azure Blob storage container named scm-releases in the default host storage account (AzureWebJobsStorage). This container is the default deployment source for a Consumption plan app on Linux.

• If your app has a WEBSITE_RUN_FROM_PACKAGE setting that is a URL, the package is in an externally accessible ___location that is maintained by you. An external package should be hosted in a blob storage container with restricted access. For more information, see External package URL.

The ___location of your project source files depends on the WEBSITE_RUN_FROM_PACKAGE app setting as follows:

1. Use this az functionapp config appsettings list command to get the WEBSITE_RUN_FROM_PACKAGE app setting, if present:

   az functionapp config appsettings list --name <APP_NAME> --resource-group <RESOURCE_GROUP> \
       --query "[?name=='WEBSITE_RUN_FROM_PACKAGE'].value" -o tsv
   

   In this example, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group name and app name, respectively. If this command returns a URL, then you can download the deployment package file from that remote ___location and skip to the next section.

2. If the WEBSITE_RUN_FROM_PACKAGE value is 1 or nothing, use this script to get the deployment package for the existing app:

   appName=<APP_NAME>
   rgName=<RESOURCE_GROUP>
   
   echo "Getting the storage account connection string from app settings..."
   storageConnection=$(az functionapp config appsettings list --name $appName --resource-group $rgName \
            --query "[?name=='AzureWebJobsStorage'].value" -o tsv)
   
   echo "Getting the package name..."
   packageName=$(az storage blob list --connection-string $storageConnection --container-name scm-releases \
   --query "[0].name" -o tsv)
   
   echo "Download the package? $packageName? (Y to proceed, any other key to exit)"
   read -r answer
   if [[ "$answer" == "Y" || "$answer" == "y" ]]; then
      echo "Proceeding with download..."
      az storage blob download --connection-string $storageConnection --container-name scm-releases \
   --name $packageName --file $packageName
   else
      echo "Exiting script."
      exit 0
   fi
   

   Again, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group name and app name. The package .zip file is downloaded to the directory from which you executed the command.

1. In the Azure portal, search for or otherwise navigate to your function app page.

2. In the left menu, expand Settings > Environment variables and see if a setting named WEBSITE_RUN_FROM_PACKAGE exists.

3. If WEBSITE_RUN_FROM_PACKAGE exists, check if it's set to a value of 1 or a URL. If set to a URL, that URL is the ___location of the package file for your app content. Download the .zip file from that URL ___location that is owned by you.

4. If the WEBSITE_RUN_FROM_PACKAGE setting doesn't exist or is set to 1, you must download the package from the specific storage account, which depends on whether you're running on Linux or Windows.

5. Get the storage account name from the AzureWebJobsStorage or AzureWebJobsStorage__accountName application setting. For a connection string, the AccountName is the name your storage account.

6. In the portal, search for your storage account name.

7. In the storage account page, locate the deployment package and download it.

8. Expand Data storage > Containers and select scm_releases. Choose the file named scm-latest-<APP_NAME>.zip and select Download.

1. Use this az functionapp config appsettings list command to get the WEBSITE_RUN_FROM_PACKAGE app setting, if present:

   az functionapp config appsettings list --name <APP_NAME> --resource-group <RESOURCE_GROUP> \
       --query "[?name=='WEBSITE_RUN_FROM_PACKAGE'].value" -o tsv
   

   In this example, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group name and app name, respectively. If this command returns a URL, then you can download the deployment package file from that remote ___location and skip to the next section.

2. If the WEBSITE_RUN_FROM_PACKAGE value is 1 or nothing, use this script to get the deployment package for the existing app:

   appName=<APP_NAME>
   rgName=<RESOURCE_GROUP>
   
   echo "Getting the storage account connection string and file share from app settings..."
   json=$(az functionapp config appsettings list --name $appName --resource-group $rgName \
       --query "[?name=='WEBSITE_CONTENTAZUREFILECONNECTIONSTRING' || name=='WEBSITE_CONTENTSHARE'].value" -o json)
   
   storageConnection=$(echo "$json" | jq -r '.[0]')
   fileShare=$(echo "$json" | jq -r '.[1]')
   
   echo "Getting the package name..."
   packageName=$(az storage file list --share-name $fileShare --connection-string $storageConnection \
     --path "data/SitePackages" --query "[?ends_with(name, '.zip')] | sort_by(@, &properties.lastModified)[-1].name" \
     -o tsv) 
   
   echo "Download the package? $packageName? (Y to proceed, any other key to exit)"
   read -r answer
   if [[ "$answer" == "Y" || "$answer" == "y" ]]; then
       echo "Proceeding with download..."
       az storage file download --connection-string $storageConnection --share-name $fileShare \
   	--path "data/SitePackages/$packageName"
   else
       echo "Exiting script."
       exit 0
   fi
   

   Again, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group name and app name. The package .zip file is downloaded to the directory from which you executed the command.

1. In the Azure portal, search for or otherwise navigate to your function app page.

2. In the left menu, expand Settings > Environment variables and see if a setting named WEBSITE_RUN_FROM_PACKAGE exists.

3. If WEBSITE_RUN_FROM_PACKAGE exists, check if it's set to a value of 1 or a URL. If set to a URL, that URL is the ___location of the package file for your app content. Download the .zip file from that URL ___location that is owned by you.

4. If the WEBSITE_RUN_FROM_PACKAGE setting doesn't exist or is set to 1, you must download the package from the specific storage account, which depends on whether you're running on Linux or Windows.

5. Get the storage account name from the WEBSITE_CONTENTAZUREFILECONNECTIONSTRING setting, where the AccountName is the name your storage account. Also, make a note of the WEBSITE_CONTENTSHARE value, which is the name of the file share.

6. In the portal, search for your storage account name.

7. In the storage account page, locate the deployment package and download it.

8. Expand Data storage > File shares, select the share name from WEBSITE_CONTENTSHARE, and browse to the data\SitePackages subfolder. Choose the most recent .zip file and select Download.

Run this script that performs these tasks:

1. Gets app settings from the old app, ignoring settings that don't apply in a Flex Consumption plan or that already exist in the new app.
2. Writes the collected settings locally to a temporary file.
3. Applies settings from the file to your new app.
4. Deletes the temporary file.

sourceAppName=<SOURCE_APP_NAME>
destAppName=<DESTINATION_APP_NAME>
rgName=<RESOURCE_GROUP>

echo "Getting app settings from the old app..."
app_settings=$(az functionapp config appsettings list --name $sourceAppName --resource-group $rgName)

# Filter out settings that don't apply to Flex Consumption apps or that will already have been created
filtered_settings=$(echo "$app_settings" | jq 'map(select(
  (.name | ascii_downcase) != "website_use_placeholder_dotnetisolated" and
  (.name | ascii_downcase | startswith("azurewebjobsstorage") | not) and
  (.name | ascii_downcase) != "website_mount_enabled" and
  (.name | ascii_downcase) != "enable_oryx_build" and
  (.name | ascii_downcase) != "functions_extension_version" and
  (.name | ascii_downcase) != "functions_worker_runtime" and
  (.name | ascii_downcase) != "functions_worker_runtime_version" and
  (.name | ascii_downcase) != "functions_max_http_concurrency" and
  (.name | ascii_downcase) != "functions_worker_process_count" and
  (.name | ascii_downcase) != "functions_worker_dynamic_concurrency_enabled" and
  (.name | ascii_downcase) != "scm_do_build_during_deployment" and
  (.name | ascii_downcase) != "website_contentazurefileconnectionstring" and
  (.name | ascii_downcase) != "website_contentovervnet" and
  (.name | ascii_downcase) != "website_contentshare" and
  (.name | ascii_downcase) != "website_dns_server" and
  (.name | ascii_downcase) != "website_max_dynamic_application_scale_out" and
  (.name | ascii_downcase) != "website_node_default_version" and
  (.name | ascii_downcase) != "website_run_from_package" and
  (.name | ascii_downcase) != "website_skip_contentshare_validation" and
  (.name | ascii_downcase) != "website_vnet_route_all" and
  (.name | ascii_downcase) != "applicationinsights_connection_string"
))')

echo "Settings to migrate..."
echo "$filtered_settings"

echo "Writing settings to a local a local file (app_settings_filtered.json)..."
echo "$filtered_settings" > app_settings_filtered.json

echo "Applying settings to the new app..."
output=$(az functionapp config appsettings set --name $destAppName --resource-group $rgName --settings @app_settings_filtered.json)

echo "Deleting the temporary settings file..."
rm -rf app_settings_filtered.json  

echo "Current app settings in the new app..."
az functionapp config appsettings list --name $destAppName --resource-group $rgName 

In this example, replace <RESOURCE_GROUP>, <SOURCE_APP_NAME>, and <DEST_APP_NAME> with your resource group name and the old a new app names, respectively. This script assumes that both apps are in the same resource group.

To transfer settings:

1. In the Azure portal, search for or otherwise navigate to the page for your new app.

2. In the left menu, expand Settings > Environment variables and in the App settings tab select + Add.

3. Type or paste-in both the setting Name and Value and then select Apply.

4. Repeat the previous step for each setting in the old app that you need to recreate in the new app. If a setting already exists in the new app, skip it. You should also skip any setting that's deprecated in the Flex Consumption plan.

5. After adding all relevant settings, select Apply > Save.

In this script, set the value for any configuration set in the original app and comment-out any commands for any configuration not set (null):

appName=<APP_NAME>
rgName=<RESOURCE_GROUP>
http20Setting=<YOUR_HTTP_20_SETTING>
minTlsVersion=<YOUR_TLS_VERSION>
minTlsCipher=<YOUR_TLS_CIPHER>
httpsOnly=<YOUR_HTTPS_ONLY_SETTING>
certEnabled=<CLIENT_CERT_ENABLED>
certMode=<YOUR_CLIENT_CERT_MODE>
certExPaths=<CERT_EXCLUSION_PATHS>
scmAllowBasicAuth=<ALLOW_SCM_BASIC_AUTH>

# Apply HTTP version and minimum TLS settings
az functionapp config set --name $appName --resource-group $rgName --http20-enabled $http20Setting  
az functionapp config set --name $appName --resource-group $rgName --min-tls-version $minTlsVersion

# Apply the HTTPS-only setting
az functionapp update --name $appName --resource-group $rgName --set HttpsOnly=$httpsOnly

# Apply incoming client cert settings
az functionapp update --name $appName --resource-group $rgName --set clientCertEnabled=$certEnabled
az functionapp update --name $appName --resource-group $rgName --set clientCertMode=$certMode
az functionapp update --name $appName --resource-group $rgName --set clientCertExclusionPaths=$certExPaths

# Apply the TLS cipher suite setting
az functionapp update --name $appName --resource-group $rgName --set minTlsCipherSuite=$minTlsCipher

# Apply the allow scm basic auth configuration
az resource update --resource-group $rgName --name scm --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies \
	--parent sites/$appName --set properties.allow=$scmAllowBasicAuth

In this example, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group and function app names, respectively. Also, replace the placeholders of any variable definitions for existing settings you want to recreate in the new app, and comment-out any null settings.

1. In the Azure portal, search for or otherwise navigate to the page for your new app.

2. In the left menu, expand Settings > Configuration and on the General settings tab update these settings to match what you documented from your original Consumption plan app:

   • SCM Basic Auth Publishing Credentials
   • HTTP version
   • HTTPS Only
   • Minimum Inbound TLS Version and cypher
   • Client Certificate settings

3. Select Save to apply the configuration changes.

Use this az functionapp scale config set command to set the maximum scale-out.

az functionapp scale config set --name <APP_NAME> --resource-group <RESOURCE_GROUP> \
    --maximum-instance-count <MAX_SCALE_SETTING>

In this example, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group and function app names, respectively. Replace <MAX_SCALE_SETTING> with the maximum scale value you're setting.

To configure scale and concurrency in your new app:

1. In the Azure portal, search for or otherwise navigate to the page for your new app.

2. In the left menu, expand Settings > Scale and concurrency and for Maximum instance count set a maximum value out to which your app is allowed to scale.

3. Select Save to apply the changes.

Use this az webapp config storage-account add command to reconnect each storage share in your new app.

az webapp config storage-account add --name <APP_NAME> --resource-group <RESOURCE_GROUP> \
  --custom-id <MOUNT_NAME> --storage-type AzureFiles --account-name <STORAGE_ACCOUNT> \
  --share-name <STORAGE_SHARE_NAME> --access-key <ACCESS_KEY> --mount-path <MOUNT_PATH>

In this example, make these replacements based on the details you documented during premigration:

Repeat this step for each file share being reconnected.

To reconnect file shares in your new app:

1. In the Azure portal, search for or otherwise navigate to the page for your new app.

2. In the left menu, expand Settings > Configuration and on the Path mappings tab select + New Azure Storage Mount and set these mount properties based on the details you documented during premigration:

   Property	Description
   Name	The name used for the connected share in your app.
   Storage account	Select the storage account to connect.
   Storage type	Choose Azure Files.
   Protocol	Choose SMB.
   Storage container	Select the name of the share in your storage account.
   Mount path	The path to your connected share in your app.

3. Select OK and repeat the previous step for any other shares you need to reconnect.

4. When you're done adding shares, select Save.

1. Use this az functionapp config hostname add command to rebind any custom ___domain mappings to your app:

   az functionapp config hostname add --name <APP_NAME> --resource-group <RESOURCE_GROUP> \
       --hostname <CUSTOM_DOMAIN>
   

   In this example, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group and function app names, respectively. Replace <CUSTOM_DOMAIN> with your custom ___domain name.

2. Use this az functionapp cors add command to replace any CORS settings:

   az functionapp cors add --name <APP_NAME> --resource-group <RESOURCE_GROUP> \
       --allowed-origins <ALLOWED_ORIGIN_1> <ALLOWED_ORIGIN_2> <ALLOWED_ORIGIN_N>
   

   In this example, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group and function app names, respectively. Replace <ALLOWED_ORIGIN_*> with your allowed origins.

1. In the Azure portal, search for or otherwise navigate to the page for your new app.

2. In the left menu, expand Settings > Custom domains, select + Add custom ___domain, configure the custom ___domain, select Validate, and then select Add.

3. Repeat the previous step to add any other custom domains.

4. In the left menu, expand API > CORS, add one or more Allowed origins, and select Save.

1. Use this az functionapp identity assign command to enable the system-assigned managed identity in your new app:

   az functionapp identity assign --name <APP_NAME> --resource-group <RESOURCE_GROUP>
   

   In this example, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group and function app names, respectively.

2. Use this script to get the principal ID of the system assigned identity and add it to the required roles:

   # Get the principal ID of the system identity
   principalId=$(az functionapp identity show --name <APP_NAME> --resource-group <RESOURCE_GROUP> \
       --query principalId -o tsv)
   
   # Assign a role in a specific resource (scope) to the system identity
   az role assignment create --assignee $principalId --role "<ROLE_NAME>" --scope "<RESOURCE_ID>"
   

   In this example, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group and function app names, respectively. Replace <ROLE_NAME> and <RESOURCE_ID> with the role name and specific resource you captured from the original app.

3. Repeat the previous commands for each role required by the new app.

Use this script to get the ID of an existing user-assigned managed identity and associate it with your new app:

appName=<APP_NAME>
rgName=<RESOURCE_GROUP>
userName=<USER_IDENTITY_NAME>

userId=$(az identity show --name $userName --resource-group $rgName --query 'id' -o tsv)
az functionapp identity assign --name $appName --resource-group $rgName --identities $userId

Repeat this script for each role required by the new app.

1. In the Azure portal, search for or otherwise navigate to the page for your new app.

2. In the left menu, expand Settings > Identity and on the System assigned tab set Status to On.

3. Select Azure role assignments in the left pane.

4. Select + Add role assignment the set these assignment properties for a role you documented in the original app:

   Property	Description
   Scope	The resource type being accessed.
   Subscription	The subscription of the resource.
   Resource	The specific resource within the selected scope.
   Role	Search for and select the role being assigned.

5. Select Save to add the scope, and repeat the previous step for each documented role required by the new app.

1. In the Azure portal, search for or otherwise navigate to the page for your new app.

2. In the left menu, expand Settings > Identity and on the User assigned tab select + Add.

3. Select an existing identity and then Add.

4. Select the identity you just added and select Azure role assignments in the left pane.

5. Select + Add role assignment the set these assignment properties for a role you documented in the original app:

   Property	Description
   Scope	The resource type being accessed.
   Subscription	The subscription of the resource.
   Resource	The specific resource within the selected scope.
   Role	Search for and select the role being assigned.

6. Select Save to add the scope, and repeat the previous step for each documented role required by the new app.

Based on the information you collected earlier, use the az webapp auth update command to recreate each built-in authentication registration required by your app.

1. In the Azure portal, search for or otherwise navigate to the page for your new app.

2. In the left menu, expand Settings > Authentication and select Add identity provider.

3. Select your desired Identity provider and set the configurations and permissions required by the authenticator.

For more information, see these provider-specific articles:

• Configure your Azure Functions app to use Microsoft Entra sign-in
• Configure your Azure Functions app to use GitHub login
• Configure your Azure Functions app to use Google authentication
• Configure your Azure Functions app to use Facebook login
• Configure your Azure Functions app to use X login

Use this az functionapp config access-restriction add command for each IP access restriction you want to replicate in the new app:

az functionapp config access-restriction add --name <APP_NAME> --resource-group <RESOURCE_GROUP> \
  --rule-name <RULE_NAME> --action Deny --ip-address <IP_ADDRESS> --priority <PRIORITY>

In this example, replace these placeholders with the values from your original app:

Run this command for each documented IP restriction from the original app.

To add IP-based networking restrictions:

1. In the Azure portal, search for or otherwise navigate to the page for your new app.

2. In the left menu, expand Settings > Networking and select the link next to Public network access.

3. In the Access restrictions page under Site access and rules, select + Add and enter these settings for a specific IP restriction:

   Setting	Value
   Name	Friendly name for the IP rule.
   Action	Deny
   Priority	Priority for the exclusion.
   Type	Select either IPv4 or IPv6.
   IP Address Block	The IP addresses to exclude.

4. Select Add rule and repeat the previous step for each access restriction you documented.

5. After you enter all of the IP restrictions from the original app, select Save.

You should update your existing deployment workflows to deploy your source code to your new app:

• Build and deploy using Azure Pipelines
• Build and deploy using GitHub Actions

You can also create a new continuous deployment workflow for your new app. For more information, see Continuous deployment for Azure Functions

You can use these tools to achieve a one-off deployment of your code project to your new plan:

• Visual Studio Code
• Visual Studio
• Azure Functions Core Tools

You can use this az functionapp deployment source config-zip command to redeploy a downloaded package or a newly created deployment package:

az functionapp deployment source config-zip --resource-group <RESOURCE_GROUP> --name <APP_NAME> --src <PACKAGE_PATH>

In this example, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group and function app names, respectively. Replace <PACKAGE_PATH> with the path and file name of your deployment package, such as /path/to/function/package.zip.

Use the az functionapp delete command to delete the original function app:

az functionapp delete --name <ORIGINAL_APP_NAME> --resource-group <RESOURCE_GROUP>

In this example, replace <RESOURCE_GROUP> and <APP_NAME> with your resource group and function app names, respectively.

1. In the Azure portal, search for or otherwise navigate to the page for your new app.

2. Select Delete from the top menu.

3. Confirm the deletion by typing the app name and selecting Delete.