@Tovli, Thanks for the question! We are taking a look into this and will get back to you soon.

@Tovli, Apologies for the delay on this.
As mentioned in these documents userAssignedIdentities template reference and Managed Identity REST API reference, the supported API version is ‘2018-11-30’. You could try with this and let us know the outcome, while I check on this further.

The aforementioned Azure Rest API reference are auto generated docs based on Swagger APIs, checkout this document for more details -https://github.com/Azure/azure-rest-api-specs -That being said, the feedback will be shared with the respective engineering team to update to the latest version, but no ETA on this yet. Apologies for any inconvenience you experienced with this issue.

Additionally- Microsoft.ManagedIdentity resource types

@mattchenderson, Requesting your comments on the API version support.

Thanks @AjayKumar-MSFT
Does that mean that the api-version is for the resource and not for the msi/Token api?
That is a bit confusing as it worked with old api-version of the msi/token which isn't part of the user-assigned-identity api you've posted

@Tovli, If 2018-11-30 API version works for resource then it would work for API as well and same with other versions. Microsoft.ManagedIdentity resource types and Microsoft.Web resource types.

40968 - Your feedback has been shared with the content owner for further review and update the document as appropriate.

The documentation still shows the wrong api-version parameter. I can confirm ONLY 2017-09-01 works, 2018-11-30 does NOT work.

Can confirm that this is still an issue - tested on Azure .NET SDK:
Microsoft.Azure.Management.Fluent (Version=1.34.0)

var azureServiceTokenProvider = new AzureServiceTokenProvider();
var tokenTask = azureServiceTokenProvider.GetAccessTokenAsync(@"https://management.azure.com", AUTH_TENANT);

Resulting in the following exception with Function App running on cloud:

Parameters: Connection String: [No connection string specified], Resource: https://management.azure.com, Authority: https://login.microsoftonline.com/0debab66-8676-46dc-96a0-5c6b3e9993bb. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connection String: [No connection string specified], Resource: https://management.azure.com, Authority: https://login.microsoftonline.com/0debab66-8676-46dc-96a0-5c6b3e9993bb. Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. Received a non-retryable error. MSI ResponseCode: BadRequest, Response: {"error":{"code":"UnsupportedApiVersion","message":"The HTTP resource that matches the request URI 'http://localhost:8081/msi/token?resource=https://management.azure.com&api-version=2019-08-01' does not support the API version '2019-08-01'.","innerError":null}​}
Parameters: Connection String: [No connection string specified], Resource: https://management.azure.com, Authority: https://login.microsoftonline.com/0debab66-8676-46dc-96a0-5c6b3e9993bb. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set.
Parameters: Connection String: [No connection string specified], Resource: https://management.azure.com, Authority: https://login.microsoftonline.com/0debab66-8676-46dc-96a0-5c6b3e9993bb. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 

Specifying "https://management.azure.com&api-version=2017-09-01" in azureServiceTokenProvider.GetAccessTokenAsync as suggested by @jflieben results in the following exception with Function App running on cloud:

Parameters: Connection String: [No connection string specified], Resource: https://management.azure.com&api-version=2017-09-01, Authority: https://login.microsoftonline.com/0debab66-8676-46dc-96a0-5c6b3e9993bb. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connection String: [No connection string specified], Resource: https://management.azure.com&api-version=2017-09-01, Authority: https://login.microsoftonline.com/0debab66-8676-46dc-96a0-5c6b3e9993bb. Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. Received a non-retryable error. MSI ResponseCode: BadRequest, Response: {"error":{"code":"AmbiguousApiVersion","message":"The following API versions were requested: 2017-09-01, 2019-08-01. At most, only a single API version may be specified. Please update the intended API version and retry the request.","innerError":null}​}
Parameters: Connection String: [No connection string specified], Resource: https://management.azure.com&api-version=2017-09-01, Authority: https://login.microsoftonline.com/0debab66-8676-46dc-96a0-5c6b3e9993bb. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Resource https://management.azure.com&api-version=2017-09-01 is not in expected format. Only alphanumeric characters, [dot], [colon], [hyphen], and [forward slash] are allowed.
Parameters: Connection String: [No connection string specified], Resource: https://management.azure.com&api-version=2017-09-01, Authority: https://login.microsoftonline.com/0debab66-8676-46dc-96a0-5c6b3e9993bb. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. Resource https://management.azure.com&api-version=2017-09-01 is not in expected format. Only alphanumeric characters, [dot], [colon], [hyphen], and [forward slash] are allowed.

Should be noted that there's no issue when debugging in VS Studio locally.

I'm surprised with the lack of traction from such an issue - interested in hearing if anyone else can replicate before opening an issue pertaining to the .NET SDK.

Can also confirm this is still an issue, it's been specific to azure functions on linux for me as it succesfully retrieves a token from azure functions on windows

It seems to be working fine for me when working on azure functions on windows server but it will give the UnsupportedApiVersion error when running the same code on a linux server.

I'm using nodeJS, Azure Functions runtime 3.0.13901.0 for both the windows and linux function app.

As mentioned in the previous comments, I've tried several api-version for the linux server with no luck, 2017-09-01 won't give me the UnsupportedApiVersion though, it'll just return a 401, the rest of my attempts get returned with UnsupportedApiVersion so I think this might be a linux specific issue.

sample response when requesting from windows
{ "access_token": "VALID TOKEN", "expires_on": "1593108148", "resource": "https://database.windows.net/", "token_type": "Bearer", "client_id": "xxxxxxxxxxxxxx-xxxxx-xxxx-xx-xx" }
sample response when requesting from linux
{ "name": "StatusCodeError", "statusCode": 400, "message": "400 - \"{\\\"error\\\":{\\\"code\\\":\\\"UnsupportedApiVersion\\\",\\\"message\\\":\\\"The HTTP resource that matches the request URI 'http://localhost:8081/msi/token/?resource=https://database.windows.net/&api-version=2019-08-01' does not support the API version '2019-08-01'.\\\",\\\"innerError\\\":null}}\"", "error": "{\"error\":{\"code\":\"UnsupportedApiVersion\",\"message\":\"The HTTP resource that matches the request URI 'http://localhost:8081/msi/token/?resource=https://database.windows.net/&api-version=2019-08-01' does not support the API version '2019-08-01'.\",\"innerError\":null}}", "options": { "method": "GET", "uri": "http://localhost:8081/msi/token/?resource=https://database.windows.net/&api-version=2019-08-01", "headers": { "X-IDENTITY-HEADER": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" }, "simple": true, "resolveWithFullResponse": false, "transform2xxOnly": false }, "response": { "statusCode": 400, "body": "{\"error\":{\"code\":\"UnsupportedApiVersion\",\"message\":\"The HTTP resource that matches the request URI 'http://localhost:8081/msi/token/?resource=https://database.windows.net/&api-version=2019-08-01' does not support the API version '2019-08-01'.\",\"innerError\":null}}", "headers": { "connection": "close", "date": "Wed, 24 Jun 2020 18:39:42 GMT", "content-type": "application/json; charset=utf-8", "server": "Kestrel", "transfer-encoding": "chunked" }, "request": { "uri": { "protocol": "http:", "slashes": true, "auth": null, "host": "localhost:8081", "port": "8081", "hostname": "localhost", "hash": null, "search": "?resource=https://database.windows.net/&api-version=2019-08-01", "query": "resource=https://database.windows.net/&api-version=2019-08-01", "pathname": "/msi/token/", "path": "/msi/token/?resource=https://database.windows.net/&api-version=2019-08-01", "href": "http://localhost:8081/msi/token/?resource=https://database.windows.net/&api-version=2019-08-01" }, "method": "GET", "headers": { "X-IDENTITY-HEADER": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" } } } }
code being executed

const { Connection, Request } = require("tedious");
const rp = require("request-promise");

async function getToken() {
const resource = "https://database.windows.net/";
const options = {
method: "GET",
uri: ${process.env["IDENTITY_ENDPOINT"]}/?resource=${resource}&api-version=2019-08-01,
headers: {
"X-IDENTITY-HEADER": process.env["IDENTITY_HEADER"],
},
};
try {
const response = await rp(options);
return Promise.resolve(response);
} catch (error) {
return Promise.resolve(error);
// return Promise.reject(error);
}
}

module.exports = async function (context, req) {
const result = await getToken();
context.log(result);
context.log("JavaScript HTTP trigger function processed a request.");
return {
// status: 200, /* Defaults to 200 */
body: result,
};
};

Hey @axelglzc ,

Thanks for pitching in - I should've clarified, but my function app lives on a Linux app service plan as well.

@AjayKumar-MSFT , could you please direct us to the appropriate project to make a formal issue for relevancy and visibility?

Apologies for the delay, Alvin. I have followed-up on this internally.
@mattchenderson, Your feedback has been shared with the content owner for further review and update the document as appropriate.

Hi all - I'd like to understand specifically which hosting options are being used for some of the above statements. Linux Consumption (Functions) and Linux App Service Plan are what I see so far - is that correct?

I'll try and get a repro / get some other folks investigating.

We have the above mentioned issue and are running on the following specs:

• Linux consumption plan
• Runtime Version ~2
• Python

By the way: I came here after trying this example: https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=python#obtain-tokens-for-azure-resources

Hey @mattchenderson ,
I'm replicating the same issue on:

• Linux consumption plan
• Runtime v2
• C# (.NET Core 2)

Thanks, all. I was able to successfully reproduce the issue on Linux Consumption (no luck with a dedicated Linux App Service plan, though - that works as expected).

We've identified cause here and will be trying to fix it in product ASAP. I'm waiting on an ETA, but if I get any indication that the ETA is going to take any time, I'll add a specific note to the document which says something to the effect of "For Linux Consumption, use the 2017-09-01 version."

Sorry about the confusion this created and for the amount of time that this issue report has been open, but I really do appreciate everyone providing all of the details in this discussion to help out.

I'll post back here with an update for Linux Consumption when I have one. If anyone is still seeing an issue with Linux App Service Plans, please let me know.

Slight hiccup here it looks like. I'll go ahead and get that note in.

I just missed the morning publish window I think, but it should get picked up in the afternoon doc update.

Since the doc has been updated, I'm going to go ahead and close this issue. Once I have confirmation and have verified successful behavior in Linux Consumption, I will remove the warnings that I introduced.

Thanks again, everyone, for providing great detail and helping us track this down. I'm hoping to have the new API version in Linux Consumption very soon.

please-close