Azure Cognitive Search Data Source: Managed Identity Not Persisting - Always Returns Null

Hi,

Yes, the Storage Blob Data Reader role has been properly assigned and verified multiple times.

Configuration Verified ✅

Role Assignment:

• Role: Storage Blob Data Reader
• Assigned to: User-assigned managed identity
• Scope: Storage account
• Confirmed via Access Control (IAM) - attempting to add the role again returns "The role assignment already exists"

Identity Configuration:

• User-assigned managed identity is attached to the search service (confirmed in Identity → User assigned tab)
• Identity is properly configured in the data source when using API version 2025-11-01-preview

Blob Metadata:

All 12 custom metadata fields verified present on blobs via Azure CLI:

{

  "document_id": "1",

  "document_type": "policy",

  "tenant_id": "centre-123",

  "version": "v1.0",

  "jurisdiction": "federal",

  "source_type": "internal",

  "generated_by": "human",

  "last_updated": "2025-11-24T22:45:00+11:00",

  "element": "2.2.1",

  "qa": "QA2",

  "provider_id": "provider-xyz",

  "title": "Supervision Policy"

}

The Core Issue 🔍

Despite proper configuration, the data source does not persist authentication credentials:

Using API version 2025-11-01-preview:

GET /datasources/my-datasource?api-version=2025-11-01-preview

Returns:

{

  "identity": {

    "@odata.type": "#Microsoft.Azure.Search.DataUserAssignedIdentity",

    "userAssignedIdentity": "/subscriptions/.../userAssignedIdentities/my-identity"

  },

  "credentials": {

    "connectionString": null  ← PROBLEM: Not persisting

  }

}

Even when explicitly provided in PUT/POST requests:

{

  "credentials": {

    "connectionString": "ResourceId=/subscriptions/.../storageAccounts/myaccount;"

  },

  "identity": {

    "@odata.type": "#Microsoft.Azure.Search.DataUserAssignedIdentity",

    "userAssignedIdentity": "/subscriptions/.../my-identity"

  }

}

Observable Behavior

Indexer execution:

• Status: Success ✅
• Documents processed: 2/2 ✅
• Errors: 0 ✅
• Warnings: 0 ✅

Search results:

• Content field: Populated ✅
• All 12 custom metadata fields: null ❌

This indicates the indexer can enumerate and read blob content (via AzureServices firewall bypass) but cannot authenticate to read custom metadata.

What I've Exhausted

1. ✅ API version 2024-07-01 → Error: "Cannot find nested property 'identity'"
2. ✅ API version 2024-11-01-preview → Identity persists but connectionString returns null
3. ✅ API version 2025-11-01-preview → Same result: identity persists, connectionString null
4. ✅ Portal UI configuration (both user-assigned and system-assigned) → Identity shows null via API
5. ✅ REST API POST and PUT methods → connectionString not persisted
6. ✅ Deleted and recreated all resources multiple times
7. ✅ Reset indexer tracking state
8. ✅ Verified role assignments at subscription, resource group, and resource levels
9. ✅ Changed index schema to match metadata structure (Collection → String)

Environment Details

• Storage account uses customer-managed encryption keys (Azure Key Vault)
• Storage account firewall enabled (defaultAction: Deny, bypass: AzureServices)
• Same managed identity successfully accesses Key Vault for encryption
• Storage account: allowSharedKeyAccess = false (requires managed identity)

Request for Microsoft Support

I have an active support plan with Microsoft but am unable to create support tickets via the Azure Portal (experiencing navigation issues).

Could a Microsoft engineer please:

1. Contact me offline to investigate this issue
2. Confirm if this is a known limitation with customer-managed encryption keys
3. Provide the correct method to configure managed identity for data sources when credentials.connectionString refuses to persist

This is blocking production deployment of a compliance-critical search system. The workaround (enabling shared key access) defeats our security requirements.

Any assistance would be greatly appreciated!

Contact preference: Offline assistance via my Azure subscription support channel

Thank you,

Sean

Hi @Sean M

Could you please share the Indexer Mapping Definition, along with details on how and where the metadata is stored in the Storage Account?

Since the User Assigned Managed Identity is able to retrieve the blob content even when the connectionString is null, it indicates that the identity has access to the container. Logically, it should also be able to retrieve the metadata.

The key concern now is whether the UAMI has access to the metadata at the specific location or whether the metadata keys and paths are aligned correctly. At this stage, mapping issues seem less likely, but verifying both the metadata location and the indexer mappings will help narrow down the root cause.

Hello Sean M,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that your Azure Cognitive Search Data Source: Managed Identity Not Persisting - Always Returns Null.

If you've tried the above pointers from @Vimal Lalani and you still have the issue, follow the below to rectify the issue:

1. Run indexer > test query result for metadata_<field>.
2. Ensure trusted Azure services bypass is enabled; temporarily disable encryption or test with Microsoft-managed key.
3. Confirm user-assigned identity is supported in preview only for 2025-11-01-preview.
4. Set Metadata Role Using Azure CLI

      az role assignment create \
      --role "Storage Blob Metadata Reader" \
      --assignee-object-id $USER_ID \
      --scope /subscriptions/.../resourceGroups/.../providers/Microsoft.Storage/storageAccounts/.../blobServices/default/containers/docs
   

5. Then re-create datasource using preview API above.

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.