Source from repo

Azure Upgrade

Assess and upgrade Azure workloads between plans, tiers, or SKUs with automated migration steps

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

156.9 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/services/functions/automation.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown422 linesFree

references/services/functions/automation.md

1# Automation: Consumption to Flex Consumption Upgrade
2 
3> These are the Azure CLI scripts to automate the upgrade from Linux Consumption plan to Flex Consumption plan.
4> All scripts use `bash` syntax compatible with Azure Cloud Shell. For PowerShell, adapt accordingly.
5>
6> **Source docs**: [Linux migration guide](https://learn.microsoft.com/en-us/azure/azure-functions/migration/migrate-plan-consumption-to-flex?pivots=platform-linux)
7 
8## Prerequisites
9 
10```bash
11# Ensure Azure CLI v2.77.0+
12az --version
13 
14# Install resource-graph extension
15az extension add --name resource-graph
16 
17# Login and set subscription
18az login
19az account set --subscription <SUBSCRIPTION_ID>
20```
21 
22---
23 
24## Step 1: Identify Candidate Apps
25 
26```bash
27# List all Linux Consumption apps with eligibility status
28az functionapp flex-migration list
29```
30 
31This returns two arrays:
32- `eligible_apps` — apps that can be migrated to Flex Consumption
33- `ineligible_apps` — apps with specific reasons why not
34 
35The output includes app name, resource group, location, and runtime stack for each app.
36 
37---
38 
39## Step 2: Assessment Checks
40 
41Set variables for your app:
42 
43```bash
44appName=<APP_NAME>
45rgName=<RESOURCE_GROUP>
46```
47 
48### 2a. Confirm Region Compatibility
49 
50```bash
51# List all regions where Flex Consumption is available
52az functionapp list-flexconsumption-locations --query "sort_by(@, &name)[].{Region:name}" -o table
53```
54 
55### 2b. Verify Language Stack Compatibility
56 
57Supported stacks: `dotnet-isolated`, `node`, `java`, `python`, `powershell`, `custom`.
58**Not supported**: `dotnet` (in-process) — must migrate to isolated first.
59 
60### 2c. Verify Stack Version Compatibility
61 
62```bash
63# Check supported versions for a specific runtime in a specific region
64az functionapp list-flexconsumption-runtimes --location <REGION> --runtime <LANGUAGE_STACK> \
65    --query '[].{version:version}' -o tsv
66```
67 
68Replace `<REGION>` with the app's region and `<LANGUAGE_STACK>` with one of: `dotnet-isolated`, `java`, `node`, `powershell`, `python`.
69 
70### 2d. Check Deployment Slots
71 
72```bash
73# List any deployment slots
74az functionapp deployment slot list --name $appName --resource-group $rgName --output table
75```
76 
77If this returns entries, the app has slots. Flex Consumption does NOT support slots — plan accordingly.
78 
79### 2e. Check TLS/SSL Certificates
80 
81```bash
82# List certificates available to the app
83az webapp config ssl list --resource-group $rgName
84```
85 
86If this returns output, the app likely uses certificates. Flex Consumption does NOT support certs yet.
87 
88### 2f. Check Blob Storage Triggers
89 
90```bash
91# Find blob triggers NOT using EventGrid source
92az functionapp function list --name $appName --resource-group $rgName \
93  --query "[?config.bindings[0].type=='blobTrigger' && config.bindings[0].source!='EventGrid'].{Function:name,TriggerType:config.bindings[0].type,Source:config.bindings[0].source}" \
94  --output table
95```
96 
97If this returns rows, convert those blob triggers from `LogsAndContainerScan` to `EventGrid` before upgrading.
98 
99---
100 
101## Step 3: Pre-Migration — Collect Settings
102 
103### 3a. Collect App Settings
104 
105```bash
106appName=<APP_NAME>
107rgName=<RESOURCE_GROUP>
108 
109# Get all app settings as JSON
110app_settings=$(az functionapp config appsettings list --name $appName --resource-group $rgName)
111echo "$app_settings"
112```
113 
114### 3b. Collect Application Configurations
115 
116```bash
117appName=<APP_NAME>
118rgName=<RESOURCE_GROUP>
119 
120echo "Getting commonly used site settings..."
121az functionapp config show --name $appName --resource-group $rgName \
122    --query "{http20Enabled:http20Enabled, httpsOnly:httpsOnly, minTlsVersion:minTlsVersion, \
123    minTlsCipherSuite:minTlsCipherSuite, clientCertEnabled:clientCertEnabled, \
124    clientCertMode:clientCertMode, clientCertExclusionPaths:clientCertExclusionPaths}"
125 
126echo "Checking for SCM basic publishing credentials policies..."
127az resource show --resource-group $rgName --name scm --namespace Microsoft.Web \
128    --resource-type basicPublishingCredentialsPolicies --parent sites/$appName --query properties
129 
130echo "Checking for the maximum scale-out limit configuration..."
131az functionapp config appsettings list --name $appName --resource-group $rgName \
132    --query "[?name=='WEBSITE_MAX_DYNAMIC_APPLICATION_SCALE_OUT'].value" -o tsv
133 
134echo "Checking for any file share mount configurations..."
135az webapp config storage-account list --name $appName --resource-group $rgName
136 
137echo "Checking for any custom domains..."
138az functionapp config hostname list --webapp-name $appName --resource-group $rgName \
139    --query "[?contains(name, 'azurewebsites.net')==\`false\`]" --output table
140 
141echo "Checking for any CORS settings..."
142az functionapp cors show --name $appName --resource-group $rgName
143```
144 
145### 3c. Identify Managed Identities and Role Assignments
146 
147```bash
148appName=<APP_NAME>
149rgName=<RESOURCE_GROUP>
150 
151echo "Checking for a system-assigned managed identity..."
152systemUserId=$(az functionapp identity show --name $appName --resource-group $rgName \
153    --query "principalId" -o tsv)
154 
155if [[ -n "$systemUserId" ]]; then
156    echo "System-assigned identity principal ID: $systemUserId"
157    echo "Checking for role assignments..."
158    az role assignment list --assignee $systemUserId --all
159else
160    echo "No system-assigned identity found."
161fi
162 
163echo "Checking for user-assigned managed identities..."
164userIdentities=$(az functionapp identity show --name $appName --resource-group $rgName \
165    --query 'userAssignedIdentities' -o json)
166 
167if [[ "$userIdentities" != "{}" && "$userIdentities" != "null" ]]; then
168    echo "$userIdentities" | jq -c 'to_entries[]' | while read -r identity; do
169        echo "User-assigned identity: $(echo "$identity" | jq -r '.key' | sed 's|.*/userAssignedIdentities/||')"
170        echo "Checking for role assignments..."
171        az role assignment list --assignee $(echo "$identity" | jq -r '.value.principalId') --all --output json
172        echo
173    done
174else
175    echo "No user-assigned identities found."
176fi
177```
178 
179### 3d. Check Built-in Authentication
180 
181```bash
182az webapp auth show --name $appName --resource-group $rgName
183```
184 
185### 3e. Review Inbound Access Restrictions
186 
187```bash
188az functionapp config access-restriction show --name $appName --resource-group $rgName
189```
190 
191### 3f. Get Deployment Package (if needed)
192 
193Ideally your project files are in source control and you can redeploy from there. If not:
194 
195#### Check WEBSITE_RUN_FROM_PACKAGE
196 
197```bash
198az functionapp config appsettings list --name $appName --resource-group $rgName \
199    --query "[?name=='WEBSITE_RUN_FROM_PACKAGE'].value" -o tsv
200```
201 
202If this returns a URL, download the package from that remote location.
203 
204#### Download from scm-releases blob container
205 
206Linux Consumption apps store deployment packages in the `scm-releases` blob container (in `squashfs` format).
207 
208```bash
209appName=<APP_NAME>
210rgName=<RESOURCE_GROUP>
211 
212echo "Getting the storage account connection string..."
213storageConnection=$(az functionapp config appsettings list --name $appName --resource-group $rgName \
214    --query "[?name=='AzureWebJobsStorage'].value" -o tsv)
215 
216echo "Getting the package name..."
217packageName=$(az storage blob list --connection-string $storageConnection --container-name scm-releases \
218    --query "[0].name" -o tsv)
219 
220echo "Downloading package: $packageName"
221az storage blob download --connection-string $storageConnection --container-name scm-releases \
222    --name $packageName --file $packageName
223```
224 
225> 💡 If your storage account is restricted to managed identity access only, you may need to grant your Azure account the `Storage Blob Data Reader` role.
226 
227---
228 
229## Step 4: Create the Flex Consumption App
230 
231```bash
232# Automated migration — creates new app and migrates most configurations
233az functionapp flex-migration start \
234    --source-name <SOURCE_APP_NAME> \
235    --source-resource-group <SOURCE_RESOURCE_GROUP> \
236    --name <NEW_APP_NAME> \
237    --resource-group <RESOURCE_GROUP>
238```
239 
240**Optional flags**:
241- `--storage-account <ACCOUNT>` — use a different storage account
242- `--maximum-instance-count <COUNT>` — set max scale-out instances
243- `--skip-access-restrictions` — skip migrating IP access restrictions
244- `--skip-cors` — skip migrating CORS settings
245- `--skip-hostnames` — skip migrating custom domains
246- `--skip-managed-identities` — skip migrating managed identity configurations
247- `--skip-storage-mount` — skip migrating storage mount configurations
248 
249The command automatically:
250- Assesses your source app for Flex Consumption compatibility
251- Creates a new function app in the Flex Consumption plan
252- Migrates app settings, identity assignments, storage mounts, CORS, custom domains, and access restrictions
253 
254### Verify Migration Results
255 
256```bash
257# Verify new app exists and is configured
258az functionapp show --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP> \
259    --query "{name:name, kind:kind, sku:properties.sku}" --output table
260 
261# Review migrated app settings
262az functionapp config appsettings list --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP> \
263    --output table
264 
265# Check managed identity
266az functionapp identity show --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP>
267 
268# Check custom domains
269az functionapp config hostname list --webapp-name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP> \
270    --output table
271```
272 
273### Configure Items Not Auto-Migrated
274 
275The `flex-migration start` command handles most settings, but these may need manual configuration:
276 
277#### Built-in Authentication
278 
279```bash
280# Recreate auth settings if your original app used Easy Auth
281az webapp auth update --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP> \
282    --enabled true --action <AUTH_ACTION>
283```
284 
285#### Scale and Concurrency (if custom values needed)
286 
287```bash
288# Set maximum scale-out (default: 100, range: 1-1000)
289az functionapp scale config set --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP> \
290    --maximum-instance-count <MAX_SCALE_SETTING>
291```
292 
293> ⚠️ Reducing below 40 for HTTP apps can cause frequent request failures.
294 
295---
296 
297## Step 5: Deploy Code
298 
299> ⚠️ **Code is NOT automatically migrated.** The new app is created with config only — you must deploy code separately.
300 
301### ask_user: Choose Deployment Method
302 
303Present these options to the user:
304 
305> Your new Flex Consumption app `<NEW_APP_NAME>` has been created and configured. Now we need to deploy your function code. How would you like to proceed?
306>
307> 1. **Update CI/CD pipeline** — I'll help you update your Azure Pipelines or GitHub Actions workflow to target the new app
308> 2. **Deploy from local project** — I'll run `func azure functionapp publish <NEW_APP_NAME>` from your project directory  
309> 3. **Deploy existing package** — I'll deploy the package we downloaded earlier from the original app
310 
311---
312 
313### Option A: Update CI/CD Pipeline (if user selects option 1)
314 
315Update your existing pipeline (Azure Pipelines or GitHub Actions) to target the new app name.
316 
317- [Build and deploy with Azure Pipelines](https://learn.microsoft.com/en-us/azure/azure-functions/functions-how-to-azure-devops)
318- [Build and deploy with GitHub Actions](https://learn.microsoft.com/en-us/azure/azure-functions/functions-how-to-github-actions)
319 
320### Option B: Deploy from Local Project (if user selects option 2)
321 
322```bash
323# From your project directory
324func azure functionapp publish <NEW_APP_NAME>
325```
326 
327### Option C: Deploy Existing Package (if user selects option 3)
328 
329```bash
330# Deploy the zip package downloaded in Step 3
331az functionapp deployment source config-zip --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP> \
332    --src <PACKAGE_PATH.zip>
333```
334 
335### After Successful Deployment
336 
337Inform the user:
338 
339> Code deployed! Next steps to consider:
340>
341> - The original app is still running — keep it as rollback for a few days
342> - Update any clients/pipelines to point to the new URL
343> - Enable HTTPS-only and managed identity on the new app for better security
344> - When confident, you can delete the original app
345 
346---
347 
348## Step 6: Post-Upgrade Validation
349 
350### Smoke Test (run this first)
351 
352```bash
353# Minimum viability check — confirm the app is reachable at all
354DEFAULT_HOST=$(az functionapp show --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP> \
355    --query "defaultHostName" -o tsv)
356 
357HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" "https://$DEFAULT_HOST")
358echo "App responded with HTTP $HTTP_STATUS"
359 
360# Expected: 2xx or 401/404 (means the host is up). 
361# If 503 or connection refused → the app failed to start. Check logs:
362#   az functionapp log tail --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP>
363```
364 
365### Verify Plan
366 
367```bash
368az functionapp show --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP> --query "serverFarmId"
369```
370 
371### Test HTTP Endpoints
372 
373```bash
374# Test an HTTP trigger function
375curl -s -o /dev/null -w "%{http_code}" "https://$DEFAULT_HOST/api/<FUNCTION_NAME>"
376```
377 
378### Performance Benchmarks (Application Insights KQL)
379 
380```kql
381requests
382| where timestamp > ago(1d)
383| summarize percentiles(duration, 50, 95, 99) by bin(timestamp, 1h)
384| render timechart
385```
386 
387### Check for Errors
388 
389```kql
390traces
391| where severityLevel == 3
392| where cloud_RoleName == "<NEW_APP_NAME>"
393| where timestamp > ago(1d)
394| project timestamp, message, operation_Name, customDimensions
395| order by timestamp desc
396```
397 
398---
399 
400## Step 7: Cleanup (Optional)
401 
402```bash
403# ⛔ REQUIRES ask_user confirmation before executing
404 
405# Delete the original function app
406az functionapp delete --name <ORIGINAL_APP_NAME> --resource-group <RESOURCE_GROUP>
407```
408 
409> 💡 No rush. The Consumption plan only charges for actual usage, so keeping the old app (with triggers disabled) costs very little. We recommend keeping it for a few days/weeks.
410 
411---
412 
413## Rollback
414 
415```bash
416# Restart the original app if it was stopped
417az functionapp start --name <ORIGINAL_APP_NAME> --resource-group <RESOURCE_GROUP>
418 
419# Optionally delete the new Flex Consumption app
420az functionapp delete --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP>
421```
422

Marketplace

Source from repo

Azure Upgrade

Assess and upgrade Azure workloads between plans, tiers, or SKUs with automated migration steps

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

156.9 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/services/functions/automation.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown422 linesFree

references/services/functions/automation.md

1# Automation: Consumption to Flex Consumption Upgrade
2 
3> These are the Azure CLI scripts to automate the upgrade from Linux Consumption plan to Flex Consumption plan.
4> All scripts use `bash` syntax compatible with Azure Cloud Shell. For PowerShell, adapt accordingly.
5>
6> **Source docs**: [Linux migration guide](https://learn.microsoft.com/en-us/azure/azure-functions/migration/migrate-plan-consumption-to-flex?pivots=platform-linux)
7 
8## Prerequisites
9 
10```bash
11# Ensure Azure CLI v2.77.0+
12az --version
13 
14# Install resource-graph extension
15az extension add --name resource-graph
16 
17# Login and set subscription
18az login
19az account set --subscription <SUBSCRIPTION_ID>
20```
21 
22---
23 
24## Step 1: Identify Candidate Apps
25 
26```bash
27# List all Linux Consumption apps with eligibility status
28az functionapp flex-migration list
29```
30 
31This returns two arrays:
32- `eligible_apps` — apps that can be migrated to Flex Consumption
33- `ineligible_apps` — apps with specific reasons why not
34 
35The output includes app name, resource group, location, and runtime stack for each app.
36 
37---
38 
39## Step 2: Assessment Checks
40 
41Set variables for your app:
42 
43```bash
44appName=<APP_NAME>
45rgName=<RESOURCE_GROUP>
46```
47 
48### 2a. Confirm Region Compatibility
49 
50```bash
51# List all regions where Flex Consumption is available
52az functionapp list-flexconsumption-locations --query "sort_by(@, &name)[].{Region:name}" -o table
53```
54 
55### 2b. Verify Language Stack Compatibility
56 
57Supported stacks: `dotnet-isolated`, `node`, `java`, `python`, `powershell`, `custom`.
58**Not supported**: `dotnet` (in-process) — must migrate to isolated first.
59 
60### 2c. Verify Stack Version Compatibility
61 
62```bash
63# Check supported versions for a specific runtime in a specific region
64az functionapp list-flexconsumption-runtimes --location <REGION> --runtime <LANGUAGE_STACK> \
65    --query '[].{version:version}' -o tsv
66```
67 
68Replace `<REGION>` with the app's region and `<LANGUAGE_STACK>` with one of: `dotnet-isolated`, `java`, `node`, `powershell`, `python`.
69 
70### 2d. Check Deployment Slots
71 
72```bash
73# List any deployment slots
74az functionapp deployment slot list --name $appName --resource-group $rgName --output table
75```
76 
77If this returns entries, the app has slots. Flex Consumption does NOT support slots — plan accordingly.
78 
79### 2e. Check TLS/SSL Certificates
80 
81```bash
82# List certificates available to the app
83az webapp config ssl list --resource-group $rgName
84```
85 
86If this returns output, the app likely uses certificates. Flex Consumption does NOT support certs yet.
87 
88### 2f. Check Blob Storage Triggers
89 
90```bash
91# Find blob triggers NOT using EventGrid source
92az functionapp function list --name $appName --resource-group $rgName \
93  --query "[?config.bindings[0].type=='blobTrigger' && config.bindings[0].source!='EventGrid'].{Function:name,TriggerType:config.bindings[0].type,Source:config.bindings[0].source}" \
94  --output table
95```
96 
97If this returns rows, convert those blob triggers from `LogsAndContainerScan` to `EventGrid` before upgrading.
98 
99---
100 
101## Step 3: Pre-Migration — Collect Settings
102 
103### 3a. Collect App Settings
104 
105```bash
106appName=<APP_NAME>
107rgName=<RESOURCE_GROUP>
108 
109# Get all app settings as JSON
110app_settings=$(az functionapp config appsettings list --name $appName --resource-group $rgName)
111echo "$app_settings"
112```
113 
114### 3b. Collect Application Configurations
115 
116```bash
117appName=<APP_NAME>
118rgName=<RESOURCE_GROUP>
119 
120echo "Getting commonly used site settings..."
121az functionapp config show --name $appName --resource-group $rgName \
122    --query "{http20Enabled:http20Enabled, httpsOnly:httpsOnly, minTlsVersion:minTlsVersion, \
123    minTlsCipherSuite:minTlsCipherSuite, clientCertEnabled:clientCertEnabled, \
124    clientCertMode:clientCertMode, clientCertExclusionPaths:clientCertExclusionPaths}"
125 
126echo "Checking for SCM basic publishing credentials policies..."
127az resource show --resource-group $rgName --name scm --namespace Microsoft.Web \
128    --resource-type basicPublishingCredentialsPolicies --parent sites/$appName --query properties
129 
130echo "Checking for the maximum scale-out limit configuration..."
131az functionapp config appsettings list --name $appName --resource-group $rgName \
132    --query "[?name=='WEBSITE_MAX_DYNAMIC_APPLICATION_SCALE_OUT'].value" -o tsv
133 
134echo "Checking for any file share mount configurations..."
135az webapp config storage-account list --name $appName --resource-group $rgName
136 
137echo "Checking for any custom domains..."
138az functionapp config hostname list --webapp-name $appName --resource-group $rgName \
139    --query "[?contains(name, 'azurewebsites.net')==\`false\`]" --output table
140 
141echo "Checking for any CORS settings..."
142az functionapp cors show --name $appName --resource-group $rgName
143```
144 
145### 3c. Identify Managed Identities and Role Assignments
146 
147```bash
148appName=<APP_NAME>
149rgName=<RESOURCE_GROUP>
150 
151echo "Checking for a system-assigned managed identity..."
152systemUserId=$(az functionapp identity show --name $appName --resource-group $rgName \
153    --query "principalId" -o tsv)
154 
155if [[ -n "$systemUserId" ]]; then
156    echo "System-assigned identity principal ID: $systemUserId"
157    echo "Checking for role assignments..."
158    az role assignment list --assignee $systemUserId --all
159else
160    echo "No system-assigned identity found."
161fi
162 
163echo "Checking for user-assigned managed identities..."
164userIdentities=$(az functionapp identity show --name $appName --resource-group $rgName \
165    --query 'userAssignedIdentities' -o json)
166 
167if [[ "$userIdentities" != "{}" && "$userIdentities" != "null" ]]; then
168    echo "$userIdentities" | jq -c 'to_entries[]' | while read -r identity; do
169        echo "User-assigned identity: $(echo "$identity" | jq -r '.key' | sed 's|.*/userAssignedIdentities/||')"
170        echo "Checking for role assignments..."
171        az role assignment list --assignee $(echo "$identity" | jq -r '.value.principalId') --all --output json
172        echo
173    done
174else
175    echo "No user-assigned identities found."
176fi
177```
178 
179### 3d. Check Built-in Authentication
180 
181```bash
182az webapp auth show --name $appName --resource-group $rgName
183```
184 
185### 3e. Review Inbound Access Restrictions
186 
187```bash
188az functionapp config access-restriction show --name $appName --resource-group $rgName
189```
190 
191### 3f. Get Deployment Package (if needed)
192 
193Ideally your project files are in source control and you can redeploy from there. If not:
194 
195#### Check WEBSITE_RUN_FROM_PACKAGE
196 
197```bash
198az functionapp config appsettings list --name $appName --resource-group $rgName \
199    --query "[?name=='WEBSITE_RUN_FROM_PACKAGE'].value" -o tsv
200```
201 
202If this returns a URL, download the package from that remote location.
203 
204#### Download from scm-releases blob container
205 
206Linux Consumption apps store deployment packages in the `scm-releases` blob container (in `squashfs` format).
207 
208```bash
209appName=<APP_NAME>
210rgName=<RESOURCE_GROUP>
211 
212echo "Getting the storage account connection string..."
213storageConnection=$(az functionapp config appsettings list --name $appName --resource-group $rgName \
214    --query "[?name=='AzureWebJobsStorage'].value" -o tsv)
215 
216echo "Getting the package name..."
217packageName=$(az storage blob list --connection-string $storageConnection --container-name scm-releases \
218    --query "[0].name" -o tsv)
219 
220echo "Downloading package: $packageName"
221az storage blob download --connection-string $storageConnection --container-name scm-releases \
222    --name $packageName --file $packageName
223```
224 
225> 💡 If your storage account is restricted to managed identity access only, you may need to grant your Azure account the `Storage Blob Data Reader` role.
226 
227---
228 
229## Step 4: Create the Flex Consumption App
230 
231```bash
232# Automated migration — creates new app and migrates most configurations
233az functionapp flex-migration start \
234    --source-name <SOURCE_APP_NAME> \
235    --source-resource-group <SOURCE_RESOURCE_GROUP> \
236    --name <NEW_APP_NAME> \
237    --resource-group <RESOURCE_GROUP>
238```
239 
240**Optional flags**:
241- `--storage-account <ACCOUNT>` — use a different storage account
242- `--maximum-instance-count <COUNT>` — set max scale-out instances
243- `--skip-access-restrictions` — skip migrating IP access restrictions
244- `--skip-cors` — skip migrating CORS settings
245- `--skip-hostnames` — skip migrating custom domains
246- `--skip-managed-identities` — skip migrating managed identity configurations
247- `--skip-storage-mount` — skip migrating storage mount configurations
248 
249The command automatically:
250- Assesses your source app for Flex Consumption compatibility
251- Creates a new function app in the Flex Consumption plan
252- Migrates app settings, identity assignments, storage mounts, CORS, custom domains, and access restrictions
253 
254### Verify Migration Results
255 
256```bash
257# Verify new app exists and is configured
258az functionapp show --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP> \
259    --query "{name:name, kind:kind, sku:properties.sku}" --output table
260 
261# Review migrated app settings
262az functionapp config appsettings list --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP> \
263    --output table
264 
265# Check managed identity
266az functionapp identity show --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP>
267 
268# Check custom domains
269az functionapp config hostname list --webapp-name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP> \
270    --output table
271```
272 
273### Configure Items Not Auto-Migrated
274 
275The `flex-migration start` command handles most settings, but these may need manual configuration:
276 
277#### Built-in Authentication
278 
279```bash
280# Recreate auth settings if your original app used Easy Auth
281az webapp auth update --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP> \
282    --enabled true --action <AUTH_ACTION>
283```
284 
285#### Scale and Concurrency (if custom values needed)
286 
287```bash
288# Set maximum scale-out (default: 100, range: 1-1000)
289az functionapp scale config set --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP> \
290    --maximum-instance-count <MAX_SCALE_SETTING>
291```
292 
293> ⚠️ Reducing below 40 for HTTP apps can cause frequent request failures.
294 
295---
296 
297## Step 5: Deploy Code
298 
299> ⚠️ **Code is NOT automatically migrated.** The new app is created with config only — you must deploy code separately.
300 
301### ask_user: Choose Deployment Method
302 
303Present these options to the user:
304 
305> Your new Flex Consumption app `<NEW_APP_NAME>` has been created and configured. Now we need to deploy your function code. How would you like to proceed?
306>
307> 1. **Update CI/CD pipeline** — I'll help you update your Azure Pipelines or GitHub Actions workflow to target the new app
308> 2. **Deploy from local project** — I'll run `func azure functionapp publish <NEW_APP_NAME>` from your project directory  
309> 3. **Deploy existing package** — I'll deploy the package we downloaded earlier from the original app
310 
311---
312 
313### Option A: Update CI/CD Pipeline (if user selects option 1)
314 
315Update your existing pipeline (Azure Pipelines or GitHub Actions) to target the new app name.
316 
317- [Build and deploy with Azure Pipelines](https://learn.microsoft.com/en-us/azure/azure-functions/functions-how-to-azure-devops)
318- [Build and deploy with GitHub Actions](https://learn.microsoft.com/en-us/azure/azure-functions/functions-how-to-github-actions)
319 
320### Option B: Deploy from Local Project (if user selects option 2)
321 
322```bash
323# From your project directory
324func azure functionapp publish <NEW_APP_NAME>
325```
326 
327### Option C: Deploy Existing Package (if user selects option 3)
328 
329```bash
330# Deploy the zip package downloaded in Step 3
331az functionapp deployment source config-zip --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP> \
332    --src <PACKAGE_PATH.zip>
333```
334 
335### After Successful Deployment
336 
337Inform the user:
338 
339> Code deployed! Next steps to consider:
340>
341> - The original app is still running — keep it as rollback for a few days
342> - Update any clients/pipelines to point to the new URL
343> - Enable HTTPS-only and managed identity on the new app for better security
344> - When confident, you can delete the original app
345 
346---
347 
348## Step 6: Post-Upgrade Validation
349 
350### Smoke Test (run this first)
351 
352```bash
353# Minimum viability check — confirm the app is reachable at all
354DEFAULT_HOST=$(az functionapp show --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP> \
355    --query "defaultHostName" -o tsv)
356 
357HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" "https://$DEFAULT_HOST")
358echo "App responded with HTTP $HTTP_STATUS"
359 
360# Expected: 2xx or 401/404 (means the host is up). 
361# If 503 or connection refused → the app failed to start. Check logs:
362#   az functionapp log tail --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP>
363```
364 
365### Verify Plan
366 
367```bash
368az functionapp show --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP> --query "serverFarmId"
369```
370 
371### Test HTTP Endpoints
372 
373```bash
374# Test an HTTP trigger function
375curl -s -o /dev/null -w "%{http_code}" "https://$DEFAULT_HOST/api/<FUNCTION_NAME>"
376```
377 
378### Performance Benchmarks (Application Insights KQL)
379 
380```kql
381requests
382| where timestamp > ago(1d)
383| summarize percentiles(duration, 50, 95, 99) by bin(timestamp, 1h)
384| render timechart
385```
386 
387### Check for Errors
388 
389```kql
390traces
391| where severityLevel == 3
392| where cloud_RoleName == "<NEW_APP_NAME>"
393| where timestamp > ago(1d)
394| project timestamp, message, operation_Name, customDimensions
395| order by timestamp desc
396```
397 
398---
399 
400## Step 7: Cleanup (Optional)
401 
402```bash
403# ⛔ REQUIRES ask_user confirmation before executing
404 
405# Delete the original function app
406az functionapp delete --name <ORIGINAL_APP_NAME> --resource-group <RESOURCE_GROUP>
407```
408 
409> 💡 No rush. The Consumption plan only charges for actual usage, so keeping the old app (with triggers disabled) costs very little. We recommend keeping it for a few days/weeks.
410 
411---
412 
413## Rollback
414 
415```bash
416# Restart the original app if it was stopped
417az functionapp start --name <ORIGINAL_APP_NAME> --resource-group <RESOURCE_GROUP>
418 
419# Optionally delete the new Flex Consumption app
420az functionapp delete --name <NEW_APP_NAME> --resource-group <RESOURCE_GROUP>
421```
422

Azure Upgrade

references/services/functions/automation.md

Preparing the source view

Azure Upgrade

references/services/functions/automation.md