"Error occurred when attempting to purge previous diagnostic event versions" on v4.839.500, v4.639.500 and v4.1039.500

[oscarhermoso]

Investigative information

• Timestamp: 2025-05-29T00:19:50.2163438Z
• Function App version: v4.839.500, v4.639.500 and v4.1039.500
• Function App name: Please email me at oscar.hermosoclarke (at) rac.com.au if this is imporant to the investigation
• Function name(s) (as appropriate): Not relevant
• Invocation ID: Seemingly not part of a function app invocation. Request ID is 1e2f7931-e002-0044-3f2f-d00e1d000000. If you need more information, please email me at oscar.hermosoclarke at rac.com.au
• Region: Australia South East

Repro steps

• Affecting various Linux function apps.
  • Have noticed affecting P2mv3, and I2V2 ASPs.
  • Our function apps authenticate to storage accounts with Entra auth, using User Managed Identity.
• No intentional changes, but I believe the runtime version of these function apps may have updated yesterday?
• Only affecting apps in Australia South East, our function apps deployed to Australia East are unaffected

Expected behaviour

No errors in logs.

Actual behavior

Azure Monitor is raising alerts & calling on-call staff due to new and unexpected errors in logs.

Key	Value
Message	Error occurred when attempting to purge previous diagnostic event versions.
timestamp [UTC]	2025-05-29T00:19:50.2197757Z
problemId	Azure.RequestFailedException at Azure.Data.Tables.TableRestClient+<QueryEntitiesAsync>d__23.MoveNext
type	Azure.RequestFailedException
assembly	Azure.Data.Tables, Version=12.8.3.0, Culture=neutral, PublicKeyToken=92742159e12e44c8
method	Azure.Data.Tables.TableRestClient+<QueryEntitiesAsync>d__23.MoveNext
outerType	Azure.RequestFailedException
outerMessage	This request is not authorized to perform this operation using this permission. RequestId: 1e2f7931-e002-0044-3f2f-d00e1d000000 Time: 2025-05-29T00:19:50.2163438Z Status: 403 (Forbidden) ErrorCode: AuthorizationPermissionMismatch
Content	{"odata.error":{"code":"AuthorizationPermissionMismatch","message":{"lang":"en-US","value":"This request is not authorized to perform this operation using this permission.\nRequestId:1e2f7931-e002-0044-3f2f-d00e1d000000\nTime:2025-05-29T00:19:50.2163438Z"}}}
Headers	Cache-Control: no-cache Transfer-Encoding: chunked Server: Windows-Azure-Table/1.0 Microsoft-HTTPAPI/2.0 x-ms-request-id: 1e2f7931-e002-0044-3f2f-d00e1d000000 x-ms-client-request-id: 48346492-1ba6-4335-b40b-9b5c3e87f8d2 x-ms-version: REDACTED X-Content-Type-Options: REDACTED Date: Thu, 29 May 2025 00:19:50 GMT Content-Type: application/json;odata=minimalmetadata;streaming=true;charset=utf-8
outerAssembly	Azure.Data.Tables, Version=12.8.3.0, Culture=neutral, PublicKeyToken=92742159e12e44c8
outerMethod	Azure.Data.Tables.TableRestClient+<QueryEntitiesAsync>d__23.MoveNext
severityLevel	3

Known workarounds

Redeploy our Azure Monitor alerts with new KQL to ignore this error?

Related information

Provide any related information

• Possibly related to this commit: 32c0e71

[oscarhermoso]

Seems we have silenced errors by adding Storage Table Data Contributor to our User Assigned Identity.

Would be nice if the Storage Table Data Contributor role assignment was mentioned hereand in other places in the docs.

[cjaliaga]

Thanks for the report @oscarhermoso . The PR you mentioned (#10996) disables the service when it's not able to connect to the storage account. However, there's one case that's not covered by that PR and the service is not disabled, when the identity has the following permissions:

• Microsoft.Storage/storageAccounts/tableServices/tables/delete
• Microsoft.Storage/storageAccounts/tableServices/tables/write
• Microsoft.Storage/storageAccounts/tableServices/tables/read

but does not include:

• Microsoft.Storage/storageAccounts/tableServices/tables/entities/read
• Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete

This follow-up PR (#11100) includes these changes and also fixes what's explained here #11098