Azure function accessing service bus with MSI

What am I missing or what am I doing wrong?

You may be mixing up MSI and Shared Access Policy. They use different providers to access Azure Service Bus. You can use either just the connection string or just MSI to authenticate.

When you use Managed Service Identity (MSI) to authenticate, you need to create a token provider for the managed service identity with the following code:

TokenProvider.CreateManagedServiceIdentityTokenProvider(ServiceAudience.ServiceBusAudience).

This TokenProvider's implementation uses the AzureServiceTokenProvider found in the Microsoft.Azure.Services.AppAuthentication library. AzureServiceTokenProvider will follow a set number of different methods, depending on the environment, to get an access token. Then initialize the client to operate on the Service Bus. For more details, you can refer to this article.

When you use the Service Bus connection string for access, it uses the Shared Access Token (SAS) token provider, so you can operate directly.


Agreed that from an Azure Function we cannot access a resource like ASB directly. However, one still does not need to put the password, in this case "SharedAccessKeyName", in the connection string directly. Azure Functions can work with Azure Key Vault. Thus one can store the connection string with sensitive information as a secret in the Key Vault, then grant the system-assigned identity of the Azure Function access to the Key Vault, and then specify the value for the setting in the portal as @Microsoft.KeyVault(SecretUri={theSecretUri}). Details on how to achieve the above are given in the following blog: https://medium.com/statuscode/getting-key-vault-secrets-in-azure-functions-37620fd20a0b

This will still avoid specifying the connection string directly in Azure Functions and provides a single point of access via the vault that can be disabled in case of a security breach.
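
The two approaches from the answers above, side by side, as an added example that is not part of either original answer: the MSI token provider (no key in configuration) and the SAS connection string read from an app setting that can be a Key Vault reference. It assumes a version of the WindowsAzure.ServiceBus package that includes the managed identity token provider; the app setting names and the class name are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.ServiceBus;
using Microsoft.ServiceBus.Messaging;

public static class ServiceBusAuthExample
{
    // Hypothetical app setting names, chosen for this example.
    private const string NamespaceSetting = "ServiceBusNamespace";
    private const string ConnectionSetting = "ServiceBusConnection";

    private static string RequireSetting(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"Missing app setting '{name}'.");

    // Option 1: managed identity. Only the namespace name is configured;
    // no SharedAccessKey exists in settings or code. The function's identity
    // must be granted access to the Service Bus namespace.
    public static QueueClient CreateWithManagedIdentity(string queueName)
    {
        var settings = new MessagingFactorySettings
        {
            TokenProvider = TokenProvider.CreateManagedServiceIdentityTokenProvider(
                ServiceAudience.ServiceBusAudience),
            TransportType = TransportType.Amqp
        };
        string address = $"sb://{RequireSetting(NamespaceSetting)}.servicebus.windows.net/";
        MessagingFactory factory = MessagingFactory.Create(address, settings);
        return factory.CreateQueueClient(queueName);
    }

    // Option 2: SAS connection string. The app setting can be defined as
    // @Microsoft.KeyVault(SecretUri=...), so the key lives only in Key Vault
    // and the platform hands the resolved value to the function.
    public static QueueClient CreateWithConnectionString(string queueName)
    {
        return QueueClient.CreateFromConnectionString(
            RequireSetting(ConnectionSetting), queueName);
    }

    // Sending is identical for both options; only the credential source differs.
    public static Task SendAsync(QueueClient client, string body) =>
        client.SendAsync(new BrokeredMessage(body));
}
```

Use one option or the other for a given client, not both: a client built from the connection string authenticates with the SAS key and never consults the managed identity.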