While authorization keys make it easy to work with Azure Functions, they are not recommended as the way to secure an Azure Function in production.
There are three recommended ways to secure an Azure Function in production:
- Turn on App Service Authentication/Authorization.
- Use Azure API Management (APIM) to authenticate requests.
- Deploy your function app to an Azure App Service Environment (ASE).
In this article we will look at how to secure an Azure Function by turning on App Service Authentication/Authorization.
Let’s first create an Azure Function.
Navigate to the Azure Portal and click Create a resource.
In the Search Box type Function, select Function App, then click Create.
You will need to provide an App name, Resource Group and Storage account, then click Create.
Navigate to the newly created function app, click Functions and click the “+” icon to add a new function.
Select In-portal and click Continue.
Select Webhook + API and click Create, just leave the name as HttpTrigger1.
Set the authLevel to anonymous and click Save.
Navigate back to the Azure Function App and click on the HttpTrigger1 function and then click Get function URL to get the URL to test your function app.
Open up Postman and create a GET request pointing to the function URL; be sure to include a value for the
For our example, I used
Execute the GET and you should receive a 200 status code and the message “Hello, Malcolm Reynolds.”
Now let’s secure your Azure Function App with Azure Active Directory.
Navigate back to the Azure Function App and click on Platform Features, and then click on Authentication/Authorization.
Switch on App Service Authentication.
Set Action to take when request is not authenticated to Log in with Azure Active Directory.
Click Azure Active Directory in the list of Authentication Providers.
In the next blade displayed, click Express.
Select Create New AD App (it should already be selected by default).
I would recommend that the App Name be the same as the Azure Function App name, as it makes the two easier to manage together.
Try calling the function endpoint again; you should now receive a 401 status code.
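The 401 is returned by App Service Authentication before the request ever reaches the function, which is why the authLevel can stay anonymous: the function key is no longer the security boundary. Once a caller has signed in, App Service Authentication forwards the authenticated identity to the function in the X-MS-CLIENT-PRINCIPAL header (a base64-encoded JSON document of claims). The following added example, which is not code from the original article, is a hypothetical plain-Python port of the HttpTrigger1 greeting logic that decodes that header, greets the caller, and fails closed with its own 401 if no principal is present (for instance if App Service Authentication were ever switched off by mistake). The sample header values and the placeholder audience id are constructed for offline testing, not taken from the page.

```python
import base64
import json

# Header App Service Authentication adds to requests it has already authenticated.
PRINCIPAL_HEADER = "x-ms-client-principal"


def parse_client_principal(headers):
    """Decode the base64 JSON principal injected by App Service Authentication.

    Returns None when the header is absent, i.e. the request was not
    authenticated by the platform.
    """
    normalized = {k.lower(): v for k, v in headers.items()}
    raw = normalized.get(PRINCIPAL_HEADER)
    if not raw:
        return None
    payload = json.loads(base64.b64decode(raw).decode("utf-8"))
    # Claims arrive as a list of {"typ": ..., "val": ...}; flatten to a dict.
    claims = {c["typ"]: c["val"] for c in payload.get("claims", [])}
    return {
        "auth_type": payload.get("auth_typ"),        # e.g. "aad"
        "name": claims.get(payload.get("name_typ")),  # claim type holding the user name
        "claims": claims,
    }


def http_trigger(headers, query):
    """Hypothetical port of the HttpTrigger1 greeting; returns (status, body).

    The function key is not the boundary here, so instead of relying on
    authLevel the function refuses any request with no platform principal.
    """
    principal = parse_client_principal(headers)
    if principal is None:
        return 401, "Unauthorized: no authenticated principal"
    # Prefer the name query parameter used in the article; fall back to the
    # signed-in user's name claim.
    name = query.get("name") or principal["name"] or "anonymous caller"
    return 200, f"Hello, {name}."


def make_principal_header(name, auth_type="aad"):
    """Build a constructed X-MS-CLIENT-PRINCIPAL value for offline testing."""
    name_claim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    payload = {
        "auth_typ": auth_type,
        "name_typ": name_claim,
        "role_typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
        "claims": [
            {"typ": name_claim, "val": name},
            # Placeholder audience; a real value is the AD app's id.
            {"typ": "aud", "val": "00000000-0000-0000-0000-000000000000"},
        ],
    }
    return base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Constructed requests: one with no principal (what the platform would have
    # rejected), one carrying the principal set after an Azure AD sign-in.
    print(http_trigger({}, {"name": "Malcolm Reynolds"}))
    authed = {"X-MS-CLIENT-PRINCIPAL": make_principal_header("mal@example.com")}
    print(http_trigger(authed, {"name": "Malcolm Reynolds"}))
    print(http_trigger(authed, {}))
```

Reading the principal inside the function is what lets you go beyond "is the caller signed in" to per-user logic or logging, and the fail-closed check costs nothing while protecting against the platform setting being toggled off later.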
Open up your favorite browser and paste in the URL we have been using in Postman.
You should now be prompted to provide Login and Password credentials.
Upon successful authentication, you should see “Hello, Malcolm Reynolds.” displayed in your browser.
You have successfully secured your Azure Function App with Azure Active Directory!