This chapter covers the security of Azure Functions, a key compute service in Azure. You will learn how to secure function apps at every layer: authentication, authorization, network isolation, secret management, and monitoring. For the AZ-500 exam, questions on Azure Functions security appear in about 5-8% of the Compute Security domain (Objective 2.1). You must know the specific mechanisms such as EasyAuth, Managed Identities, Key Vault references, and network restrictions. This chapter provides the depth needed to confidently answer scenario-based questions.
Jump to a section
Imagine a corporate mailroom that handles incoming and outgoing packages for a large company. The mailroom has a single loading dock (the Function App endpoint) where all packages arrive. Every package must first pass through a security checkpoint (Authentication/Authorization) that checks the sender's ID and verifies they are allowed to send packages. Only packages with valid badges (tokens or keys) are allowed inside. Once inside, a sorting clerk (the function runtime) reads the label (HTTP trigger or binding) and routes the package to the correct department (function code). The mailroom has a list of approved senders (Azure AD or EasyAuth) and a list of blocked addresses (IP restrictions). Some packages contain sensitive materials that must be encrypted; the mailroom has a special machine (Key Vault integration) that decrypts them using keys stored in a secure vault. The mailroom also logs every package that arrives, including who sent it, when it arrived, and what was done with it (Application Insights and diagnostic logs). If a package is suspicious, the mailroom can reject it before it ever reaches a department (defense in depth). This mirrors how Azure Functions security works: authentication gates at the platform level, authorization checks within the code, network restrictions, managed identities for accessing secrets, and logging for auditing.
What is Azure Functions Security?
Azure Functions is a serverless compute service that runs code in response to events. Because functions are stateless and can be triggered by HTTP requests, timers, queues, or other Azure services, securing them requires a multi-layered approach. The AZ-500 exam focuses on the following security controls:
Authentication and Authorization (EasyAuth, Azure AD, function-level keys)
Network Security (access restrictions, VNet integration, private endpoints)
Secret Management (Key Vault references, Managed Identities)
Data Protection (encryption at rest and in transit)
Monitoring and Auditing (Application Insights, diagnostic logs)
Authentication and Authorization
Azure Functions supports several authentication mechanisms. The most important for the exam are:
1. Function-Level Keys: By default, HTTP-triggered functions require a function key, host key, or master key. These keys are stored in the function app's settings and can be managed via the portal or CLI. The master key ("_master") grants full access to all functions and should be protected like a root password. The exam tests that you know the key hierarchy: master key > host keys > function keys. Keys can be regenerated, and you can disable anonymous access.
2. EasyAuth (App Service Authentication): This is a built-in authentication layer that runs before the function code. It supports Azure AD, Microsoft Account, Facebook, Google, Twitter, and Apple. For enterprise scenarios, Azure AD is most common. EasyAuth can be configured to require authentication for all requests, and it automatically populates HTTP headers with claims (e.g., X-MS-CLIENT-PRINCIPAL). The exam tests that you know EasyAuth is a reverse-proxy authentication module that runs at the App Service platform level, not within the function code.
3. Azure AD Authentication: You can configure the function app to require Azure AD tokens. This is done via the "Authentication" blade in the portal. You specify the Azure AD app registration, and the function app validates tokens. The exam may ask about token validation: the function app uses the OpenID Connect discovery URL to validate the token's issuer, audience, and signature. You can also configure token exchange (e.g., for on-behalf-of flow).
4. Authorization in Code: Even with authentication, you need authorization logic within the function. The exam expects you to know how to check claims from the authenticated user (e.g., roles) using the ClaimsPrincipal object in .NET or the req.headers in other languages. A common pattern is to use [FunctionName("MyFunc")] with [Authorize] attribute or manual checks.
Network Security
Azure Functions can be network-isolated to prevent public internet access. The exam covers:
1. Access Restrictions (IP Whitelisting): You can restrict inbound traffic to a function app by specifying allowed IP addresses or virtual network (VNet) source IPs. This is configured in the "Networking" blade under "Access Restrictions". You can create rules with priority (lower number = higher priority) to allow or deny traffic. The default is to allow all. The exam tests that you can configure this to allow only specific IP ranges (e.g., your corporate VPN) and deny all others.
2. VNet Integration: For outbound traffic, you can integrate the function app with a VNet using VNet Integration (for regional VNet) or a gateway-required VNet (for classic). This allows the function to access resources in the VNet (e.g., databases) without going over the public internet. Inbound traffic can be restricted using Service Endpoints or Private Endpoints. The exam focuses on Private Endpoints: they place the function app on a private IP in your VNet, accessible only from within that VNet or peered networks. You must know that Private Endpoints require a Premium plan (Elastic Premium or Dedicated).
3. Service Endpoints: For PaaS services like Azure SQL, Service Endpoints allow the function app to connect securely. However, for inbound traffic to the function app, Service Endpoints are not supported; you need Private Endpoints.
Secret Management
Functions often need secrets like connection strings, API keys, or certificates. The exam tests:
1. Key Vault References: Instead of storing secrets in app settings, you can reference them from Azure Key Vault. The syntax is @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/). The function app must have a Managed Identity assigned and granted GET permission on the secret. The exam tests that you know the format and that Managed Identity is required.
2. Managed Identities: System-assigned or user-assigned managed identities allow the function app to authenticate to Azure resources without storing credentials. For example, you can use a managed identity to access Key Vault, Azure SQL, or Storage. The exam expects you to know the difference: system-assigned is tied to the function app and deleted when the app is deleted; user-assigned is a separate resource that can be shared. You must know how to grant permissions (e.g., using Azure RBAC) and how to use the identity in code (e.g., DefaultAzureCredential).
3. Application Settings Encryption: All app settings are encrypted at rest by default using Azure's platform-managed keys. You can also use customer-managed keys (CMK) for additional control. The exam may test that CMK is supported for Functions on Dedicated plans but not on Consumption (though this is changing; check current docs).
Data Protection
Functions automatically encrypt data at rest (e.g., code, configuration) and in transit (TLS 1.2 by default). You can enforce HTTPS only and set the minimum TLS version. The exam tests that you can require TLS 1.2 or higher and that HTTP traffic can be redirected to HTTPS.
Monitoring and Auditing
Security monitoring is crucial. The exam covers:
1. Application Insights: You can enable Application Insights to monitor function executions, failures, and performance. Security events like authentication failures are logged. You can set alerts on failed requests.
2. Diagnostic Logs: The function app can stream logs to Log Analytics, Storage, or Event Hubs. You can audit who accessed the function and when. The exam may ask about enabling diagnostic settings for the Function App resource.
3. Azure Policy: You can enforce security policies on function apps, such as requiring HTTPS, disabling FTP, or enforcing minimum TLS version. The exam tests that you can create custom policies or use built-in ones.
Default Values and Timers
Function Key Expiration: Keys do not expire by default, but you can set expiration dates programmatically.
Token Lifetime: For EasyAuth, the default token lifetime is 8 hours for Azure AD tokens. You can customize this in the app registration.
IP Restriction Evaluation: Rules are evaluated in priority order. If no rule matches, the default is to allow. You must add a deny-all rule at lowest priority to block everything else.
Private Endpoint: Requires Premium plan. The private endpoint creates a NIC in your VNet. DNS resolution is handled by Azure Private DNS zones.
Interaction with Related Technologies
Azure AD B2C: Functions can be secured with Azure AD B2C for consumer-facing apps.
API Management: Functions are often exposed via Azure API Management, which adds another layer of security (subscriptions, OAuth, rate limiting).
Azure Front Door: Can be used for WAF and DDoS protection in front of functions.
Configuration and Verification Commands
Azure CLI examples:
# List function keys
az functionapp keys list --name MyFunctionApp --resource-group MyRG
# Add IP restriction
az functionapp config access-restriction add --name MyFunctionApp --resource-group MyRG --rule-name AllowCorporate --action Allow --ip-address 203.0.113.0/24 --priority 100
# Enable Managed Identity
az functionapp identity assign --name MyFunctionApp --resource-group MyRG
# Add Key Vault reference to app setting
az functionapp config appsettings set --name MyFunctionApp --resource-group MyRG --settings "MySecret=@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)"
# Enforce HTTPS only
az functionapp update --name MyFunctionApp --resource-group MyRG --set httpsOnly=truePowerShell example:
Set-AzWebApp -Name MyFunctionApp -ResourceGroupName MyRG -HttpsOnly $trueVerification:
Check authentication logs in Application Insights.
Test IP restrictions by attempting to access the function from a blocked IP.
Verify Key Vault access by checking the function logs for secret retrieval.
Exam-Specific Details
Function Authorization Level: The enum values are Anonymous, Function, Admin, System. Admin requires the master key. System is used for system triggers (e.g., Blob, Queue) and is not user-configurable.
Managed Identity Types: System-assigned (1 per resource) vs User-assigned (can be assigned to multiple resources).
Private Endpoint vs Service Endpoint: Private Endpoint is for inbound traffic to the function; Service Endpoint is for outbound traffic from the function to other Azure services.
EasyAuth Token Store: EasyAuth can store tokens in a cookie or a header. The exam may ask about token refresh.
CORS: Cross-Origin Resource Sharing can be configured but is not a security mechanism; it only controls browser-based access.
Step-by-Step: Securing an HTTP-Triggered Function
Create Function App with Authentication: Use the portal to create a function app with Azure AD authentication enabled. Select the Express option to create a new Azure AD app registration.
Restrict Access by IP: Add an IP restriction rule to allow only your corporate IP range and a deny-all rule.
Assign Managed Identity: Enable system-assigned managed identity and grant it access to Key Vault.
Store Secrets in Key Vault: Move any connection strings to Key Vault and reference them in app settings.
Enforce HTTPS and TLS 1.2: Set the minimum TLS version to 1.2 and enable HTTPS only.
Enable Diagnostic Logs: Stream logs to Log Analytics for auditing.
Test Authentication: Use a tool like Postman to call the function without a token (should get 401) and with a valid token (should succeed).
Monitor with Alerts: Set up alerts in Application Insights for failed requests.
Create Function App with AAD Auth
In the Azure portal, create a new Function App. Under the 'Authentication' tab, select 'Add identity provider' and choose 'Microsoft'. You can use the Express option to automatically create a new Azure AD app registration. This configures EasyAuth to validate tokens from Azure AD. The function app will reject any request without a valid token. Under the hood, the App Service platform intercepts the request, validates the JWT token against the Azure AD tenant, and populates the X-MS-CLIENT-PRINCIPAL header with claims. The function code can then read this header to get user information.
Restrict Inbound Traffic with IP Rules
Navigate to 'Networking' > 'Access Restrictions'. Add a rule with priority 100 to allow your corporate IP range (e.g., 203.0.113.0/24). Add another rule with priority 200 to deny all traffic (0.0.0.0/0). Rules are evaluated in order of priority; lower numbers are evaluated first. The deny-all rule ensures that only traffic from the allowed IP range is accepted. This is a network-layer control that blocks requests before they reach the function runtime, reducing the attack surface. Note that if you have Azure AD authentication enabled, the IP restriction is evaluated first; a blocked IP will not even see the authentication prompt.
Assign Managed Identity and Key Vault Access
Under 'Identity', set 'System assigned' to 'On'. This creates a service principal for the function app in Azure AD. Then, in your Key Vault, go to 'Access policies' and add a new policy. Select 'Get' and 'List' permissions for secrets. For the principal, search for the function app name. This allows the function app to retrieve secrets using its managed identity. The identity is automatically rotated and managed by Azure. In code, you can use DefaultAzureCredential to authenticate to Key Vault without any connection strings.
Configure Key Vault References in App Settings
In the function app's 'Configuration' blade, edit the app settings that contain secrets. Replace the value with a Key Vault reference in the format: @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/). The function app will resolve this reference at runtime by calling Key Vault using its managed identity. If the identity does not have proper permissions, the function will fail to start. This approach avoids storing secrets in plaintext in the configuration.
Enforce HTTPS and Minimum TLS Version
In the function app's 'TLS/SSL settings', set 'HTTPS Only' to 'On'. This redirects any HTTP request to HTTPS. Also set 'Minimum TLS Version' to '1.2'. This ensures that only clients supporting TLS 1.2 or higher can connect. Older versions like TLS 1.0 and 1.1 have known vulnerabilities. These settings can also be enforced via Azure Policy. Note that if you have a custom domain, you need to upload a TLS/SSL certificate; otherwise, Azure uses a wildcard certificate for the azurewebsites.net domain.
Enable Diagnostic Logs and Monitoring
Under 'Monitoring' > 'Diagnostic settings', add a diagnostic setting to stream logs to a Log Analytics workspace. Select the categories 'FunctionAppLogs' and 'AllMetrics'. This captures authentication failures, function execution details, and performance metrics. You can then query logs using KQL to audit access. For example, you can search for failed authentication attempts or unauthorized access. Additionally, enable Application Insights to get detailed telemetry on function executions, including exceptions and dependencies.
Test the Secured Function Endpoint
Use a tool like Postman or curl to test the function. First, try to access the function URL without any authentication header. You should receive a 401 Unauthorized response. Then, obtain a valid Azure AD token using the OAuth 2.0 client credentials flow (for service-to-service) or authorization code flow (for user). Include the token in the Authorization header as 'Bearer <token>'. The function should return the expected response. Also test from an IP outside the allowed range to confirm that a 403 Forbidden is returned before authentication is attempted.
Set Up Alerts for Security Events
In Application Insights, create an alert rule for 'Failed requests' when the count exceeds a threshold (e.g., 10 in 5 minutes). This can indicate a brute-force attack. Also, create a log alert in Log Analytics for queries like 'AppServiceHTTPLogs | where ScStatus == 401 or ScStatus == 403'. When triggered, the alert can send an email or trigger a runbook to block the offending IP. This proactive monitoring helps detect and respond to security incidents quickly.
Enterprise Scenario 1: Internal API for Financial Data
A large bank uses Azure Functions to expose an internal API that retrieves customer account balances. The function is triggered via HTTP and must only be accessible from the bank's internal network and from authorized applications. The security team configures IP restrictions to allow only the bank's VPN IP range (10.0.0.0/8) and a specific Azure VNet where the frontend app resides. They enable Azure AD authentication so that only service principals with the 'Reader' role on the function app can call it. The function uses a managed identity to connect to Azure SQL Database, which is also firewalled to allow only the function's outbound IP. All secrets (like the SQL connection string) are stored in Key Vault with managed identity access. The function app is on a Premium plan to support VNet integration and private endpoints. In production, they handle about 1 million requests per day with p99 latency under 200ms. A common misconfiguration is forgetting to add the deny-all IP rule, leaving the function exposed to the internet. Another issue is not rotating the master key, which could allow unauthorized access if leaked. The team uses Azure Policy to enforce HTTPS only and minimum TLS version across all function apps.
Enterprise Scenario 2: Serverless ETL Pipeline
A media company uses Azure Functions to process video uploads. The function is triggered by a Blob Storage event (new blob) and then processes the video using Azure Media Services. Security here focuses on the trigger: the function must only be invoked by the storage account, not by external callers. They set the authorization level to 'System' (which requires a specific system key) and configure the storage account to use a managed identity to authenticate to the function. They also enable network restrictions so that only the storage account's service endpoint can reach the function. The function accesses Key Vault for API keys to third-party services. The team uses Application Insights to monitor for failed executions, which could indicate a security issue. A common mistake is leaving the function with 'Anonymous' authorization level, allowing anyone with the URL to trigger it, potentially causing unexpected costs or data leaks.
Enterprise Scenario 3: Multi-Tenant SaaS Application
A SaaS provider uses Azure Functions as the backend for a multi-tenant application. Each tenant has its own function app instance. Security is critical: tenants must not access each other's data. They use Azure AD B2C for tenant-specific authentication, with each tenant having a separate user pool. The function app validates the token's 'tid' (tenant ID) claim and uses it to filter data. They also implement IP restrictions per tenant if needed. Managed identities are used to access tenant-specific storage accounts. The challenge is scaling: with hundreds of tenants, managing individual function apps becomes complex. They use Azure API Management as a front door to handle tenant routing and rate limiting. A common failure is misconfigured CORS, which can block legitimate browser requests but is often mistaken for a security issue. The exam tests understanding that CORS is not a security mechanism but a browser policy.
What AZ-500 Tests on Azure Functions Security (Objective 2.1)
The AZ-500 exam focuses on your ability to configure and manage security controls for Azure Functions. Specific sub-objectives include:
2.1.1 Configure authentication for Azure Functions: You must know how to enable Azure AD authentication, configure EasyAuth, and manage function keys. The exam expects you to understand the difference between function-level keys and Azure AD tokens.
2.1.2 Configure network security for Azure Functions: You must know IP restrictions, VNet integration, and private endpoints. The exam tests when to use each and the plan requirements (e.g., Premium for private endpoints).
2.1.3 Manage secrets for Azure Functions: You must know Key Vault references and managed identities. The exam tests the syntax and the need for managed identity.
2.1.4 Monitor and audit Azure Functions: You must know how to enable diagnostic logs and Application Insights.
Common Wrong Answers and Why Candidates Choose Them
Wrong: 'Use Service Endpoints to restrict inbound traffic to the function app.' Many candidates confuse Service Endpoints (which secure outbound traffic to Azure services) with Private Endpoints (which secure inbound traffic). The correct answer is Private Endpoints for inbound isolation.
Wrong: 'Store secrets in app settings and encrypt them with a customer-managed key.' While app settings are encrypted, the exam expects you to use Key Vault references for secrets. Candidates may think CMK is sufficient, but the best practice is to avoid storing secrets in app settings entirely.
Wrong: 'Set the function authorization level to Anonymous to allow all users, then authenticate in code.' This is a security risk because the function is exposed without any platform-level authentication. The correct approach is to use EasyAuth or Azure AD authentication at the platform level.
Wrong: 'Use the master key for regular function calls.' The master key has full access and should be used only for administrative tasks. Candidates may think it's convenient, but it's a security risk.
Specific Numbers, Values, and Terms That Appear on the Exam
Master key name: '_master'
Function key default expiration: None (keys do not expire by default)
IP restriction default action: Allow all (you must add a deny rule)
Private Endpoint plan requirement: Premium (Elastic Premium or Dedicated)
Key Vault reference syntax: @Microsoft.KeyVault(SecretUri=...)
Managed Identity types: System-assigned (1 per resource) and User-assigned (multiple resources)
EasyAuth token store: Cookie (default) or header
Minimum TLS version: 1.2 (default is 1.0 in older apps, but you should enforce 1.2)
Edge Cases and Exceptions
When using VNet Integration, the function app's outbound traffic goes through the VNet, but inbound traffic still goes through the public endpoint unless you use Private Endpoint.
If you enable EasyAuth and also use function keys, the function keys are ignored if EasyAuth is set to 'Require authentication'. The request must have a valid token.
System-assigned managed identity is deleted when the function app is deleted. User-assigned persists.
Key Vault references are resolved at runtime, not at deployment. If the function app cannot access Key Vault, it will fail to start.
How to Eliminate Wrong Answers
If the question is about inbound traffic isolation, look for 'Private Endpoint' or 'Access Restrictions'. Eliminate 'Service Endpoint'.
If the question is about secret management, look for 'Key Vault reference' or 'Managed Identity'. Eliminate 'App Settings encryption'.
If the question is about authentication, look for 'EasyAuth' or 'Azure AD'. Eliminate 'Function key' if the scenario requires user authentication.
If the question is about network security for outbound traffic, look for 'VNet Integration' or 'Service Endpoint'. Eliminate 'Private Endpoint' for outbound.
Azure Functions supports three authorization levels: Anonymous, Function, Admin (master key). Default for HTTP triggers is Function.
EasyAuth is a reverse-proxy authentication module that runs before the function code; it can require authentication from Azure AD.
IP restrictions are evaluated in priority order; you must add a deny-all rule to block all other traffic.
Private Endpoints require a Premium plan (Elastic Premium or Dedicated) and provide inbound traffic isolation.
Key Vault references use the syntax @Microsoft.KeyVault(SecretUri=...) and require a managed identity with GET permission.
System-assigned managed identity is tied to the function app; user-assigned can be shared across resources.
Always enforce HTTPS only and minimum TLS version 1.2 to protect data in transit.
Diagnostic logs and Application Insights are essential for monitoring authentication failures and function executions.
The master key ('_master') grants full access to all functions; protect it like a root password.
Function keys do not expire by default; rotate them regularly using the portal or CLI.
These come up on the exam all the time. Here's how to tell them apart.
EasyAuth (App Service Authentication)
Runs at the platform level before the function code executes.
Supports multiple identity providers (Azure AD, Google, etc.).
Automatically populates headers with claims (X-MS-CLIENT-PRINCIPAL).
Cannot be customized beyond provider configuration.
Easier to implement and requires less code.
Custom Authentication in Code
Runs within the function code after the request reaches the runtime.
Requires manual token validation and claims extraction.
More flexible and can integrate with custom identity systems.
Requires more development effort and testing.
Can be combined with EasyAuth for additional authorization logic.
Mistake
Function keys are a secure way to authenticate users.
Correct
Function keys are meant for service-to-service authentication, not user authentication. They are static secrets that can be shared and are not tied to a user identity. For user authentication, use Azure AD tokens with EasyAuth.
Mistake
IP restrictions are sufficient to secure a function app from the internet.
Correct
IP restrictions are a network-layer control, but they can be bypassed if an attacker gains access from an allowed IP (e.g., compromised corporate machine). Always combine with authentication and authorization.
Mistake
Service Endpoints can restrict inbound traffic to a function app.
Correct
Service Endpoints secure outbound traffic from a VNet to Azure services. For inbound traffic to a function app, you need Private Endpoints. Service Endpoints do not change the inbound path.
Mistake
Managed identities are only for Azure resources within the same tenant.
Correct
Managed identities work within the same Azure AD tenant. They cannot be used to authenticate to resources in another tenant unless federated identity is used.
Mistake
Key Vault references require the function app's app setting to be marked as a secret.
Correct
Key Vault references are stored in app settings, which are encrypted at rest. However, the reference itself is a string that points to Key Vault. The actual secret is retrieved at runtime. The app setting does not need to be marked as secret; it's just a regular app setting.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A function key is specific to a single function within a function app. A host key can be used to access any function in the same function app. The master key is a special host key that also allows administrative operations like creating and deleting keys. Function keys are more granular; host keys are broader. For security, use function keys when you need to restrict access to a specific function.
Yes, you can set the authorization level to 'Anonymous', which allows any request to trigger the function. However, this is not recommended for production. Even for internal tools, you should use at least IP restrictions to limit access. For internet-facing functions, always use authentication and authorization.
Enable Azure AD authentication via EasyAuth. In the Authentication blade, select 'Microsoft' as the identity provider and choose 'Require authentication'. Then configure the Azure AD app registration to only allow users from your tenant (set 'Supported account types' to 'Accounts in this organizational directory only'). This ensures that only users from your tenant can obtain a token and access the function.
VNet Integration allows the function app to make outbound calls to resources in a VNet (e.g., a database). Private Endpoint allows inbound calls to the function app from within a VNet, giving it a private IP address. VNet Integration does not change the inbound endpoint; the function app still has a public URL. Private Endpoint makes the function app accessible only from the VNet.
You can regenerate the master key using the Azure portal: go to your function app, under 'Functions' select 'App keys', find the master key (named '_master'), and click 'Regenerate'. You can also use the Azure CLI: `az functionapp keys regenerate --name MyFunctionApp --resource-group MyRG --key-type master`. After regeneration, any clients using the old master key will get a 401 Unauthorized.
Yes, you can configure EasyAuth to use Azure AD B2C as an identity provider. This allows you to authenticate external users (e.g., customers) with social or local accounts. The configuration is similar to Azure AD but uses the B2C tenant's endpoints. You need to create an app registration in the B2C tenant and configure the user flows.
The default token lifetime for Azure AD access tokens is 1 hour. The refresh token (if using authorization code flow) has a default lifetime of 90 days. EasyAuth can be configured to use token store to cache tokens. You can customize token lifetimes in Azure AD app registration under 'Token configuration'.
You've just covered Azure Functions Security — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?