Azure Functions Docs

Secure Your Azure Functions

Azure Functions provides a serverless compute platform that can be secured using multiple layers, from network isolation to runtime protections. This guide outlines best practices, built‑in features, and code samples to help you protect your functions.

Authentication & Authorization

Managed Identity Integration

Use a system‑assigned or user‑assigned managed identity to authenticate to Azure services without storing secrets.

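// C# example: Access Azure Key Vault with Managed Identity
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// DefaultAzureCredential picks up the function app's managed identity when running in Azure.
var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), new DefaultAzureCredential());
// GetSecretAsync returns Response<KeyVaultSecret>; the implicit conversion unwraps it.
KeyVaultSecret secret = await client.GetSecretAsync("MySecret");
// secret.Value is the secret string itself.
Console.WriteLine(secret.Value);

Function‑level Authorization (Azure AD)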

Set authLevel to function or admin and enforce Azure AD tokens.

// host.json snippet
{
  "extensions": {
    "http": {
      "routePrefix": "api",
      "maxConcurrentRequests": 5
    }
  },
  "auth": {
    "azureAd": {
      "clientId": "YOUR-CLIENT-ID",
      "tenantId": "YOUR-TENANT-ID"
    }
  }
}

Networking & Isolation

VNet Integration

Place your function app inside a Virtual Network to limit inbound traffic.

  • Enable Private Endpoints.
  • Use Service Tags for Azure services.

IP Restrictions

Define allowed IP ranges in the Function App settings.

# Azure CLI
az functionapp config access-restriction add \
  --resource-group MyRG \
  --name MyFunctionApp \
  --rule-name AllowCorporate \
  --priority 100 \
  --ip-address 203.0.113.0/24 \
  --action Allow
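
The command above adds a single Allow rule. The following Python model is an added example, not part of the original documentation or of any Azure tooling; it shows how such rules are evaluated by default (ascending priority, first match wins, implicit deny once any rule exists) and flags an Allow rule that covers every address. Assumptions: the `Rule`, `evaluate` and `audit` names and every rule except AllowCorporate are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    cidr: str
    action: str  # "Allow" or "Deny"

def evaluate(rules, source_ip):
    """Return (action, rule_name) for source_ip under the default rule semantics."""
    # With no rules configured, the app accepts traffic from any address.
    if not rules:
        return ("Allow", "no-rules-configured")
    addr = ipaddress.ip_address(source_ip)
    # Rules are checked in ascending priority order; the first match wins.
    for rule in sorted(rules, key=lambda r: r.priority):
        net = ipaddress.ip_network(rule.cidr, strict=False)
        if addr.version == net.version and addr in net:
            return (rule.action, rule.name)
    # Once at least one rule exists, unmatched traffic hits an implicit deny-all.
    return ("Deny", "implicit-deny-all")

def audit(rules):
    """Flag Allow rules broad enough to defeat the restriction."""
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule.cidr, strict=False)
        if rule.action == "Allow" and net.prefixlen == 0:
            findings.append(f"{rule.name}: allows every address ({rule.cidr})")
    return findings

# Constructed rule set: the first entry mirrors the CLI command above.
RULES = [
    Rule("AllowCorporate", 100, "203.0.113.0/24", "Allow"),
    Rule("DenyGuestWifi", 50, "203.0.113.128/25", "Deny"),  # hypothetical
    Rule("AllowAnyLegacy", 300, "0.0.0.0/0", "Allow"),      # hypothetical misconfiguration
]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.200", "198.51.100.7"):
        print(ip, evaluate(RULES[:2], ip))
    print(audit(RULES))
```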

Data Protection

Encryption at Rest

Azure Functions stores data in Azure Storage, which is encrypted by default with Microsoft‑managed keys. For additional control, enable Customer‑Managed Keys (CMK).

# Azure PowerShell to set CMK
Set-AzStorageAccount -ResourceGroupName "MyRG" -Name "mystorage" `
  -KeyvaultEncryption `
  -KeyName "mykey" `
  -KeyVaultUri "https://myvault.vault.azure.net/"

Secure Input/Output Bindings

Use the AzureKeyVault binding to retrieve secrets at runtime.

// host.json
{
  "extensionBundle": {
    "id": "Microsoft.Azure.Functions.ExtensionBundle",
    "version": "[2.*, 3.0.0)"
  }
}

// function.json
{
  "bindings": [
    {
      "type": "keyVault",
      "name": "mySecret",
      "vaultName": "myvault",
      "secretName": "DbPassword",
      "direction": "in"
    }
  ]
}

Best Practices Checklist

Additional Resources