Securing your Azure Function App

This section guides you on securing the HTTP endpoint for your App.

Enforce HTTPS

  1. In your Function App, click the TLS/SSL Settings blade on the left.

  2. Next to HTTPS Only, click On.

  3. Ensure that "Minimum TLS Version" is the latest version.

  4. You can also configure the server certificate on this page.

Add an Identity Provider

By default, your HTTP Function endpoint is completely public. In order to restrict access to only authorized users, you can add an Identity Provider:

  1. In the Authentication blade of your Function App, click the Add Identity Provider button.

    Several options are available. This example uses Microsoft.
  2. Leave the App registration type as Create new app registration.

  3. Enter the name of your Function App as the registration name.

  4. Select the desired Supported account types (for example, "Any Azure AD directory - Multi-tenant")

  5. Ensure Restrict access is set to Require authentication.

  6. Select the desired Unauthenticated requests value.

    This example uses "HTTP 401 Unauthorized: recommended for APIs".
  7. Ensure Token store is selected.

  8. Click the Add.

The identity provider appears in the Authentication blade. You can follow the Quickstart link for details on how to use it to authenticate for your HTTP Function. The example presented here shows a common use case.

To access your HTTP Function endpoint programmatically, you can create a new App Registration representing the calling client:

  1. In the App Registrations service, click New registration.

  2. Give the registration a name representing your client (e.g., myfunction-client).

  3. Select the desired Supported account types option, and click Register.

  4. In the Certificates & secrets blade, select Client secrets > New client secret.

  5. Specify a description, and click Add.

  6. Copy the secret Value, because it will not be shown again.
  7. In the Overview blade, add the Directory (tenant) ID and Application (client) ID for the next step.

  8. Add the Application (client) ID of your Function App's App Registration.

  9. Request an access token similar to the following:

    # <tenant-id> is the tenant ID copied above
    # <client-id> is the client App Registration's "Application (client) ID" copied above
    # <client-secret> is the client App Registration's client secret copied above
    # <application-id> is your Function App's App Registration "Application (client) ID" copied above
    curl -X POST<tenant-id>/oauth2/token -H "Content-Type: application/x-www-form-urlencoded" -d \
        'grant_type=client_credentials&client_id=<client-id>&client_secret=<client-secret>&resource=<application-id>' -X POST

    This will give you an OAuth 2 response.

  10. Copy the value of the "access_token" to use below.

  11. Submit a request to your HTTP function now as follows:

    TOKEN=<access_token> # copied from above
    curl https://<your-function-app> \
        -H "Authorization: Bearer $TOKEN" \
        ... etc.