Overview
Azure Functions with HTTP endpoints should not rely on application code alone to reject unauthenticated requests. App Service Authentication provides a platform enforcement point before requests reach the function runtime.
Unauthenticated Function Apps increase the public attack surface and can expose internal automation, webhooks, or APIs to abuse when authorization is missing, incomplete, or inconsistently implemented in code.
Remediation guidance
Remediation
Enable App Service Authentication for the Function App and require unauthenticated requests to be rejected or redirected to your approved identity provider. Choose the identity provider and the unauthenticated-client action that match the function's invocation pattern: callers that are APIs, webhooks, or workloads expect an HTTP 401, while interactive users in a browser expect a redirect to a login page.
Azure CLI
Review the current authentication settings:
az webapp auth show \
--resource-group {{asset.azureResourceGroup}} \
--name {{asset.name}}
Enable authentication and reject unauthenticated requests with HTTP 401. The authV2 extension may be installed automatically by Azure CLI when required.
az webapp auth update \
--resource-group {{asset.azureResourceGroup}} \
--name {{asset.name}} \
--enabled true \
--unauthenticated-client-action Return401
If the function is meant to be called by users through a browser, configure the approved identity provider and use RedirectToLoginPage instead of Return401 where appropriate.
Validation
az webapp auth show \
--resource-group {{asset.azureResourceGroup}} \
--name {{asset.name}} \
--query '{enabled:platform.enabled,unauthenticatedClientAction:globalValidation.unauthenticatedClientAction}'
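As an added example that is not part of this control's guidance, the following script turns the commands above into a repeatable audit across a whole subscription: it lists every Function App, reads the same two settings the validation query checks, reports apps that still allow anonymous callers, and when run with the argument fix applies the same az webapp auth update shown above. It assumes Azure CLI with the authV2 extension, an active az login session, and that resource group and app names contain no whitespace (Azure does not allow it); the function names and the NONCOMPLIANT/FIXED output labels are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example, not part of the control page: audit every Function App in
# the current subscription for App Service Authentication and, when run with
# the argument "fix", enforce Return401 on the non-compliant ones.
# Assumes: Azure CLI with the authV2 extension, an active "az login" session,
# and Reader (audit) or Contributor (fix) rights on the apps.
set -eu

# Decide whether a (platform.enabled, unauthenticatedClientAction) pair rejects
# anonymous callers. Pure function with no Azure dependency. The boolean is
# compared case-insensitively because "-o tsv" prints it as True/False.
auth_is_enforced() {
  enabled=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  [ "$enabled" = "true" ] || return 1
  case "$2" in
    Return401|Return403|RedirectToLoginPage) return 0 ;;
    *) return 1 ;;   # AllowAnonymous, empty, or an unknown value
  esac
}

# Read the two settings for one app as "enabled<TAB>action". The JMESPath
# "||" substitutes safe defaults when authV2 has never been configured.
read_auth_settings() {
  az webapp auth show --resource-group "$1" --name "$2" \
    --query "[platform.enabled || 'false', globalValidation.unauthenticatedClientAction || 'AllowAnonymous']" \
    -o tsv
}

# Walk all Function Apps; print one line per non-compliant app and, in fix
# mode, apply the remediation the control describes. Return401 suits API and
# webhook callers; use RedirectToLoginPage instead for browser users.
audit_function_apps() {
  mode="${1:-audit}"
  az functionapp list --query '[].[resourceGroup,name]' -o tsv |
  while read -r rg name; do
    settings=$(read_auth_settings "$rg" "$name") || {
      echo "ERROR $rg/$name could not read auth settings" >&2
      continue
    }
    set -- $settings
    if auth_is_enforced "${1:-false}" "${2:-}"; then
      continue
    fi
    echo "NONCOMPLIANT $rg/$name enabled=${1:-false} action=${2:-none}"
    if [ "$mode" = "fix" ]; then
      az webapp auth update --resource-group "$rg" --name "$name" \
        --enabled true --unauthenticated-client-action Return401 >/dev/null
      echo "FIXED $rg/$name"
    fi
  done
}

# Only touch Azure when invoked explicitly:  sh audit_auth.sh audit|fix
case "${1:-}" in
  audit|fix) audit_function_apps "$1" ;;
esac
```

Run it in audit mode against staging first; a NONCOMPLIANT line for an intentionally public webhook is the documented exception from the rollout guidance, not something to fix blindly, so review the list before running fix mode.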
Rollout guidance
- Confirm which callers invoke the function and whether they use user auth, workload identity, managed identity, or signed webhook tokens.
- Add authentication in staging first and verify all legitimate callers can still invoke the function.
- For intentionally public webhooks, document the exception and enforce compensating controls such as signed requests, IP restrictions, rate limiting, and monitoring.
- Capture the setting in IaC or Azure Policy so new Function Apps inherit the secure baseline.
References
- https://learn.microsoft.com/en-us/cli/azure/webapp/auth
- https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
Query logic
These are the stored checks tied to this control.
Azure Function Apps without authentication
Connectors: Microsoft Azure
Expected check: eq [] (the query must return no assets for the control to pass)
{
functionApps(where: { authSettings_NONE: { enabled: { eq: true } } }) {
...AssetFragment
}
}