This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 4%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPL%3C/text%3E%3C/svg%3E)
We have an Azure Function that has its' existing functions secured via a Function Key. That is OK for those but we want to add a new function that we would want to have stronger security. We would want to use Azure B2C accounts.
Is it possible to secure just the new Function with EasyAuth or is Easy Auth a setting that must apply to all functions within an Azure Function?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 10%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
@Pat Long Thank you for reaching out to Microsoft Q&A. EasyAuth is enabled at Function App/App Service level and hence you cannot enable only for specific functions in a Function App. In such scenarios, you would have to place it in a separate Function App. Refer docs: Authentication and authorization in Azure App Service and Azure Functions and let me know if any questions.
If that i the case then can you please explain the following configuration options.
When enabling an IdentityProvider on the function you can also say "Allow Anonymous" True. What is the reason for that option?
You are still able to independently set the AuthorizationLevel for each "function" in the Function App, what is the reason for that functionality if you cannot have functions with different auth settings.
Currently I have the Function App set with a Microsoft Identity Provider and Allow Anonymous and 3 of the 4 functions have AuthorizationLevel.Function with one set as AuthorizationLevel.Anonymous. There is nothing in the runtime saying this is wrong. Please offer some more insight into the mess that is Authorization within Azure Function apps
@Pat Long #1 When you enable EasyAuth with "Allow unauthenticated requests", it allows unauthenticated traffic for all Functions in a Function App. In this scenario, you can choose to write a custom code to handle authentication. Refer Authorization behavior for more info.
For #2: At each function level of HTTP triggered function, you can set AuthorizationLevel to Anonymous or Function which then requires API access key in the request. Please note, this authorization is for API access key and docs: Function access keys describe more about function-level keys (Function, Host). However, EasyAuth is for user authentication and validation of authentication tokens from the identity provider.
I hope this helps and let me know if any questions.
I now have a single Function in a Function App secured using B2C.
The function has the AuthorizationLevel.Anonymous and I followed these excellent instructions https://damienbod.com/2020/09/24/securing-azure-functions-using-azure-ad-jwt-bearer-token-authentication-for-user-access-tokens/
@Pat Long Glad you got the solution and thanks for sharing it.