How to securely connect to a Function App without AAD Authentication

Alex Curtis 20 Reputation points
2023-02-22T16:55:06.0966667+00:00

Hello,

We have an on-premise application that is installed by many of our customers on their own hardware.

We're moving functionality from our on-premise application into Azure. We're currently re-coding this functionality in function apps in Azure. We are looking for the best approach to securely calling the function app without users having to sign in with AAD to obtain a token (as not all our clients are on AAD) and without having to rely on holding a function key on-premise within the database, as we feel these would need to be cycled frequently for security. Is there a better way of securely calling the function app from an on-premise application?

Alex

Azure Functions

1 answer

  1. MikeUrnun 9,777 Reputation points Moderator
    2023-03-03T06:52:01.6433333+00:00

    Hello @Alex Curtis, sorry for the late answer. I think that the authentication options & their security strengths will vary depending on how much you can leverage from the existing system you have for the on-prem users. You mentioned that the users have to install an on-prem application in order to be able to connect to the Function Apps -- are they on an on-prem local network and have to connect via VPN? If so, there are opportunities to leverage plenty of networking features to strengthen the security of your Function App and I highly recommend this option if possible.

    If network security options aren't possible, and it's more like any user who installs the application needs to be able to call Function App wherever they are (from the public internet), you might consider exploring certificate authentication next. This option is machine-based and requires your users to install an X509 certificate on their machine. And when users attempt to call Function Apps, the certificate is included in their HTTP request and Azure App Service will perform authentication accordingly. Be aware that any machine that possesses a valid certificate will be able to call your Function App.

    Another option is to secure your Function App with API Management (short for APIM) such that only requests from APIM are allowed to call your Function Apps. The requests made by users on-prem will have to pass through APIM, during which the APIM will have to perform authentication. The APIM supports many different authentication options, with the most loose ones being Subscription Key based ones as well as Basic Auth.

    Lastly, another thing to note here is that both Function App and APIM can be containerized and can run in an on-prem environment (or anywhere you can run containers). This feature can be instrumental in some situations when putting together on-prem-to-cloud workflows/architectures.

    If any of the options above resonate better with what you're trying to accomplish and if you're interested in getting more details, just let me know and I'd be happy to provide more resources.

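For the certificate option in the answer above: App Service forwards the caller's certificate to the function code base64-encoded in the `X-ARR-ClientCert` request header and leaves validation to that code. The Python below is an added example, not part of the original answer or any Microsoft sample; it pins each customer to a certificate fingerprint so that one customer's certificate can be revoked without affecting the others. The function names, the allowlist layout and the sample bytes are assumptions made for illustration, and chain and expiry validation are outside what it shows.

```python
import base64
import binascii
import hashlib
import hmac

CERT_HEADER = "x-arr-clientcert"  # header App Service uses to forward the client certificate


def fingerprint(der_bytes):
    """SHA-256 fingerprint of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def as_header(der_bytes):
    """Build the forwarded header the way it reaches the app (helper for the sample data)."""
    return {"X-ARR-ClientCert": base64.b64encode(der_bytes).decode("ascii")}


def authorize(headers, allowed):
    """Return the customer id pinned to the presented certificate, or None.

    headers: request headers as a dict; allowed: {fingerprint_hex: customer_id}.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    encoded = lowered.get(CERT_HEADER)
    if not encoded:
        return None  # no certificate presented: reject
    try:
        der = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed header: reject rather than guess
    presented = fingerprint(der)
    matched = None
    # Check every pinned value; each comparison is constant-time.
    for pinned, customer in allowed.items():
        if hmac.compare_digest(presented, pinned.lower()):
            matched = customer
    return matched


# Constructed sample data: stand-in bytes, not real certificates.
CERT_A = b"constructed-der-bytes-customer-a"
CERT_B = b"constructed-der-bytes-customer-b"
ALLOWED = {fingerprint(CERT_A): "customer-a"}  # customer-b is not enrolled, or was revoked

if __name__ == "__main__":
    for cert in (CERT_A, CERT_B):
        print(authorize(as_header(cert), ALLOWED))
```

Removing a fingerprint from the allowlist revokes that one customer's access, which bounds the risk the answer notes about any machine holding a valid certificate.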
