API Management bypasses Azure Function security

Alexandre Giuseppe 41 Reputation points

Hey guys,

I have an Azure Function with Authorization Level set to Function.

When I access it through the API Management URL, it returns "Hello World". When I access it through the Azure Function URL, it returns 401.


How come API Management bypasses security? I have set no inbound policy to have this behavior, just imported the function into API Management.


How do I disable such bypass?


Accepted answer
  1. MughundhanRaveendran-MSFT 12,436 Reputation points

    @Alexandre Giuseppe ,

    Thanks for reaching out to Q&A.

    When the authorization scope is set to "Function", it uses one of the function keys (default, host) to authorize the requests. So for the requests without the key, the function would return a 401 response. In your case, you have imported the function API to APIM. As soon as the HTTP function is integrated with APIM, a host key gets created in the function app (please refer to the screenshot below). The APIM uses this key to communicate with the function app, so the APIM does not bypass the function security. You can check the key creation in your function app.


    I hope this helps!

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

1 additional answer

  1. James Longworth 326 Reputation points

    When you import a function into API Management (APIM) you are, in effect, moving the point of authentication for the downstream consumer (in this case your PowerShell) to APIM. APIM acts as a facade (or proxy) for the functions behind it, and can apply authentication as well as many other policy-based elements to the traffic, in addition to acting as a central 'switch-board' for all the back-end services behind it.

    An import of a function app sets up a host-key in the function, a named value in APIM and appropriate policies, which means that it is APIM that is authenticating with your function, not the calling user or service. The default config and policy for an imported policy may have no 'end-user' authentication configured. Thus, if you can reach the APIM API endpoint then your call will pass through to the backend function without the need to provide any function key in the 'client'.

    Whilst you can configure an API to require a dedicated subscription key at the API level, APIM has the concept of Products and Subscriptions. A product is a collection of APIs, and a subscription provides access to one or more products (thus a collection of APIs). If you want to use a 'pre-shared key' method of authentication via APIM, then review this. However, using API Management you can enforce OAuth2, mutual certificate authentication and pretty much anything else (including bespoke authentication providers) using advanced policies.

    You could always change the API config and policy to just 'pass through' the function key, but then I would be interested in your use case for APIM (if you have one of course - you could just be learning :))

    Hope that helps.

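Both answers come down to the same check: since APIM holds the host key, what matters is what the APIM front door asks of the caller. The following is an added example, not code from the thread or from Microsoft, that audits API definitions for that condition; the input shape, the API names and the `hello-func` backend id are constructed for illustration, and `subscriptionRequired` is assumed to have been copied from each API's settings.

```python
import xml.etree.ElementTree as ET

# APIM inbound policy elements that make the *caller* prove something at the gateway.
CALLER_CONTROLS = {"validate-jwt", "validate-azure-ad-token",
                   "validate-client-certificate", "check-header", "ip-filter"}

def inbound_controls(policy_xml):
    """Return caller-facing control elements found in the <inbound> section."""
    inbound = ET.fromstring(policy_xml).find("inbound")
    if inbound is None:
        return set()
    return {el.tag for el in inbound.iter() if el.tag in CALLER_CONTROLS}

def audit_api(api):
    """Report what, if anything, a client must present to APIM for this API."""
    controls = inbound_controls(api["policy_xml"])
    # A missing flag is treated as "not required" so the audit errs on the side of flagging.
    if api.get("subscriptionRequired", False):
        controls.add("subscription-key")
    return {"name": api["name"],
            "caller_controls": sorted(controls),
            "open_to_any_caller": not controls}

# Constructed sample data (hypothetical names, simplified shape; not an Azure export).
_TAIL = "</inbound><backend><base /></backend><outbound><base /></outbound></policies>"
_BACKEND = '<set-backend-service backend-id="hello-func" />'
SAMPLE_APIS = [
    {"name": "hello-imported-as-is", "subscriptionRequired": False,
     "policy_xml": "<policies><inbound><base />" + _BACKEND + _TAIL},
    {"name": "hello-with-subscription", "subscriptionRequired": True,
     "policy_xml": "<policies><inbound><base />" + _BACKEND + _TAIL},
    {"name": "hello-with-jwt", "subscriptionRequired": False,
     "policy_xml": '<policies><inbound><base /><validate-jwt header-name="Authorization">'
                   '<openid-config url="https://login.example.invalid/openid-configuration" />'
                   "</validate-jwt>" + _BACKEND + _TAIL},
]

def audit_all(apis):
    """Audit every API definition in the list."""
    return [audit_api(a) for a in apis]

if __name__ == "__main__":
    for row in audit_all(SAMPLE_APIS):
        status = "OPEN" if row["open_to_any_caller"] else "protected"
        print(f'{row["name"]}: {status} {row["caller_controls"]}')
```

Policies that embed expressions with unescaped quotes or angle brackets are not well-formed XML and would need a more tolerant parser than the one used here.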