This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 81%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
I would like to force clients of my function app to provide their client TLS certificate when connecting which i would like to inspect inside the triggered function.
According to several topics this would be possible if i set "Client certificate mode" to for example "Allow". The server would request the client certificate in that case in the TLS handshake and provide that client certificate in the "X-ARR-ClientCert" request header.
Now it seems that for a consumption plan function app, the general settings are not available, in the portal at least.
I am able to change the setting in the cloud shell using:
az functionapp update --set clientCertMode="Optional" --name <<function app name>> --resource-group <<resource group>>
But that won't allow me to set it to "Allow", e.g. the server should request the client certificate in the TLS handshake.
My questions are:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 33%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
The general settings page in the portal is available for consumption SKU windows apps but not in the Linux platform apps. Instead of using the general settings, you can use the below command in cloud shell for Linux apps
az webapp update --set clientCertEnabled=true --name <app-name> --resource-group <group-name>
Once this is set, you can validate the client certificate by refering to this article : https://learn.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth#access-client-certificate
The general settings page in the portal is available for consumption SKU windows apps but not in the Linux platform apps
I have just confirmed that a Linux function app on a dedicated S1:1 plan also has a "General Settings" tab, so that is not entirely correct.
Do you know which of the client certification modes (Require, Allow, Optional, Ignore) are supported in the case of Linux consumption plan apps?
Is there a reason why these settings are not in the portal for this specific scenario? Seems a bit particular to hide these settings in case of Linux consumption plan apps?
@MughundhanRaveendran-MSFT Could you please have a look at above questions?
@Tom Bulsink | Inspiro , I am looking into this. I will get back to you
@MughundhanRaveendran-MSFT Do you have any more information on this issue yet?
I don't believe that requiring client certificates is supported for the consumption plan, only the dedicated app service plan. I'm struggling to find any docs that confirm that, but that was my understanding.
Hello Sam, i have done some quick tests with setting the clientCertMode as per above cloud shell command, when set to "Required" and it at least generates a HTTP 403 when enabled and some low level TLS debugging also reveals that the server in this case requests a client certificate. I have not (yet) confirmed that the function in question also receives the client certificate in the header mentioned but that would be my next test.
In short, it definitely changes the server side behaviour when i change the setting, even in a consumption plan app. I agree with you however that it is hard to get at some clear documentation regarding this combination.