Securing Azure Function App

There are several assertions about how an Azure Function App should be configured according to security best practices. Think of each one as a requirement or policy the Function App should comply with. A Function App deployment usually includes other Azure services, such as a Storage account, Key Vault and networking. Some of the requirements contradict others, and blindly following the remediation steps may break the function app. Let us look at it holistically and propose an ideal Azure Function App configuration.

Requirements (policies) are:

  • function apps should only be accessible over HTTPS
  • managed identity should be enabled on function apps
  • function apps should have client certificates (incoming client certificates) enabled
  • key vault should have purge protection enabled
  • Azure key vaults should use private link
  • Azure key vault should use the RBAC permission model
  • firewall should be enabled on key vault
  • storage account public access should be disallowed
  • storage accounts should have blob versioning enabled
  • storage account should use private link
  • storage accounts should restrict network access using virtual network rules
  • storage accounts should prevent shared key access
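To make the list above concrete, here is an added example (not code from the original post) that evaluates a Function App, its Key Vault and its Storage account against these policies, using ARM-style resource JSON. The resources are constructed samples; property names follow the ARM schemas for Microsoft.Web/sites, Microsoft.KeyVault/vaults, Microsoft.Storage/storageAccounts and Microsoft.Network/privateEndpoints (the app settings are flattened into the site object for brevity, which is an assumption of this sample, not how ARM exports them). The last check illustrates the "requirements contradict each other" point: disabling shared key access on the storage account while the runtime's AzureWebJobsStorage setting still carries an account key breaks the app unless it is switched to an identity-based connection.

```python
import json

# Constructed sample resources (not exported from a real subscription). A mostly
# remediated setup: the key vault has a private endpoint, the storage account does not,
# and AzureWebJobsStorage still uses a shared key although the account disallows it.
SAMPLE = json.loads("""
{
  "functionApp": {
    "type": "Microsoft.Web/sites",
    "identity": {"type": "SystemAssigned"},
    "properties": {"httpsOnly": true, "clientCertEnabled": true, "clientCertMode": "Required"},
    "appSettings": {"AzureWebJobsStorage":
      "DefaultEndpointsProtocol=https;AccountName=stfuncdemo;AccountKey=PLACEHOLDER_KEY"}
  },
  "keyVault": {
    "type": "Microsoft.KeyVault/vaults",
    "id": "/subscriptions/PLACEHOLDER_SUB/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv-func-demo",
    "properties": {"enablePurgeProtection": true, "enableRbacAuthorization": true,
                   "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"}}
  },
  "storageAccount": {
    "type": "Microsoft.Storage/storageAccounts",
    "id": "/subscriptions/PLACEHOLDER_SUB/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/stfuncdemo",
    "properties": {"allowBlobPublicAccess": false, "allowSharedKeyAccess": false,
                   "networkAcls": {"defaultAction": "Deny",
                                   "virtualNetworkRules": [{"id": "/subscriptions/PLACEHOLDER_SUB/.../subnets/func-integration"}]}},
    "blobVersioningEnabled": true
  },
  "privateEndpoints": [
    {"type": "Microsoft.Network/privateEndpoints",
     "properties": {"privateLinkServiceConnections": [
       {"properties": {"privateLinkServiceId":
         "/subscriptions/PLACEHOLDER_SUB/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv-func-demo"}}]}}
  ]
}
""")


def has_private_endpoint(resource_id, private_endpoints):
    """True if some private endpoint connects to the given resource id."""
    for pe in private_endpoints:
        for conn in pe["properties"].get("privateLinkServiceConnections", []):
            if conn["properties"].get("privateLinkServiceId") == resource_id:
                return True
    return False


def check_function_app(app):
    findings, props = [], app["properties"]
    if not props.get("httpsOnly"):
        findings.append("function apps should only be accessible over HTTPS")
    if app.get("identity", {}).get("type", "None") == "None":
        findings.append("managed identity should be enabled on function apps")
    if not props.get("clientCertEnabled"):
        findings.append("function apps should have client certificates enabled")
    return findings


def check_key_vault(kv, private_endpoints):
    findings, props = [], kv["properties"]
    if not props.get("enablePurgeProtection"):
        findings.append("key vault should have purge protection enabled")
    if not has_private_endpoint(kv["id"], private_endpoints):
        findings.append("Azure key vaults should use private link")
    if not props.get("enableRbacAuthorization"):
        findings.append("Azure key vault should use the RBAC permission model")
    if props.get("networkAcls", {}).get("defaultAction") != "Deny":
        findings.append("firewall should be enabled on key vault")
    return findings


def check_storage_account(sa, private_endpoints):
    findings, props = [], sa["properties"]
    if props.get("allowBlobPublicAccess", True):  # ARM default is true
        findings.append("storage account public access should be disallowed")
    if not sa.get("blobVersioningEnabled"):
        findings.append("storage accounts should have blob versioning enabled")
    if not has_private_endpoint(sa["id"], private_endpoints):
        findings.append("storage account should use private link")
    acls = props.get("networkAcls", {})
    if acls.get("defaultAction") != "Deny" or not acls.get("virtualNetworkRules"):
        findings.append("storage accounts should restrict network access using virtual network rules")
    if props.get("allowSharedKeyAccess", True):  # ARM default is true
        findings.append("storage accounts should prevent shared key access")
    return findings


def check_compatibility(app, sa):
    """Policies that pass individually can still break the app in combination: once the
    account disallows shared keys, AzureWebJobsStorage must become an identity-based
    connection (AzureWebJobsStorage__accountName) backed by the managed identity."""
    conn = app.get("appSettings", {}).get("AzureWebJobsStorage", "")
    if not sa["properties"].get("allowSharedKeyAccess", True) and "AccountKey=" in conn:
        return ["AzureWebJobsStorage still uses a shared key; switch to AzureWebJobsStorage__accountName "
                "and grant the managed identity the storage data roles the runtime needs"]
    return []


def evaluate(resources):
    pes = resources.get("privateEndpoints", [])
    return {
        "functionApp": check_function_app(resources["functionApp"]),
        "keyVault": check_key_vault(resources["keyVault"], pes),
        "storageAccount": check_storage_account(resources["storageAccount"], pes),
        "compatibility": check_compatibility(resources["functionApp"], resources["storageAccount"]),
    }


if __name__ == "__main__":
    for scope, findings in evaluate(SAMPLE).items():
        print(scope, "->", findings or "compliant")
```

Running it against the sample reports the storage account's missing private endpoint and the shared-key connection string; everything else passes. The compatibility check is the part a plain policy scan would not show you, and it is the reason remediation for this list has to be planned as a whole rather than applied setting by setting.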

TBP…
