HTTP Trigger Azure Function Authorization Types simplified

Now, many of you must be wondering how the Authorization types for Azure Functions using HTTP Triggers work and where to look for information while using these different types. Hopefully, this post helps simplify each of those for you.

Now, when you create a new Azure Function from Visual Studio or from the Azure Portal, you’ll be asked about Authorization, where you’ll need to select one of the below –

  1. Anonymous
  2. Function
  3. Admin
  4. System

Anonymous

This type of Authorization lets you use the Azure Function without needing any key; anyone with the URL alone can access it. Of course, this is not recommended for any production use –

  1. Now, if you look at Visual Studio when you write your first Azure Function, it comes with a pre-defined method ready for you to continue writing your own code. Right away, you’ll see that the Authorization level is pre-defined, since you must’ve selected Anonymous while starting the Project.

  2. Also, since the Azure Function is understood to be Published already on the Azure Portal, you’ll see in the Function’s settings that the same has been reflected as well.

  3. Now, if you test this using Postman, the code will run directly using just the URL, without any API key. You can either pass the input in the body – and you’ll get a 200 OK with the result that the Azure Function is supposed to return.


    Or using query parameters – the result will be the same.


    This simply explains Anonymous authorization: there is no check on who’s supposed to access the Azure Function.

Function

In this type of Authorization, only the Function and resources associated with it will be accessible. The caller needs to pass a key [or code] while calling the Azure Function –

  1. Let’s look at the code, and see that the type is now set to Function for Authorization.

  2. And when you Publish the code, the same will be reflected in the Settings too.


  3. And when you want to access the Azure Function from Postman, you’ll need the Function Keys defined in the Function Keys area of the Function itself – a Default Key is given already but you can choose to add your own keys and using any of them would do.

  4. Now, here’s what the Key looks like when you click on Show [there’s a button on the far right to expose the key’s value]

  5. Now, when you go to Postman, you can pass this as a query parameter –


    Now, let’s look at the Admin Type of Authorization.

Admin

In this type of Authorization, you get access to the Functions Runtime APIs. The way to use the Admin key is similar to the Function Keys, except that it is available from the Function App itself rather than from the Function –

  1. Now, when the Authorization is set to Admin

  2. You’ll see this reflected in the portal once Published.

  3. Now, in the Function App itself – you can navigate to the App keys under Functions [as of the portal’s layout in mid-2024]

  4. You can reveal this value and share it with the clients who are going to consume this Function App. The key required here is the _master key.

  5. Now, you can test this using Postman


    Remember, this type of Authorization is to be used when the calling client also needs to access the Functions Runtime APIs.
    Finally, let’s look at the System type.

System

This type of key is managed by the Functions runtime and is used by the calling client when there’s a need for granular access to Functions runtime features.

  1. Now, you can set this from the code and publish it.


  2. And it’ll appear in the settings of the Function [for the case where the Function wants to access granular Functions runtime features].

  3. And this is present in the App keys area, under the System Keys section.

  4. And when you test it, it works just like any other key from the Function App when called.
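To check which of the four levels each HTTP trigger in a Function App actually uses, the sketch below reads function.json files and flags anything left on Anonymous or missing a level. It is an added example, not code from the original post; the function names and sample function.json documents are constructed, and it assumes the level appears as the `authLevel` property of the `httpTrigger` binding.

```python
import json

# What a caller must present at each level, as described in this post.
KEY_NEEDED = {
    "anonymous": None,  # the URL alone is enough
    "function": "a function key",
    "admin": "the _master key",
    "system": "a system key",
}

def audit(name, function_json_text):
    """Return (function, authLevel, verdict) for each HTTP trigger binding."""
    results = []
    for binding in json.loads(function_json_text).get("bindings", []):
        if str(binding.get("type", "")).lower() != "httptrigger":
            continue  # non-HTTP triggers and output bindings carry no authLevel
        level = str(binding.get("authLevel", "")).lower()
        if level not in KEY_NEEDED:
            verdict = "FAIL: authLevel missing or unrecognised"
        elif level == "anonymous":
            verdict = "FAIL: no key required, anyone with the URL can call it"
        elif level == "admin":
            verdict = "REVIEW: every caller must hold the _master key"
        else:
            verdict = "OK: requires " + KEY_NEEDED[level]
        results.append((name, level or "(unset)", verdict))
    return results

def http_binding(level):
    """Build a constructed function.json with one HTTP trigger (sample data)."""
    trigger = {"type": "httpTrigger", "direction": "in", "name": "req"}
    if level is not None:
        trigger["authLevel"] = level
    return json.dumps({"bindings": [trigger, {"type": "http", "direction": "out"}]})

SAMPLES = {  # constructed samples; the function names are hypothetical
    "HelloAnon": http_binding("anonymous"),
    "GetOrder": http_binding("function"),
    "RuntimeOps": http_binding("admin"),
    "NoLevel": http_binding(None),
    "Nightly": json.dumps({"bindings": [{"type": "timerTrigger", "name": "t"}]}),
}

def audit_all(samples=SAMPLES):
    return [row for name, text in samples.items() for row in audit(name, text)]

if __name__ == "__main__":
    for row in audit_all():
        print("%-11s %-10s %s" % row)
```

Running the same check over the function.json files in a build output before publishing catches a trigger that was left on Anonymous during testing.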

Hope this was useful!
