
az functionapp config access-restriction

Methods that show, set, add, and remove access restrictions on a functionapp.


| Name | Description | Type | Status |
|---|---|---|---|
| az functionapp config access-restriction add | Adds an Access Restriction to the function app. | Core | GA |
| az functionapp config access-restriction remove | Removes an Access Restriction from the functionapp. | Core | GA |
| az functionapp config access-restriction set | Sets if SCM site is using the same restrictions as the main site. | Core | GA |
| az functionapp config access-restriction show | Show Access Restriction settings for functionapp. | Core | GA |

az functionapp config access-restriction add

Adds an Access Restriction to the function app.

az functionapp config access-restriction add --priority
                                             [--action {Allow, Deny}]
                                             [--ignore-missing-endpoint {false, true}]
                                             [--scm-site {false, true}]
                                             [--skip-service-tag-validation {false, true}]


Add Access Restriction opening (Allow) named developers for IPv4 address with priority 200 to main site.

az functionapp config access-restriction add -g ResourceGroup -n AppName --rule-name developers --action Allow --ip-address <ip-address-or-cidr> --priority 200

Add Access Restriction opening (Allow) named build_server for IPv4 address with priority 250 to scm site.

az functionapp config access-restriction add -g ResourceGroup -n AppName --rule-name build_server --action Allow --ip-address <ip-address-or-cidr> --priority 250 --scm-site true

Add Access Restriction opening (Allow) named app_gateway for Subnet app_gw in vNet core_weu with priority 300 to main site.

az functionapp config access-restriction add -g ResourceGroup -n AppName --rule-name app_gateway --action Allow --vnet-name core_weu --subnet app_gateway --priority 300

Add Access Restriction opening (Allow) named internal_agents for Subnet build_agents in vNet corp01 with priority 500 to scm site; and ignore service endpoint registration on the Subnet.

az functionapp config access-restriction add -g ResourceGroup -n AppName --rule-name internal_agents --action Allow --vnet-name corp01 --subnet build_agents --priority 500 --scm-site true --ignore-missing-endpoint true

Add Access Restriction opening (Allow) named remote_agents in vNet 'corp01' in rg 'vnets' with subnet 'agents'

az functionapp config access-restriction add -g ResourceGroup -n AppName --rule-name remote_agents --action Allow --vnet-name corp01 --subnet agents --priority 500 --vnet-resource-group vnets

Add Access Restriction opening (Allow) named agents in vNet 'corp01' in rg 'vnets' with subnet 'agents' (using subnet resource id)

az functionapp config access-restriction add -g ResourceGroup -n AppName --rule-name remote_agents --action Allow --priority 800 --subnet '/subscriptions/<subscription-id>/resourceGroups/vnets/providers/Microsoft.Network/virtualNetworks/corp01/subnets/agents'

Add Access Restriction opening (Allow) with no rule name for service tag AzureCloud

az functionapp config access-restriction add -g ResourceGroup -n AppName --priority 400 --service-tag AzureCloud

Add Access Restriction opening (Allow) with no rule name for service tag AzureFrontDoor.Backend and http-header X-Azure-FDID with value '12345678-abcd-1234-abcd-12345678910a'

az functionapp config access-restriction add -g ResourceGroup -n AppName --priority 400 --service-tag AzureFrontDoor.Backend --http-header x-azure-fdid=12345678-abcd-1234-abcd-12345678910a

Add Access Restriction opening (Allow) with multiple http-header values for the same header 'X-Azure-FDID'

az functionapp config access-restriction add -g ResourceGroup -n AppName --priority 400 --service-tag AzureFrontDoor.Backend --http-header x-azure-fdid=12345678-abcd-1234-abcd-12345678910a x-azure-fdid=11111111-abcd-1234-abcd-222222222222

Required Parameters

--priority -p

Priority of the access restriction rule.

Optional Parameters


--action

Allow or deny access.

Accepted values: Allow, Deny
Default value: Allow

--description

Description of the access restriction rule.

--http-headers

Space-separated http headers in a format of <name>=<value>.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--ignore-missing-endpoint -i

Create access restriction rule with checking if the subnet has Microsoft.Web service endpoint enabled.

Accepted values: false, true
Default value: False

--ip-address

IP address or CIDR range (optional comma separated list of up to 8 ranges).

--name -n

Name of the function app.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--rule-name -r

Name of the access restriction rule to add.


--scm-site

True if the access restriction is added for the scm site.

Accepted values: false, true
Default value: False

--service-tag

Service Tag (optional comma separated list of up to 8 tags).

--skip-service-tag-validation -k

Skip validating public service tags.

Accepted values: false, true

--slot -s

The name of the slot. Defaults to the production slot if not specified.

--subnet

Subnet name (requires vNet name) or subnet resource id.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vnet-name

VNet name.

--vnet-resource-group

Resource group of virtual network (default is web app resource group).

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az functionapp config access-restriction remove

Removes an Access Restriction from the functionapp.

az functionapp config access-restriction remove [--action {Allow, Deny}]
                                                [--scm-site {false, true}]
                                                [--skip-service-tag-validation {false, true}]


Remove Access Restriction named developers from the main site.

az functionapp config access-restriction remove -g ResourceGroup -n AppName --rule-name developers

Remove Access Restriction named internal_agents from the scm site.

az functionapp config access-restriction remove -g ResourceGroup -n AppName --rule-name internal_agents --scm-site true

Remove Access Restriction with service tag AzureFrontDoor.Backend from the main site.

az functionapp config access-restriction remove -g ResourceGroup -n AppName --service-tag AzureFrontDoor.Backend

Optional Parameters


--action

Allow or deny access.

Accepted values: Allow, Deny
Default value: Allow

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--ip-address

IP address or CIDR range (optional comma separated list of up to 8 ranges).

--name -n

Name of the function app.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--rule-name -r

Name of the access restriction to remove.


--scm-site

True if access restriction should be removed from scm site.

Accepted values: false, true
Default value: False

--service-tag

Service Tag (optional comma separated list of up to 8 tags).

--skip-service-tag-validation -k

Skip validating public service tags.

Accepted values: false, true

--slot -s

The name of the slot. Defaults to the production slot if not specified.

--subnet

Subnet name (requires vNet name) or subnet resource id.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vnet-name

VNet name.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az functionapp config access-restriction set

Sets if SCM site is using the same restrictions as the main site.

az functionapp config access-restriction set [--default-action {Allow, Deny}]
                                             [--scm-default-action {Allow, Deny}]
                                             [--use-same-restrictions-for-scm-site {false, true}]


Enable SCM site to use same access restrictions as main site.

az functionapp config access-restriction set -g ResourceGroup -n AppName --use-same-restrictions-for-scm-site true

Set default action to Allow for main site.

az functionapp config access-restriction set -g ResourceGroup -n AppName --default-action Allow

Set default action to Deny for scm site.

az functionapp config access-restriction set -g ResourceGroup -n AppName --scm-default-action Deny

Optional Parameters


--default-action

Configure default action for main site.

Accepted values: Allow, Deny

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Name of the function app.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.


--scm-default-action

Configure default action for scm site.

Accepted values: Allow, Deny

--slot -s

The name of the slot. Defaults to the production slot if not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--use-same-restrictions-for-scm-site

Use same access restrictions for scm site.

Accepted values: false, true

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az functionapp config access-restriction show

Show Access Restriction settings for functionapp.

az functionapp config access-restriction show [--ids]


Get Access Restriction settings for a functionapp.

az functionapp config access-restriction show -g ResourceGroup -n AppName

Optional Parameters


--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Name of the function app.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--slot -s

The name of the slot. Defaults to the production slot if not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.
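
Added example, not part of the Azure CLI reference: a shell function that chains the add, set and show commands documented above to restrict a function app to one Front Door profile and its scm site to one build network. The AzureFrontDoor.Backend service tag covers every Front Door instance, so the x-azure-fdid header is what ties the rule to a single profile. The function names, the AZ dry-run variable and the reuse of the rule names and priorities from the examples are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the Azure CLI docs. Function names and the AZ
# variable are hypothetical; set AZ="echo az" to print the commands only.
AZ="${AZ:-az}"

# A Front Door ID is GUID-shaped; reject anything else before it reaches a rule.
valid_fdid() {
  case $1 in *[!0-9a-fA-F-]*) return 1 ;; esac  # no spaces, newlines, quotes
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Usage: lockdown_to_front_door <resource-group> <app> <front-door-id> <scm-cidr>
lockdown_to_front_door() {
  [ "$#" -eq 4 ] || { echo "usage: lockdown_to_front_door RG APP FDID CIDR" >&2; return 2; }
  rg=$1 app=$2 fdid=$3 scm_cidr=$4
  valid_fdid "$fdid" || { echo "invalid Front Door ID: $fdid" >&2; return 2; }

  # Add the Allow rules first, so permitted traffic already matches a rule
  # when the default action changes to Deny.
  $AZ functionapp config access-restriction add -g "$rg" -n "$app" \
    --rule-name front_door --action Allow --priority 400 \
    --service-tag AzureFrontDoor.Backend \
    --http-header "x-azure-fdid=$fdid" || return 1
  $AZ functionapp config access-restriction add -g "$rg" -n "$app" \
    --rule-name build_server --action Allow --priority 250 \
    --ip-address "$scm_cidr" --scm-site true || return 1

  # Requests that match no rule are then denied on the main and the scm site.
  $AZ functionapp config access-restriction set -g "$rg" -n "$app" \
    --default-action Deny || return 1
  $AZ functionapp config access-restriction set -g "$rg" -n "$app" \
    --scm-default-action Deny || return 1

  # Print the resulting configuration for review.
  $AZ functionapp config access-restriction show -g "$rg" -n "$app"
}
```

Run it once with AZ="echo az" to review the five commands before applying them to a live app.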