Azure Function App
Audit Chef

Ensure your Azure Function Apps are secure, compliant, and optimized, like a chef inspecting every ingredient in the serverless kitchen to maintain the highest standards.

Blaze says: The number one Function App security miss? HTTPS-only not being enforced. It takes 30 seconds to fix but most teams don't realize it's off until an audit catches it. Run this script before your next compliance review.

Quick Start

# Audit all Function Apps in subscription
.\Azure-FunctionAppAudit.ps1 -SubscriptionId "your-subscription-id"
# Generate HTML report with custom path
.\Azure-FunctionAppAudit.ps1 -SubscriptionId "your-sub-id" -HtmlReportPath "C:\Reports\Audit.html"

Standard audit workflow

Structured quick-reference sections for prerequisites, installation, usage, and troubleshooting.

Prerequisites

  • PowerShell 5.1+ with Azure PowerShell (Az) module installed and configured
  • Azure subscription access with appropriate RBAC permissions (Reader role minimum)
  • Valid Azure credentials configured via Connect-AzAccount or service principal authentication
  • Function App read permissions across target subscriptions and resource groups
  • Network connectivity to Azure APIs and sufficient API quota for discovery operations

Permission scope

Start with Reader access and a single subscription/resource group. Validate the findings and report format before expanding to multi-subscription scans.

Key parameters

| Parameter | What it does | When to use it |
|---|---|---|
| `-SubscriptionId` | Targets a single Azure subscription | Default starting point for most audits |
| `-ResourceGroupName` | Limits scope to one resource group | Focused review or pilot rollout |
| `-FunctionAppName` | Targets a specific Function App | Deep dive on a high-risk / critical app |
| `-HtmlReportPath` | Sets custom HTML output path | Save reports to shared review location |
| `-CsvReportPath` | Sets custom CSV output path | Automation pipelines / BI ingestion |

Standard audit workflow

  1. Authenticate to Azure (`Connect-AzAccount`) and confirm the target subscription.
  2. Run a single-subscription scan first and review the HTML report for obvious security misconfigurations.
  3. Use CSV output for remediation tracking or import into your existing governance workflow.
  4. Expand to multi-subscription runs after validating output paths and permissions.

.\Azure-FunctionAppAudit.ps1 -SubscriptionId "your-sub-id" -ResourceGroupName "my-rg" -FunctionAppName "my-function-app"
.\Azure-FunctionAppAudit.ps1 -SubscriptionId "your-sub-id"
.\Azure-FunctionAppAudit.ps1 -SubscriptionIds "sub-id-1","sub-id-2" -HtmlReportPath "C:\Reports\MultiSubAudit.html"

Audit coverage snapshot

| Category | Coverage | Focus |
|---|---|---|
| Security Configuration | 15+ security checks | HTTPS-only settings, authentication methods, and security protocols |
| Identity & Access | 8+ identity checks | Managed Identity configuration and authentication settings |
| Networking & VNet | 10+ networking checks | VNet integration, IP restrictions, and network security settings |
| Runtime & Performance | 12+ runtime checks | Runtime versions, language settings, and performance configurations |
| Monitoring & Logging | 6+ monitoring checks | Application Insights integration and logging configuration |

Coverage counts are the page-level guidance summary. Always review the generated report details before remediation.

Expected report outputs

The tool generates both technical and stakeholder-friendly outputs so engineering and governance teams can review the same run.

| Output | Primary audience | What it contains |
|---|---|---|
| CSV report | Ops / FinOps analysts | Row-level findings for filtering, remediation tracking, and automation |
| HTML report | Security / leadership | Visual summary, categorized findings, and remediation guidance |

  • Run on a small scope first to validate output directories and HTML rendering in your environment.

Troubleshooting

  • If no Function Apps are returned, verify the subscription scope and Reader permissions on the target resources.
  • If report files are missing, use explicit `-HtmlReportPath` / `-CsvReportPath` values and ensure the directory exists.
  • If scans are slow in large estates, start with resource-group scope to validate the baseline before expanding.

Comprehensive Audit Features

Enterprise-grade Function App security and configuration analysis for Azure

Security Posture Assessment

Identifies critical security misconfigurations and vulnerabilities in Function Apps with comprehensive analysis

Configuration Best Practices

Audits Function App settings against Azure recommendations for optimal performance and reliability

Networking & Access Control Review

Examines VNet integration, IP restrictions, and authentication settings for secure access

Identity & Authentication Audit

Verifies Managed Identity usage and flags insecure authentication methods

Runtime & Language Version Check

Ensures Function Apps are running on supported and secure runtime versions

Monitoring & Logging Verification

Confirms proper Application Insights integration for comprehensive observability

Detailed HTML & CSV Reports

Generates comprehensive reports for easy analysis and executive summaries

Cost Optimization Insights

Highlights configurations that might lead to unnecessary operational costs

Comprehensive Audit Categories

50+ configuration checks across critical security and compliance areas

Audit Coverage Areas

  • Security Configuration (15+ security checks): HTTPS-only settings, authentication methods, and security protocols
  • Identity & Access (8+ identity checks): Managed Identity configuration and authentication settings
  • Networking & VNet (10+ networking checks): VNet integration, IP restrictions, and network security settings
  • Runtime & Performance (12+ runtime checks): Runtime versions, language settings, and performance configurations
  • Monitoring & Logging (6+ monitoring checks): Application Insights integration and logging configuration

Usage Examples

Real-world scenarios for effective Azure Function App auditing

Audit a Single Function App

Focus on specific Function App for detailed analysis

.\Azure-FunctionAppAudit.ps1 -SubscriptionId "your-sub-id" -ResourceGroupName "my-rg" -FunctionAppName "my-function-app"

Perfect for targeted analysis of critical Function Apps with detailed configuration review

Scan All Function Apps in Subscription

Comprehensive audit across entire Azure subscription

.\Azure-FunctionAppAudit.ps1 -SubscriptionId "your-sub-id"

Ideal for organization-wide governance and compliance assessment

Audit Across Multiple Subscriptions

Enterprise-scale auditing with centralized reporting

.\Azure-FunctionAppAudit.ps1 -SubscriptionIds "sub-id-1","sub-id-2" -HtmlReportPath "C:\Reports\MultiSubAudit.html"

Essential for large organizations with multiple Azure subscriptions requiring unified governance

Generate Only CSV Report

Structured data output for automated processing

.\Azure-FunctionAppAudit.ps1 -SubscriptionId "your-sub-id" -CsvReportPath "C:\Reports\FunctionAudit.csv" -NoHtmlReport

Perfect for integration with existing analytics pipelines and automated compliance workflows

Technical Specifications

Enterprise-grade requirements and comprehensive feature documentation

Parameters

  • `-SubscriptionId`: Target Azure subscription ID for audit (required)
  • `-ResourceGroupName`: Specific resource group to audit (optional)
  • `-FunctionAppName`: Specific Function App to audit (optional)
  • `-HtmlReportPath`: Custom path for HTML report output
  • `-CsvReportPath`: Custom path for CSV report output

Core Analysis Features

Security Analysis

  • HTTPS-only configuration verification
  • Authentication and authorization settings
  • Managed Identity configuration review
  • Key Vault integration assessment

Configuration Compliance

  • Runtime version and language settings
  • VNet integration and networking review
  • Application Insights integration check
  • Performance and scaling configuration

Professional Reporting

Dual-format output for technical analysis and executive presentation

CSV Report

Structured data format perfect for analysis, filtering, and integration with existing compliance workflows.

  • Function App configuration details
  • Security and compliance findings
  • Runtime and performance settings
  • Networking and access control data
  • Timestamp and audit metadata

HTML Report

Rich visual presentation with charts, summaries, and executive-friendly formatting for stakeholder communication.

  • Executive summary with key findings
  • Visual compliance status distribution
  • Detailed audit results with recommendations
  • Security and governance insights
  • Professional CloudCostChefs branding

Chef's Tips

Professional best practices for effective Azure Function App auditing

Security Focus

Prioritize security findings like missing HTTPS-only settings, disabled Managed Identity, and missing Application Insights integration for immediate action. These represent the highest risk areas.
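
A read-only spot-check for two of the findings named above (HTTPS-only and Managed Identity), useful for confirming what the report says before remediating. This is an added example, not code from Azure-FunctionAppAudit.ps1; it assumes the Az.Accounts and Az.Websites modules and an existing `Connect-AzAccount` session, and the output column names are chosen here for illustration.

```powershell
# Added example: independent spot-check, not part of Azure-FunctionAppAudit.ps1.
# Assumes Az.Accounts + Az.Websites are installed and Connect-AzAccount has been run.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [string] $ResourceGroupName   # optional: narrow the scope for a first run
)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Function Apps are App Service sites whose Kind contains "functionapp".
$sites = if ($ResourceGroupName) {
    Get-AzWebApp -ResourceGroupName $ResourceGroupName
} else {
    Get-AzWebApp
}
$functionApps = $sites | Where-Object { $_.Kind -like '*functionapp*' }

# One row per app; column names are illustrative, not the audit script's CSV schema.
$findings = foreach ($app in $functionApps) {
    [pscustomobject]@{
        Name            = $app.Name
        ResourceGroup   = $app.ResourceGroup
        HttpsOnly       = [bool]$app.HttpsOnly   # null is treated as not enforced
        ManagedIdentity = if ($app.Identity) { "$($app.Identity.Type)" } else { 'None' }
    }
}

# Show only apps that fail either check; HTTPS-only failures sort first.
$findings |
    Where-Object { -not $_.HttpsOnly -or $_.ManagedIdentity -eq 'None' } |
    Sort-Object HttpsOnly, Name |
    Format-Table -AutoSize
```

Everything here runs with Reader access. Turning HTTPS-only on is a separate write operation (for example `Set-AzWebApp -HttpsOnly $true`) and needs a role that can modify the site.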

Performance Optimization

For large environments, start with targeted resource group audits to understand scope and performance. Use subscription-level audits for comprehensive governance assessments.

Compliance Strategy

Focus on configuration compliance findings for immediate remediation opportunities. Use audit results to establish baseline security and governance standards for your organization.

Report Integration

Use CSV reports for detailed analysis and automation workflows. Share HTML reports with stakeholders for governance visibility. Both formats support compliance tracking and audit trails.

Trust & run-safety metadata

Key execution details for Azure Function App Audit Chef so users know what they are downloading or running before they act.

Need verification guidance? See Security & Trust and Responsible Disclosure.

Read-only / reporting | GitHub source | Explicit + inferred metadata

Maintainer

CloudCostChefs

Last Updated

July 10, 2025

Last Tested

February 23, 2026

Minimum Access

Reader access to Azure Function Apps, App Service configuration, and related resource metadata

Execution Type

GitHub-hosted PowerShell audit script (Function App security/configuration review)

Version

2025-07-10

SHA256 Checksum

Not published yet (recommend adding checksum for downloadable files)

Verification Notes

GitHub-hosted audit script intended for discovery and reporting. Review the audit checks and output paths before running in production subscriptions.

Safe Usage Checklist

  • Treat audit findings as review items and confirm secure defaults/exceptions with platform teams before remediating.
  • Protect generated audit reports because they may include app configuration metadata.
  • Run in a non-production subscription/account/tenancy first and capture sample output before broader rollout.
  • Use least-privilege access. Current best hint from docs: Reader access to Azure Function Apps, App Service configuration, and related resource metadata.

Quick start (fast path)

Minimal steps to safely get value from this tool without reading the entire page first.

Estimated time: 10-15 minutes per subscription
Difficulty: Intermediate
Access: Review / read-only

  1. Confirm scope and permissions

    Use least privilege and test in a non-production scope first. Minimum access hint: Reader access to Azure Function Apps, App Service configuration, and related resource metadata.

  2. Get the tool package / source

    View on GitHub and review the files before running.

  3. Check prerequisites

    • ✅ PowerShell 5.1+ with Azure PowerShell (Az) module installed and configured
    • ✅ Azure subscription access with appropriate RBAC permissions (Reader role minimum)
    • ✅ Valid Azure credentials configured via Connect-AzAccount or service principal authentication

  4. Run safely and review output

    GitHub-hosted audit script intended for discovery and reporting. Review the audit checks and output paths before running in production subscriptions. Start with a small sample scope, then expand once results look correct.