Functions keys (Azure Web Apps)
Access keys for an individual Azure Functions function, used as bearer credentials to authorize HTTP invocation of that function.
Function invocation keys are credentials; invoking a function runs code under the function app's (possibly managed) identity. The affected asset is a single function app, so the scope is HIGH.
Microsoft.Web/Sites/functions/keys/write
Sending a PUT request to set a function key lets an attacker install an invocation credential whose value they know. That key acts as a durable backdoor (persistence) and enables repeated invocation that runs code as the app's identity (lateral movement). Overwriting an existing key alters or revokes the legitimate credential (manipulation).
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security