services / Azure / Web Apps Functions host system keys

Azure Functions host system keys are app-level bearer credentials that authorize the Functions runtime admin API and privileged extension webhook endpoints (e.g. Durable Functions, Event Grid extension) of a function app.

These keys are credential material gating privileged/admin invocation of the function app; functions invoked with them run under the app's assigned managed identity.


Microsoft.​Web/​Sites/​host/​systemkeys/​write

PUT creates/overwrites a host system key with an attacker-chosen value and returns the resolved key in the response, planting a persistent credential that authorizes privileged admin/extension invocation running as the app identity.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https:​/​/​azure.​permissions.​cloud/​iam/​microsoft.​web
  • https:​/​/​learn.​microsoft.​com/​en-​us/​azure/​role-​based-​access-​control/​resource-​provider-​operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog