Hi,
Thanks for reaching out to Microsoft Q&A.
No, Azure Functions (even Premium) does not have a native portal switch to upload and enforce client certificates like API Management does. If you wanted fully managed mTLS with certificate upload and enforcement at the gateway without code changes, you would need to place Azure API Management or Application Gateway in front of your Function App, configure mTLS there, and let APIM/App Gateway handle validation before calling your function app.
What is possible?
- You can enable "Require incoming client certificates" in the Function App > Configuration > General settings section.
When this is enabled, Azure App Service (which hosts Function Apps) will require clients to present a certificate for the TLS handshake to succeed.
- Azure will not validate the certificate against a list you upload, it only ensures the client presents some certificate.
The validation (against a CA, thumbprint, etc.) must be done inside your function code.
Key difference from API Management: In APIM, you can upload client certificates and enforce them at the gateway. In Function App, you must manually validate them in your code.
How to access the client certificate in Azure Function App code
When you enable "Require incoming client certificates", Azure puts the client certificate in a request header:
- Header name: X-ARR-ClientCert.
This is a Base64-encoded representation of the certificate.
Important processing note:
Azure terminates TLS at the App Service front end.
- The certificate is not passed via raw TLS to your app; instead, it is injected into the HTTP request headers after being Base64 encoded.
- This means you will not have direct access to the raw TLS session in your Spring Boot code; you will decode and parse the certificate from that header.
HTTPS with a custom domain for Function App
To use your own domain over HTTPS:
- Buy or obtain a TLS certificate for your custom domain (PFX format, with private key).
- In the Azure portal, go to Function App > Custom domains.
- Add your domain and verify it using a TXT record in DNS.
- Upload your certificate (PFX) under Function App > TLS/SSL settings > Private Key Certificates (.pfx).
- Bind the uploaded certificate to your custom domain.
This handles server-side TLS (your Function App proving its identity).
Putting it all together for mTLS in Function App (Premium)
Flow:
- Configure your Function App to Require client certificates.
- Deploy your Java Spring Boot app in Functions (Premium plan).
- On each request, read X-ARR-ClientCert from headers.
- Decode and parse as X509Certificate.
- Validate against:
  - CA chain you trust
  - Thumbprints of allowed certs
  - Expiry date / revocation
- Return 401 Unauthorized if validation fails.
Please 'Upvote' (Thumbs-up) and 'Accept' as answer if the reply was helpful. This will benefit other community members who face the same issue.
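As an added example (not part of the answer above), here is the header-decoding and validation step in plain Java, usable from a Spring filter or a Functions HTTP trigger: it Base64-decodes X-ARR-ClientCert, parses it as an X509Certificate, checks the validity period, and compares the SHA-1 thumbprint against an allow-list. The class name, the `isAuthorized` method and the placeholder thumbprint are assumptions; CA-chain and revocation checks are left to the caller.

```java
import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.HexFormat;
import java.util.Set;

/** Validates the client certificate App Service forwards in the X-ARR-ClientCert header. */
public final class ClientCertValidator {

    // Constructed allow-list of SHA-1 thumbprints (uppercase hex, no colons).
    // The value below is a placeholder; replace it with the thumbprint of each permitted client cert.
    private static final Set<String> ALLOWED_THUMBPRINTS = Set.of(
        "0000000000000000000000000000000000000000");

    /** Decodes the Base64 header value into an X509Certificate; returns null if missing or malformed. */
    public static X509Certificate parse(String headerValue) {
        if (headerValue == null || headerValue.isBlank()) return null;
        try {
            byte[] der = Base64.getDecoder().decode(headerValue.trim());
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
        } catch (IllegalArgumentException | CertificateException e) {
            return null; // bad Base64 or not a DER certificate: treat as no certificate presented
        }
    }

    /** SHA-1 thumbprint of the DER encoding, matching the format the Azure portal displays. */
    public static String thumbprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        return HexFormat.of().withUpperCase().formatHex(digest);
    }

    /** True only if the cert parses, is inside its validity window and is on the allow-list. */
    public static boolean isAuthorized(String headerValue) {
        X509Certificate cert = parse(headerValue);
        if (cert == null) return false;
        try {
            cert.checkValidity(); // throws if expired or not yet valid
            return ALLOWED_THUMBPRINTS.contains(thumbprint(cert));
        } catch (Exception e) {
            return false; // expired, not yet valid, or encoding failure
        }
    }
}
```

In a Spring `OncePerRequestFilter`, call `isAuthorized(request.getHeader("X-ARR-ClientCert"))` and respond with 401 when it returns false; in a Functions Java HTTP trigger, read the same header from the request's header map.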