Merge pull request #314102 from lilyjma/update-disable-key

Set key-based access to anonymous using app setting instead

Author: JamesJBarnett

articles/azure-functions/functions-mcp-tutorial.md

@@ -288,7 +288,7 @@ There are two ways to reduce or prevent unauthorized use of your remote MCP serv
 ::: zone pivot="programming-language-csharp,programming-language-python,programming-language-typescript" 
 ## Disable key-based authentication  
 
-The built-in server authorization feature is a component separate from Azure Functions. When using server authentication, it's best to first disable key-based authentication by allowing anonymous access. 
+The built-in server authorization feature is a component separate from Azure Functions. When using server authentication, disable key-based authentication by allowing anonymous access first. 
 
 ### [MCP extension server](#tab/mcp-extension)
 
@@ -368,6 +368,16 @@ When deployment finishes, you should see a notification in Visual Studio Code ab
 
 The following instruction shows how to enable the built-in authorization and authentication feature on the server app and configures Microsoft Entra ID as the identity provider. When done, you test by connecting to the server in Visual Studio Code and see that you're prompted to authenticate before connecting. 
 
+When enabling built-in auth, you should [disable the default key-based auth](#disable-key-based-authentication) first. If you haven't done that and your app is already deployed, follow the instructions below. 
+
+### [MCP extension server](#tab/mcp-extension)
+[!INCLUDE [functions-mcp-extension-disable-key-access](../../includes/functions-mcp-extension-disable-key-access.md)]
+
+### [Self-hosted server](#tab/self-hosted)
+[!INCLUDE [functions-self-hosted-disable-key-access](../../includes/functions-self-hosted-disable-key-access.md)]
+
+---
+
 ### Configure authentication on server app
 
 1. Open the server app on the Azure portal, and select **Settings** > **Authentication** from the left menu.

includes/functions-self-hosted-disable-key-access.md

@@ -0,0 +1,19 @@
+---
+author: lilyjma
+ms.service: azure-functions
+ms.topic: include
+ms.date: 04/01/2026
+ms.author: jiayma
+---
+
+To disable host-based authentication in your self-hosted MCP server, add a setting named `AzureFunctionsJobHost__customHandler__http__DefaultAuthorizationLevel` with a value of `anonymous` to your application settings. You can add this setting in the portal or use the following Azure CLI command:
+
+```azurecli
+az functionapp config appsettings set --name <APP_NAME> --resource-group <RESOURCE_GROUP> \
+  --settings "AzureFunctionsJobHost__customHandler__http__DefaultAuthorizationLevel=Anonymous"
+```
+
+In this example, replace `<APP_NAME>` and `<RESOURCE_GROUP>` with the name of your function app and resource group.
+
+>[!TIP]  
+>This setting is equivalent to setting `DefaultAuthorizationLevel` to `anonymous` in the `customHandler` section of the `host.json` file. However, that method requires you to republish your server project.