Marc

Why is my Azure Function Accessible without Authentication?

We have created and deployed an Azure Function (API i.e. HTTP Trigger) which should NOT be accessible without authentication. For this we have set the authLevel attribute on the HttpTrigger to AuthorizationLevel.Function:

public IActionResult Print([HttpTrigger(AuthorizationLevel.Function, "post")] HttpRequest req) {
   _log.LogInformation("OK");
   return new OkObjectResult("Welcome to Azure Functions!");
}

This has no effect; the function is accessible without any keys/headers after deployment to the Azure cloud.

According to the docs this should not be the case:

Authorization level

The authorization level is a string value that indicates the kind of authorization key that's required to access the function endpoint. For an HTTP triggered function, the authorization level can be one of the following values:

Level value    Description
anonymous      No access key is required.
function       A function-specific key is required to access the endpoint.
admin          The master key is required to access the endpoint.

Function access keys

Functions lets you use keys to make it harder to access your function endpoints. Unless the HTTP access level on an HTTP triggered function is set to anonymous, requests must include an access key in the request.

We are seeing functions respond to requests with no access key in the request.

How can we ensure the app is only called by verified Azure identities with a specific role?

Upvotes: 0

Views: 22

Answers (0)
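
A post-deployment check for the behaviour described in the question, as an added example that is not part of the original post: it probes an HTTP trigger with no key, a wrong key and the valid key, and reports any response that contradicts AuthorizationLevel.Function. The local stub server, the key value and the /api/Print URL are constructed stand-ins for a deployed function; x-functions-key is the header Azure Functions reads access keys from.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

KEY = "constructed-test-key"  # constructed value, not a real function key
# Bypass any configured proxy so the probe reaches the endpoint directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def make_stub(enforce_key):
    """Local stand-in for a deployed HTTP trigger (constructed for this example)."""
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            ok = not enforce_key or self.headers.get("x-functions-key") == KEY
            self.send_response(200 if ok else 401)
            self.end_headers()

        def log_message(self, *args):  # keep the stub quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/api/Print"


def status(url, headers):
    """POST an empty body and return the HTTP status code."""
    req = urllib.request.Request(url, data=b"", method="POST", headers=headers)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(url, key):
    """Return a list of findings; an empty list means key enforcement held."""
    findings = []
    if status(url, {}) != 401:
        findings.append("request without a key was accepted")
    if status(url, {"x-functions-key": "wrong-" + key}) != 401:
        findings.append("request with an invalid key was accepted")
    if status(url, {"x-functions-key": key}) != 200:
        findings.append("request with the valid key was rejected")
    return findings
```

Run `audit()` against the deployed URL rather than a local host: the symptom in the question is reported after deployment to Azure.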
