Securing APIs through Functions and API Management

Azure provides several out-of-the-box security mechanisms across its products.

When you write APIs using HTTP-triggered Functions, you have several options to secure them, e.g. Admin, System, Functions etc. If you use any of these, you have to pass the appropriate key either in a header or in the query string of the URL.

Secondly, when you put them behind APIM, it also provides several ways of securing them. If your consumers are the users of your apps, you can use either OAuth 2.0 or OpenID Connect. If the consumers of your APIs are other products in your organization or partners, you usually use API keys. APIM has a concept of Subscription Keys: you associate subscriptions with your APIs and then give access to the appropriate applications or users.
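A key carried in the query string is recorded wherever the URL is recorded (access logs, proxies, browser history), so the header form is usually the safer of the two options. The sketch below is an added example, not code from the original post: it moves a Functions key or an APIM subscription key out of the query string into its header and masks keys in URLs before logging. The host names and key values are constructed placeholders, and the helper names are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Documented names: Functions accepts its key as the "code" query parameter or
# the "x-functions-key" header; APIM accepts a subscription key as the
# "subscription-key" query parameter or the "Ocp-Apim-Subscription-Key" header.
KEY_PARAM_TO_HEADER = {
    "code": "x-functions-key",
    "subscription-key": "Ocp-Apim-Subscription-Key",
}


def move_keys_to_headers(url, headers=None):
    """Return (clean_url, headers) with query-string keys moved into headers."""
    headers = dict(headers or {})
    parts = urlsplit(url)
    kept = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        header = KEY_PARAM_TO_HEADER.get(name.lower())
        if header:
            # A header the caller already set wins over the query-string value.
            headers.setdefault(header, value)
        else:
            kept.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), headers


def redact_url(url):
    """Mask key values in a URL before it is written to a log."""
    parts = urlsplit(url)
    pairs = [
        (name, "REDACTED" if name.lower() in KEY_PARAM_TO_HEADER else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    # Constructed sample URLs; no request is sent.
    url, hdrs = move_keys_to_headers(
        "https://func.example.test/api/orders?code=CONSTRUCTED_FUNC_KEY&id=42")
    print(url, hdrs)
    print(redact_url(
        "https://apim.example.test/orders?subscription-key=CONSTRUCTED_SUB_KEY"))
```
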

The video below is a hands-on guide to how you can secure the APIs and the different ways of doing so.
