Tags: c#, azure, .net-core, plugin-architecture

Is it safe to run user-made C# code in an (isolated) Azure function?


I'm working on some kind of plugin architecture where people can submit small pieces of C# code themselves and it will execute every hour on Azure.

Is this secure or can they easily compromise your whole Azure environment? Any other workarounds?

I was thinking about using IronPython - I guess it is simpler to make hard boundaries there, but I actually prefer to use C#.

Update

Just to be clear: I am mainly concerned about security not about Azure cost. This will be something like a reserved instance or at least something where cost is limited.

The risk of someone uploading a bitcoin miner and me finding out after two days is something I can live with.

What I can't live with is this person actually getting access to all kinds of Azure-related stuff like credentials etc.


Solution

  • It has access to everything you gave the Azure function access to: it can read all the environment variables, connection strings etc.; it may get database or key-vault access through them and learn other secrets; it may have a managed identity that gives it other capabilities; it may have access past firewalls that would otherwise have blocked it as a result of being on a trusted Azure IP; ... etc.

    Now most of these things should have been disallowed by the configuration but you would be relying on all future changes to your function app environment by any developer or devops person to ensure they aren't exposing anything to it.

    It could also hammer external services you rely on and get you blocked by rate limits.

    Bottom line: it's not a good idea.
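The answer's point about relying on every future configuration change can be turned into a repeatable check. The following is an added example, not code from the original post: a Python audit that takes a function app's settings or a dump of the host process environment as a name-to-value mapping and reports what in-process plugin code could read. The platform variable names are the documented App Service and Functions ones; the secret-matching patterns and the sample data are assumptions constructed for illustration.

```python
import re

# Names the Azure platform itself defines (App Service / Functions).
IDENTITY_VARS = {"IDENTITY_ENDPOINT", "IDENTITY_HEADER", "MSI_ENDPOINT", "MSI_SECRET"}
CONNSTR_PREFIXES = ("SQLCONNSTR_", "SQLAZURECONNSTR_", "MYSQLCONNSTR_",
                    "POSTGRESQLCONNSTR_", "CUSTOMCONNSTR_")
STORAGE_VARS = {"AzureWebJobsStorage", "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING"}

# Heuristics for secret-looking names and values (assumptions of this example).
SECRET_NAME = re.compile(r"secret|password|pwd|token|api[_-]?key|connectionstring", re.I)
SECRET_VALUE = re.compile(r"AccountKey=|SharedAccessKey=|Password=|sig=", re.I)
KEYVAULT_REF = re.compile(r"^@Microsoft\.KeyVault\(", re.I)


def audit_environment(env):
    """Return sorted (name, reason) findings for a dict of setting name -> value."""
    findings = []
    for name, value in env.items():
        if name in IDENTITY_VARS:
            reason = "managed identity token endpoint usable by in-process code"
        elif name.startswith(CONNSTR_PREFIXES):
            reason = "connection string exposed as an environment variable"
        elif name in STORAGE_VARS:
            reason = "host storage account connection string"
        elif KEYVAULT_REF.match(value):
            # The platform resolves the reference, so the process sees the secret itself.
            reason = "Key Vault reference: resolved to plaintext for the process"
        elif SECRET_NAME.search(name) or SECRET_VALUE.search(value):
            reason = "secret-looking name or value"
        else:
            continue
        findings.append((name, reason))
    return sorted(findings)


# Constructed sample: app settings plus variables the platform injects. All values are placeholders.
SAMPLE_ENV = {
    "FUNCTIONS_WORKER_RUNTIME": "dotnet-isolated",
    "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=example;AccountKey=PLACEHOLDER",
    "IDENTITY_ENDPOINT": "http://127.0.0.1:41000/msi/token/",
    "IDENTITY_HEADER": "PLACEHOLDER",
    "SQLAZURECONNSTR_Main": "Server=tcp:example.invalid;Password=PLACEHOLDER",
    "PaymentApiKey": "@Microsoft.KeyVault(SecretUri=https://example.invalid/secrets/pay/)",
    "TZ": "UTC",
}

if __name__ == "__main__":
    for name, reason in audit_environment(SAMPLE_ENV):
        print(f"{name}: {reason}")
```

Run as a deployment gate, any finding on a function app that hosts submitted code means the app needs its own settings, identity and network scope, separate from everything else.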