Authorize requests to Azure SignalR Service resources with Microsoft Entra managed identities

  • Article

Azure SignalR Service supports Microsoft Entra ID for authorizing requests from Microsoft Entra managed identities.

This article shows how to configure your Azure SignalR Service resource and code to authorize requests to the resource from a managed identity.

Configure managed identities

The first step is to configure managed identities.

This example shows you how to configure a system-assigned managed identity on an App Service by using the Azure portal:

  1. Access your app's settings in the Azure portal under the Settings group in the left navigation pane.

  2. Select Identity.

  3. Within the System assigned tab, switch Status to On. Click Save.

    Screenshot that shows where to switch Status to On and then select Save.

To learn more how to configure managed identities in other ways for Azure App Service and Azure Functions, see How to use managed identities for App Service and Azure Functions.

To learn more about configuring managed identities on an Azure VM, see Configure managed identities on Azure virtual machines (VMs)

Add role assignments in the Azure portal

The following steps describe how to assign a SignalR App Server role to a system-assigned identity over an Azure SignalR Service resource. For detailed steps, see Assign Azure roles using the Azure portal.

Note

A role can be assigned to any scope, including management group, subscription, resource group, or single resource. To learn more about scope, see Understand scope for Azure RBAC.

  1. In the Azure portal, go to your Azure SignalR Service resource.

  2. Select Access control (IAM).

  3. Select Add > Add role assignment.

    Screenshot that shows the page for access control and selections for adding a role assignment.

  4. On the Role tab, select SignalR App Server.

  5. On the Members tab, select Managed identity, and then choose Select members.

  6. Select your Azure subscription.

  7. Select System-assigned managed identity, search for a virtual machine to which you want to assign the role, and then select it.

  8. On the Review + assign tab, select Review + assign to assign the role.

Important

Azure role assignments might take up to 30 minutes to propagate.

To learn more about how to assign and manage Azure roles, see these articles:

Configure your app

App server

Use a system-assigned identity

Azure SignalR SDK supports identity based connection string. If the configuration is set in App Server's environment variables, you don't need to redeploy App Server but simply a configuration change to migrate from Access Key to MSI. For example, update your App Server's environment variable Azure__SignalR__ConnectionString to Endpoint=https://<resource1>.signalr.azure.cn;AuthType=azure.msi;Version=1.0;. Or set in DI code.

services.AddSignalR().AddAzureSignalR("Endpoint=https://<resource1>.signalr.azure.cn;AuthType=azure.msi;Version=1.0;");

Besides, you can use either DefaultAzureCredential or ManagedIdentityCredential to configure your Azure SignalR Service endpoints. The best practice is to use ManagedIdentityCredential directly.

Notice that system-assigned managed identity is used by default, but make sure that you don't configure any environment variables that EnvironmentCredential preserved if you use DefaultAzureCredential. Otherwise, Azure SignalR Service falls back to use EnvironmentCredential to make the request, which usually results in an Unauthorized response.

Important

Remove Azure__SignalR__ConnectionString if there was from environment variables in this way. Azure__SignalR__ConnectionString will be used to build default ServiceEndpoint with first priority and may leads your App Server use Access Key unexpectedly.

services.AddSignalR().AddAzureSignalR(option =>
{
    option.Endpoints = new ServiceEndpoint[]
    {
        new ServiceEndpoint(new Uri("https://<resource1>.signalr.azure.cn"), new ManagedIdentityCredential()),
    };
});

Use a user-assigned identity

Provide ClientId while creating the ManagedIdentityCredential object.

Important

Use the client ID, not the object (principal) ID, even if they're both GUIDs.

Use identity based connection string.

services.AddSignalR().AddAzureSignalR("Endpoint=https://<resource1>.signalr.azure.cn;AuthType=azure.msi;ClientId=<your-user-identity-client-id>;Version=1.0;");

Or build ServiceEndpoint with ManagedIdentityCredential.

services.AddSignalR().AddAzureSignalR(option =>
{
    option.Endpoints = new ServiceEndpoint[]
    {
        var clientId = "<your-user-identity-client-id>";
        new ServiceEndpoint(new Uri("https://<resource1>.signalr.azure.cn"), new ManagedIdentityCredential(clientId)),
    };
});

Azure SignalR Service bindings in Azure Functions

Azure SignalR Service bindings in Azure Functions use application settings in the portal or local.settings.json locally to configure a managed identity to access your Azure SignalR Service resources.

You might need a group of key/value pairs to configure an identity. The keys of all the key/value pairs must start with a connection name prefix (which defaults to AzureSignalRConnectionString) and a separator. The separator is an underscore (__) in the portal and a colon (:) locally. You can customize the prefix by using the binding property ConnectionStringSetting.

Use a system-assigned identity

If you configure only the service URI, you use the DefaultAzureCredential class. This class is useful when you want to share the same configuration on Azure and local development environments. To learn how it works, see DefaultAzureCredential.

In the Azure portal, use the following example to configure DefaultAzureCredential. If you don't configure any of these environment variables, the system-assigned identity is used for authentication.

<CONNECTION_NAME_PREFIX>__serviceUri=https://<SIGNALR_RESOURCE_NAME>.signalr.azure.cn

Here's a configuration sample of DefaultAzureCredential in the local.settings.json file. At the local scope, there's no managed identity. Authentication via Visual Studio, the Azure CLI, and Azure PowerShell accounts is attempted in order.

{
  "Values": {
    "<CONNECTION_NAME_PREFIX>:serviceUri": "https://<SIGNALR_RESOURCE_NAME>.signalr.azure.cn"
  }
}

If you want to use a system-assigned identity independently and without the influence of other environment variables, set the credential key with the connection name prefix to managedidentity. Here's a sample for application settings:

<CONNECTION_NAME_PREFIX>__serviceUri = https://<SIGNALR_RESOURCE_NAME>.signalr.azure.cn
<CONNECTION_NAME_PREFIX>__credential = managedidentity

Use a user-assigned identity

If you want to use a user-assigned identity, you need to assign clientId in addition to serviceUri and credential keys with the connection name prefix. Here's a sample for application settings:

<CONNECTION_NAME_PREFIX>__serviceUri = https://<SIGNALR_RESOURCE_NAME>.signalr.azure.cn
<CONNECTION_NAME_PREFIX>__credential = managedidentity
<CONNECTION_NAME_PREFIX>__clientId = <CLIENT_ID>

Next steps

See the following related articles: