Authorize an application request by using Microsoft Entra ID

Azure Web PubSub supports Microsoft Entra ID for authorizing requests from applications.

This article shows you how to configure your Web PubSub resource and code to authorize a request to a Web PubSub resource from an Azure application.

Register an application

The first step is to register an Azure application.

  1. In the Azure portal, search for and then select Microsoft Entra ID.
  2. On the left menu under Manage, select App registrations.
  3. Select New registration.
  4. For Name, enter a name to use for your application.
  5. Select Register to confirm the application registration.

Screenshot that shows registering an application.

When your application is registered, go to the application overview to view the values for Application (client) ID and Directory (tenant) ID. You use these values in the following sections.

Screenshot that shows an application.

For more information about registering an application, see the quickstart Register an application by using the Microsoft identity platform.

Add credentials

You can add both certificates and client secrets (a string) as credentials to your confidential client app registration.

For more information about adding credentials, see Add credentials.

Add a client secret

The application requires a client secret for a client to prove its identity when it requests a token.

To create a client secret:

  1. On the left menu under Manage, select Certificates & secrets.

  2. On the Client secrets tab, select New client secret.

    Screenshot that shows creating a client secret.

  3. Enter a description for the client secret, and then choose an Expires time for the secret.

  4. Copy the value of the client secret, and then paste it to a secure location to save for later use.

    Note

    The secret is visible only when you create the secret. You can't view the client secret in the portal later.

Add a certificate

You can upload a certificate instead of creating a client secret.

Screenshot that shows uploading a certificate.

Add a role assignment in the Azure portal

This section demonstrates how to assign a Web PubSub Service Owner role to a service principal (application) for a Web PubSub resource.

Note

You can assign a role to any scope, including management group, subscription, resource group, and single resource. For more information about scope, see Understand scope for Azure role-based access control.

  1. In the Azure portal, go to your Web PubSub resource.

  2. On the left menu, select Access control (IAM) to display access control settings for the resource.

  3. Select the Role assignments tab and view the role assignments at this scope.

    The following figure shows an example of the Access control (IAM) pane for a Web PubSub resource:

    Screenshot that shows an example of the Access control (IAM) pane.

  4. Select Add > Add role assignment.

  5. Select the Roles tab, and then select Web PubSub Service Owner.

  6. Select Next.

    Screenshot that shows adding a role assignment.

  7. Select the Members tab. Under Assign access to, select User, group, or service principal.

  8. Choose Select members.

  9. Search for and select the application to assign the role to.

  10. Choose Select to confirm the selection.

  11. Select Next.

    Screenshot that shows assigning a role to service principals.

  12. Select Review + assign to confirm the change.

Important

Azure role assignments might take up to 30 minutes to propagate.

To learn more about how to assign and manage Azure role assignments, see these articles:

Code samples that use Microsoft Entra authorization

Get samples that use Microsoft Entra authorization in our four officially supported programming languages: