I need to disable Local Authentication Methods (Access Keys) for Azure App Configuration Stores. Currently for an ASP.NET Framework application, I am using the following for accessing the App Configuration Store from my application: <configSections> <section name="configBuilders" type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartOnExternalChanges="false" requirePermission="false" /> </configSections> <configBuilders> <builders> <add name="MyConfigStore" mode="Greedy" connectionString="${ConnectionString}" type="Microsoft.Configuration.ConfigurationBuilders.AzureAppConfigurationBuilder, Microsoft.Configuration.ConfigurationBuilders.AzureAppConfiguration" /> <add name="Environment" mode="Greedy" type="Microsoft.Configuration.ConfigurationBuilders.EnvironmentConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Environment" /> </builders> </configBuilders> Here the value of ${ConnectionString} = "Endpoint=https://<app_config>.azconfig.io;Id=<Id>;Secret=<Access Key>" Now in order to access the App Configuration through the ASP.NET application, I created a Service Principal, generated a secret to use. I have stored the CLIENT_ID , TENANT_ID and CLIENT_SECRET values. I have also assigned the App Configuration Data Reader role to the Service Principal. I also have a managed identity which I can use. Now what change do I need to make at the application side in order to access the App Configuration through the ASP.NET Framework application?

@ Aayush Suresh Jain Thank you for reaching out to Microsoft Q&A. Please find the answers below: To disable access key authentication, follow doc: Disable access key authentication for an Azure App Configuration instance . App Configuration and .NET framework has managed identity built-in support and here is step by step guide Use managed identities to access App Configuration for ASP.NET Core app which includes role assignment for managed identity, adding Azure.Identity package and code snippet to access app configuration with managed identity. You can also use it for ASP.NET Framework app with the below snippet (refer ASP.NET Framework tutorial for more info) config.AddAzureAppConfiguration(options => options.Connect(new Uri(settings["AppConfig:Endpoint"]), new ManagedIdentityCredential())); Just note, Managed Identity can't be used when running application locally and the application must be deployed to azure service. I hope this helps with your question and feel free to add a comment if you have any other questions. We would be happy to assist you. Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community.

How to use Service Principal/Managed Identities to access Azure App Configuration from .NET Framework Application?

Accepted answer

MuthuKumaranMurugaachari-MSFT 22,141 Reputation points

2023-01-12T22:49:05.2866667+00:00
@Aayush Suresh Jain Thank you for reaching out to Microsoft Q&A. Please find the answers below:

To disable access key authentication, follow doc: Disable access key authentication for an Azure App Configuration instance.

App Configuration and .NET framework has managed identity built-in support and here is step by step guide Use managed identities to access App Configuration for ASP.NET Core app which includes role assignment for managed identity, adding Azure.Identity package and code snippet to access app configuration with managed identity. You can also use it for ASP.NET Framework app with the below snippet (refer ASP.NET Framework tutorial for more info)

config.AddAzureAppConfiguration(options => options.Connect(new Uri(settings["AppConfig:Endpoint"]), new ManagedIdentityCredential()));

Just note, Managed Identity can't be used when running application locally and the application must be deployed to azure service. I hope this helps with your question and feel free to add a comment if you have any other questions. We would be happy to assist you.

Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community.
Please sign in to rate this answer.

1 person found this answer helpful.
Aayush Suresh Jain 136 Reputation points

2023-01-16T12:01:39.6233333+00:00

Hello @MuthuKumaranMurugaachari-MSFT ,
The ASP.NET Framework Tutorial link in the point 2 do not have anything about using Managed Identity/Service Principal. I read the use of DefaultAzureCredential

Is there a way to use ConfigurationClient with DefaultAzureCredential ?

MuthuKumaranMurugaachari-MSFT 22,141 Reputation points

2023-01-16T19:25:42.17+00:00

@Aayush Suresh Jain I would like to clarify on the answer above. As you mentioned, we don't have ManagedIdentity example specifically for ASP.NET Framework. However, you can refer ASP.NET Core app example specified in Use managed identities to access App Configuration tutorial and use ManagedIdentityCredential() in your ASP.NET application (refer snippet above).
To add more context above snippet, AzureAppConfigurationOptions.Connect Method has an overload method to specify Uri and TokenCredential. ManagedIdentityCredential inherits TokenCredential which can be used to specific either system managed identity or user-assigned managed identity as mentioned in Use a managed identity.

System-assigned managed identity snippet:

config.AddAzureAppConfiguration(options => options.Connect(new Uri(settings["AppConfig:Endpoint"]), new ManagedIdentityCredential()));

User-assigned managed identity snippet:

config.AddAzureAppConfiguration(options => { options.Connect(new Uri(settings["AppConfig:Endpoint"]), new ManagedIdentityCredential("<your_clientId>")) });

Instead of ManagedIdentityCredential, you can also use DefaultAzureCredential and please check doc for the credential types of order which will be tried.

User-assigned managed identity snippet:

config.AddAzureAppConfiguration(options => options.Connect(new Uri("<endpoint>"), new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = "<your managed identity client Id>" })));

If you have any questions or face any issues, let me know. Would be happy to answer any.

MuthuKumaranMurugaachari-MSFT 22,141 Reputation points

2023-01-18T12:34:55.48+00:00

@Aayush Suresh Jain Just a follow up on the above comment and see if it helped with your question. For any questions, feel free to reach out to us.

Aayush Suresh Jain 136 Reputation points

2023-01-20T10:32:56.51+00:00

Hello @MuthuKumaranMurugaachari-MSFT ,

I am still figuring out how I will implement the above method. Currently , I have made the following changes :

<configSections> <section name="configBuilders" type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartOnExternalChanges="false" requirePermission="false" /> </configSections> <configBuilders> <builders> <add name="Environment" mode="Greedy" type="Microsoft.Configuration.ConfigurationBuilders.EnvironmentConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Environment" /> <add name="MyConfigStore" mode="Greedy" endpoint="${AppConfigEndpoint}" type="Microsoft.Configuration.ConfigurationBuilders.AzureAppConfigurationBuilder, Microsoft.Configuration.ConfigurationBuilders.AzureAppConfiguration" /> </builders> </configBuilders>

And the above snippet gives me 403 - Forbidden error.
Also , I have tried the following :
private readonly ConfigurationClient _client = new ConfigurationClient(new Uri(appConfigEndpoint), new DefaultAzureCredential());

Currently, I am using the below snippet to access a Configuration setting :

ConfigurationManager.AppSettings["MySetting"]

What change do I have to make now to access the Configuration Settings?

MuthuKumaranMurugaachari-MSFT 22,141 Reputation points

2023-01-23T15:32:55.2133333+00:00

@Aayush Suresh Jain
**
I have created a sample ASP.NET MVC app and thought it might help with your test. App Configuration Data Reader role was assigned to Service Principal (otherwise you will get 401 Forbidden error). When I ran it, I was able to get the values loaded from Azure App Configuration.

Global.asax.cs

public class MvcApplication : System.Web.HttpApplication { public static IConfiguration Configuration; private static IConfigurationRefresher _configurationRefresher; protected void Application_Start() { AreaRegistration.RegisterAllAreas(); FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters); RouteConfig.RegisterRoutes(RouteTable.Routes); BundleConfig.RegisterBundles(BundleTable.Bundles); Microsoft.Extensions.Configuration.ConfigurationBuilder builder = new Microsoft.Extensions.Configuration.ConfigurationBuilder(); builder.AddAzureAppConfiguration(options => { options.Connect(new Uri(https://<azure-appconfig-name>.azconfig.io), new DefaultAzureCredential()) // Load all keys that start with `TestApp:` and have no label. .Select("TestApp:*") // Configure to reload configuration if the registered key 'TestApp:Settings:Sentinel' is modified. .ConfigureRefresh(refresh => { refresh.Register("TestApp:Settings:Sentinel", refreshAll: true) .SetCacheExpiration(new TimeSpan(0, 5, 0)); }); _configurationRefresher = options.GetRefresher(); }); Configuration = builder.Build(); } protected void Application_BeginRequest(object sender, EventArgs e) { _ = _configurationRefresher.TryRefreshAsync(); } }

HomeController.cs

public class HomeController : Controller { public ActionResult Index() { string messageText = MvcApplication.Configuration["TestApp:Settings:Message"] ?? "Please add the key \"TestApp:Settings:Message\" in your Azure App Configuration store."; ViewBag.Message = messageText; return View(); } public ActionResult About() { ViewBag.Message = "Your application description page."; return View(); } public ActionResult Contact() { ViewBag.Message = "Your contact page."; return View(); } }

Azure App Configuration -> Configuration Explorer (values)

HTML:

**
Result:**

Let me know if you face any problems with this test. If it resolves, please Accept as answer to benefit others in the community.

Jaquez, Harfel 0 Reputation points

2023-12-13T16:54:44.44+00:00

Is there a way to achieve this on the web.config using the config builder instead? This documentation I found says that the connection to app configuration service can be setup with DefaultAzureCredential to use a managed identity, but there are no examples of where to add the identity value.

https://github.com/aspnet/MicrosoftConfigurationBuilders/blob/main/docs/KeyValueConfigBuilders.md#azure-config-builders
Sign in to comment

How to use Service Principal/Managed Identities to access Azure App Configuration from .NET Framework Application?

0 additional answers