Does Azure Managed Redis with Balanced_B0 supports Entra Auth?

Question

Hello Team,

Use case:

We have the AMR provisioned in the customer tenant that has the UAMI assigned and the Entra Auth assinged with the same UAMI.

We need to connect from the NodeJS app hosted in AKS that has its own UAMI has the required permssion to access the AMR.

But we are still getting: NOAUTH Authentication required if we use the @redis/entraid package and getting the error "WRONGPASS invalid username-password pair" with the ioredis package.

Kindly confirm the Entra ID part for the Balanced_B0 with OSSCluster policy

Thanks and Regards,

Shailesh

Answer 1

According to the official documentation, yes, azure Managed Redis does support authentication via Microsoft Entra ID (formerly Azure AD).

However, and this is critical there are some caveats (which may explain the issues you are seeing) and nothing in the docs indicates that a specific SKU such as Balanced_B0 is excluded from Entra authentication. The focus is more on tier support and proper configuration rather than on specific SKU exclusions.

What does the docs say?

• Entra-ID authentication is supported for Azure Managed Redis. Microsoft Learn
• The prerequisites: SSL/TLS only, proper token acquisition and periodic renewal, using the scope https://redis.azure.com/.default. Microsoft Learn
• You must configure an “Authentication” tab in the Azure portal: enable Entra authentication, select the user/principal/managed identity, etc. Microsoft Learn
• Client libraries must use the user = object ID of the identity, password = the Entra access token.

1. There is no explicit statement that the Balanced B0 tier does not support Entra authentication.
2. Some older feature tables show “Microsoft Entra ID authentication: Yes” for OSS Balanced etc.
3. The table doesn’t go to SKU-level detail (ex: B0 vs B5 etc) for limitations on Entra.

Likely causes/Suggestions:

1. Ensure the tier supports Entra authentication. Balanced_B0 is labelled under the Balanced tier which shows “Microsoft Entra ID authentication: Yes” in feature matrix. So the tier should support it.
2. Check that Entra authentication is enabled on that cache instance (Authentication tab).
3. Make sure the managed identity that your NodeJS app uses is added as a Redis user in the “Data Access Configuration” with appropriate access policy (Data Reader / Data Contributor / Data Owner) on the cache.
4. When using @redis/entraid, ensure you are passing user - object ID (of the UAMI) and password = fresh token. If token is expired or invalid, you’ll get authentication errors.
5. With ioredis you will need to supply the correct AUTH command (username + token) ioredis may not have native Entra workflow, whereas @redis/entraid is built for it.
6. Ensure your connection is via TLS/SSL (required for Entra auth). Restriction: “Microsoft Entra authentication is supported for SSL connections only.”
7. Network/firewall/Privatelink: Ensure your AKS identity can reach the AMR endpoint (network setup, VNet integration, private endpoint if used).
8. If you are still using access keys in parallel or mis-configured roles, you may end up with wrong credentials (hence WRONGPASS).

Answer 2

Whenever we need to connect to AMR from AKS pod, make sure we should add the AKS associated UAMI as a redis user under the Authentication of the AMR.

Get the username created for the UAMI from the azure portal under the "Authentication" tab.

Use the same username during the redis client creation. This will make sure the connection is established using the proper username and password. Here password is the token generated for redis scope: "https://redis.azure.com/.default" from the identity package.

Thanks and Regards,

Shailesh