Use Azure Active Directory for cache authentication

Azure Cache for Redis offers two methods to authenticate to your cache instance: access keys and Azure Active Directory tokens.

Although access key authentication is simple, it comes with a set of challenges around security and password management. In this article, you learn how to use an Azure Active Directory (Azure AD) token for cache authentication.

Azure Cache for Redis offers a password-free authentication mechanism by integrating with Azure Active Directory. This integration also includes role-based access control functionality provided through access control lists (ACLs) supported in open source Redis.

To use the ACL integration, your client application must assume the identity of an Azure Active Directory entity, such as a service principal or managed identity, and connect to your cache. In this article, you learn how to use your service principal or managed identity to connect to your cache, and how to grant your connection predefined permissions based on the Azure AD artifact being used for the connection.

Scope of availability

Tier           Basic, Standard, Premium   Enterprise, Enterprise Flash
Availability   Yes (preview)              No

Prerequisites and limitations

  • To enable Azure AD token-based authentication for your Azure Cache for Redis instance, at least one Redis user must be configured under the Data Access Policy setting in the Resource menu.
  • Azure AD-based authentication is supported for SSL connections and TLS 1.2 only.
  • Azure AD-based authentication isn't supported on Azure Cache for Redis instances that run Redis version 4.
  • Azure AD-based authentication isn't supported on Azure Cache for Redis instances that depend on Cloud Services.
  • Azure AD-based authentication isn't supported in the Enterprise tiers of Azure Cache for Redis Enterprise.
  • Some Redis commands are blocked. For a full list of blocked commands, see Redis commands not supported in Azure Cache for Redis.

Important

Once a connection is established using an Azure AD token, client applications must periodically refresh the Azure AD token before it expires and send an AUTH command to the Redis server to avoid disruption of connections. For more information, see Configure your Redis client to use Azure Active Directory.

Enable Azure AD token based authentication on your cache

  1. In the Azure portal, select the Azure Cache for Redis instance where you'd like to configure Azure AD token-based authentication.

  2. Select (PREVIEW) Data Access Configuration from the Resource menu.

  3. Select "Add" and choose New Redis User.

  4. On the Access Policy tab, select one of the available policies in the table: Owner, Contributor, or Reader. Then, select Next: Redis Users.

    Screenshot showing the available Access Policies.

  5. Choose either User or service principal or Managed Identity, depending on which identity you want to use to authenticate to your Azure Cache for Redis instance.

  6. Then, select Select members and select Select. Then, select Next: Review + Assign.

    Screenshot showing members to add as New Redis Users.

  7. From the Resource menu, select Advanced settings.

  8. Check the box labeled (PREVIEW) Enable Azure AD Authorization and select OK. Then, select Save.

    Screenshot of Azure AD access authorization.

  9. A dialog box notifies you that upgrading is permanent and might cause a brief connection blip. Select Yes.

    Important

    Once the enable operation is complete, the nodes in your cache instance reboot to load the new configuration. We recommend performing this operation during your maintenance window or outside your peak business hours. The operation can take up to 30 minutes.

Configure your Redis client to use Azure Active Directory

Because most Azure Cache for Redis clients assume that a password/access key is used for authentication, you likely need to update your client workflow to support authentication using Azure AD. In this section, you learn how to configure your client applications to connect to Azure Cache for Redis using an Azure AD token.

Architecture diagram showing the flow of a token from Azure AD to a customer application to a cache.

Azure AD Client Workflow

  1. Configure your client application to acquire an Azure AD token for scope acca5fbb-b7e4-4009-81f1-37e38fd66d78/.default using the Microsoft Authentication Library (MSAL).

  2. Update your Redis connection logic to use the following UserName and Password:

    • UserName = Object ID of your managed identity or service principal

    • Password = Azure AD token that you acquired using MSAL

  3. Ensure that your client executes a Redis AUTH command automatically before your Azure AD token expires using:

    • UserName = Object ID of your managed identity or service principal

    • Password = Azure AD token refreshed periodically

Client library support

The library Microsoft.Azure.StackExchangeRedis is an extension of StackExchange.Redis that enables you to use Azure Active Directory to authenticate connections from a Redis client application to an Azure Cache for Redis. The extension manages the authentication token, including proactively refreshing tokens before they expire to maintain persistent Redis connections over multiple days.

This code sample demonstrates how to use the Microsoft.Azure.StackExchangeRedis NuGet package to connect to your Azure Cache for Redis instance using Azure Active Directory.

The following table includes links to code samples, which demonstrate how to connect to your Azure Cache for Redis instance using an Azure AD token. A wide variety of client libraries are included in multiple languages.

Client library        Language   Link to sample code
StackExchange.Redis   .NET       StackExchange.Redis code sample
redis-py              Python     redis-py code sample
Jedis                 Java       Jedis code sample
Lettuce               Java       Lettuce code sample
Redisson              Java       Redisson code sample
ioredis               Node.js    ioredis code sample
node-redis            Node.js    node-redis code sample

Best practices for Azure AD authentication

  • Configure private links or firewall rules to protect your cache from a Denial of Service attack.

  • Ensure that your client application sends a new Azure AD token at least 3 minutes before token expiry to avoid connection disruption.

  • When calling the Redis server AUTH command periodically, consider adding a jitter so that the AUTH commands are staggered and your Redis server doesn't receive a lot of AUTH commands at the same time.
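The client workflow above (token for the page's scope, UserName = object ID, Password = token, re-AUTH before expiry) together with the 3-minute refresh margin and jitter best practices, as an added Python example that is not part of the original article or of any listed client library. It assumes a 30-second jitter ceiling, a caller-injected token acquirer and AUTH sender (MSAL and redis-py in production), and a constructed object ID and unsigned token so that it runs offline.

```python
import base64
import json
import random

SCOPE = "acca5fbb-b7e4-4009-81f1-37e38fd66d78/.default"  # scope named on the page
REFRESH_MARGIN_S = 3 * 60  # re-AUTH at least 3 minutes before the token expires
MAX_JITTER_S = 30          # assumed value; spreads AUTH traffic across clients

def token_expiry(token: str) -> int:
    """Read 'exp' from the JWT payload without verifying the signature (the cache
    verifies the token; the client only needs exp to schedule its refresh)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

def next_refresh_at(token: str, jitter_s: float) -> float:
    """Epoch time to fetch a new token and re-AUTH: margin plus jitter before expiry."""
    return token_expiry(token) - REFRESH_MARGIN_S - jitter_s

class AadRedisAuthenticator:
    """Keeps one Redis connection authenticated with a refreshed Azure AD token.
    acquire_token(scope) returns a bearer token (e.g. MSAL acquire_token_for_client);
    send_auth(user, password) issues AUTH on the connection (e.g. redis-py
    client.execute_command("AUTH", user, token)). Both are injected by the caller."""
    def __init__(self, object_id, acquire_token, send_auth, rng=random.random):
        self.object_id = object_id  # UserName = object ID of the identity
        self.acquire_token = acquire_token
        self.send_auth = send_auth
        self.rng = rng              # injectable so tests are deterministic
        self.refresh_at = 0.0       # epoch seconds; 0 forces the initial AUTH
        self.auth_count = 0

    def authenticate(self) -> None:
        token = self.acquire_token(SCOPE)
        self.send_auth(self.object_id, token)  # Password = the Azure AD token
        self.auth_count += 1
        self.refresh_at = next_refresh_at(token, self.rng() * MAX_JITTER_S)

    def tick(self, now: float) -> bool:
        """Call from the client's timer loop; returns True when it re-AUTHed."""
        if now >= self.refresh_at:
            self.authenticate()
            return True
        return False

def make_fake_token(exp: int) -> str:
    """Constructed, unsigned JWT-shaped string for offline demonstration only."""
    segs = (json.dumps({"alg": "none"}), json.dumps({"exp": exp, "oid": "constructed"}))
    b64 = [base64.urlsafe_b64encode(s.encode()).rstrip(b"=").decode() for s in segs]
    return ".".join(b64) + ".sig"
```

In production, run `tick()` from a timer on each connection; a real token from MSAL carries a signed `exp` claim, and the cache rejects the AUTH if the token is expired or issued for a different scope.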

Next steps