Managed identities for Azure SignalR Service
In Azure SignalR Service, you can use a managed identity from Azure Active Directory to:
- Obtain access tokens
- Access secrets in Azure Key Vault
The service supports only one managed identity; you can create either a system-assigned or user-assigned identity. A system-assigned identity is dedicated to your SignalR instance and is deleted when you delete the instance. A user-assigned identity is managed independently of your SignalR resource.
This article shows you how to create a managed identity for Azure SignalR Service and how to use it in serverless scenarios.
To use a managed identity, you must have the following items:
- An Azure subscription. If you don't have an Azure subscription, create a free account before you begin.
- An Azure SignalR resource.
- Upstream resources that you want to access. For example, an Azure Key Vault resource.
- An Azure Function app.
Add a managed identity to Azure SignalR Service
You can add a managed identity to Azure SignalR Service in the Azure portal or the Azure CLI. This article shows you how to add a managed identity to Azure SignalR Service in the Azure portal.
Add a system-assigned identity
To add a system-assigned identity to your SignalR instance:
- Browse to your SignalR instance in the Azure portal.
- Select Identity.
- On the System assigned tab, switch Status to On.
- Select Yes to confirm the change.
Add a user-assigned identity
To add a user-assigned identity to your SignalR instance, you first create the identity and then add it to your service.
- Create a user-assigned managed identity resource according to these instructions.
- Browse to your SignalR instance in the Azure portal.
- Select Identity.
- On the User assigned tab, select Add.
- Select the identity from the User assigned managed identities drop down menu.
- Select Add.
Use a managed identity in serverless scenarios
Azure SignalR Service is a fully managed service. It uses a managed identity to obtain an access token. In serverless scenarios, the service adds the access token to the Authorization header of an upstream request.
Enable managed identity authentication in upstream settings
- Browse to your SignalR instance.
- Select Settings from the menu.
- Select the Serverless service mode.
- Enter the upstream endpoint URL pattern in the Add an upstream URL pattern text box. See URL template settings.
- Select Add one Upstream Setting and select any asterisk to go to Upstream Settings.
- Configure your upstream endpoint settings.
In the managed identity authentication settings, for Resource, you can specify the target resource. The resource becomes the aud claim in the obtained access token, which your upstream endpoints can use as part of token validation. The resource can be in one of the following formats:
- Application (client) ID of the service principal
- Application ID URI of the service principal
- Resource ID of an Azure service (for a list of Azure services that support managed identities, see Azure services that support managed identities)
If you manually validate an access token in your service, you can choose any one of the resource formats. Make sure that the Resource value in Auth settings and the value your validation expects are consistent. When you use Azure role-based access control (Azure RBAC) for a data plane, you must use the resource format that the service provider requests.
Validate access tokens
The token in the Authorization header is a Microsoft identity platform access token.
To validate access tokens, your app should also validate the audience and the token signature, using the signing keys referenced by the OpenID discovery document. For example, see the tenant-independent version of the document.
The Azure Active Directory (Azure AD) middleware has built-in capabilities for validating access tokens. You can browse through our samples to find one in the language of your choice.
Libraries and code samples that show how to handle token validation are available. There are also several open-source partner libraries available for JSON Web Token (JWT) validation. There's at least one option for almost every platform and language. For more information about Azure AD authentication libraries and code samples, see Microsoft identity platform authentication libraries.
Authentication in Function App
You can enable access validation for a Function App in the Azure portal without any code changes.
- Go to the Function App in the Azure portal.
- Select Authentication from the menu.
- Select Add identity provider.
- In the Basics tab, select Microsoft from the Identity provider dropdown.
- For Action to take when request is not authenticated, select Log in with Azure Active Directory.
- Select Microsoft in the identity provider dropdown. The option to create a new registration is selected by default. You can change the name of the registration. For more information on enabling the Azure AD provider, see Configure your App Service or Azure Functions app to use Azure AD login.
- Navigate to SignalR Service and follow the steps to add a system-assigned identity or user-assigned identity.
- Go to Upstream settings in SignalR Service, choose Use Managed Identity and Select from existing Applications, and select the application you created previously.
After you configure these settings, the Function App rejects requests that don't carry an access token in the Authorization header.
To pass the authentication, the Issuer Url must match the iss claim in the token. Currently, only the v1 endpoint is supported (see v1.0 and v2.0).
To verify the Issuer Url format in your Function app:
- Go to the Function app in the portal.
- Select Authentication.
- Select Identity provider.
- Select Edit.
- Select Issuer Url.
- Verify that the Issuer Url has the format
Use a managed identity for Key Vault reference
SignalR Service can use the managed identity to read secrets from Key Vault.
- Add a system-assigned identity or user-assigned identity to your SignalR instance.
- Grant secret read permission to the managed identity in the Key Vault's Access policies. See Assign a Key Vault access policy using the Azure portal.
Currently, this feature can be used to reference a secret in the Upstream URL Pattern.