Authorize requests to SignalR resources with Azure AD from managed identities

Azure SignalR Service supports using Azure Active Directory (Azure AD) to authorize requests from managed identities for Azure resources.

This article shows how to configure your SignalR resource and code to authorize a managed identity request to a SignalR resource.

Configure managed identities

The first step is to configure managed identities.

This example shows you how to configure a system-assigned managed identity on a virtual machine using the Azure portal.

  1. Open the Azure portal, then search for and select a virtual machine.
  2. Under the Settings section, select Identity.
  3. On the System assigned tab, toggle the Status to On.
  4. Select the Save button to confirm the change.

To learn more about configuring managed identities, see one of these articles:

For App service and Azure Functions

See How to use managed identities for App Service and Azure Functions.

Add role assignments on Azure portal

The following steps describe how to assign the SignalR App Server role to a system-assigned identity, scoped to a SignalR resource. For detailed steps, see Assign Azure roles using the Azure portal.

Note

A role can be assigned at any scope, including management group, subscription, resource group, or a single resource. To learn more about scope, see Understand scope for Azure RBAC.

  1. From the Azure portal, navigate to your SignalR resource.

  2. Select Access control (IAM).

  3. Select Add > Add role assignment.

  4. On the Role tab, select SignalR App Server.

  5. On the Members tab, select Managed identity, and then select Select members.

  6. Select your Azure subscription.

  7. Select System-assigned managed identity, search for the virtual machine to which you'd like to assign the role, and then select it.

  8. On the Review + assign tab, select Review + assign to assign the role.

Important

Azure role assignments may take up to 30 minutes to propagate.

Configure your app

App Server

Using system-assigned identity

You can use either DefaultAzureCredential or ManagedIdentityCredential to configure your SignalR endpoints.

However, the best practice is to use ManagedIdentityCredential directly.

The system-assigned managed identity is used by default. If you use DefaultAzureCredential, make sure that none of the environment variables read by EnvironmentCredential are set. Otherwise, DefaultAzureCredential uses EnvironmentCredential to make the request, which results in an Unauthorized response in most cases.

services.AddSignalR().AddAzureSignalR(option =>
{
    option.Endpoints = new ServiceEndpoint[]
    {
        new ServiceEndpoint(new Uri("https://<resource1>.service.signalr.net"), new ManagedIdentityCredential()),
    };
});

Using user-assigned identity

Provide the ClientId when creating the ManagedIdentityCredential object.

Important

Use the client ID, not the object (principal) ID, even though both are GUIDs!

var clientId = "<your identity client id>";
services.AddSignalR().AddAzureSignalR(option =>
{
    option.Endpoints = new ServiceEndpoint[]
    {
        // Pass the client ID of the user-assigned identity.
        new ServiceEndpoint(new Uri("https://<resource1>.service.signalr.net"), new ManagedIdentityCredential(clientId)),
    };
});

Azure Functions SignalR bindings

Azure Functions SignalR bindings use application settings in the portal, or local.settings.json when running locally, to configure a managed identity for accessing your SignalR resources.

You might need a group of key-value pairs to configure an identity. The key of every pair must start with a connection name prefix (defaults to AzureSignalRConnectionString) followed by a separator (__ in the portal and : locally). The prefix can be customized with the binding property ConnectionStringSetting.

Using system-assigned identity

If you only configure the service URI, then the DefaultAzureCredential is used. This class is useful when you want to share the same configuration on Azure and local dev environment. To learn how DefaultAzureCredential works, see DefaultAzureCredential.

On the Azure portal, use the following example to configure a DefaultAzureCredential. If you don't configure any of the environment variables that EnvironmentCredential reads, the system-assigned identity is used to authenticate.

<CONNECTION_NAME_PREFIX>__serviceUri=https://<SIGNALR_RESOURCE_NAME>.service.signalr.net

Here's a config sample of DefaultAzureCredential in the local.settings.json file. When running locally there's no managed identity, so authentication via Visual Studio, Azure CLI, and Azure PowerShell accounts is attempted in order.

{
  "Values": {
    "<CONNECTION_NAME_PREFIX>:serviceUri": "https://<SIGNALR_RESOURCE_NAME>.service.signalr.net"
  }
}

If you want to use the system-assigned identity on its own, without the influence of other environment variables, set the credential key (with the connection name prefix) to managedidentity. Here's an application settings sample:

<CONNECTION_NAME_PREFIX>__serviceUri = https://<SIGNALR_RESOURCE_NAME>.service.signalr.net
<CONNECTION_NAME_PREFIX>__credential = managedidentity

Using user-assigned identity

If you want to use a user-assigned identity, add one more key, clientId (with the connection name prefix), on top of the settings used for the system-assigned identity. Here's the application settings sample:

<CONNECTION_NAME_PREFIX>__serviceUri = https://<SIGNALR_RESOURCE_NAME>.service.signalr.net
<CONNECTION_NAME_PREFIX>__credential = managedidentity
<CONNECTION_NAME_PREFIX>__clientId = <CLIENT_ID>
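
The settings rules in this section can be checked before deployment. The following is an added example, not code from the original article or from the Azure SDK: a small Python linter over a flat application-settings dictionary. The function names, the constructed sample values, and the hostname are assumptions; the EnvironmentCredential variable names are the ones documented by the Azure Identity library.

```python
import re

# Variables read by Azure Identity's EnvironmentCredential; when set they can
# steer DefaultAzureCredential away from the managed identity.
ENV_CREDENTIAL_VARS = {"AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET",
                       "AZURE_CLIENT_CERTIFICATE_PATH", "AZURE_USERNAME",
                       "AZURE_PASSWORD"}
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DEFAULT_PREFIX = "AzureSignalRConnectionString"

# Constructed sample: portal-style settings that rely on DefaultAzureCredential.
SAMPLE_SETTINGS = {
    "AzureSignalRConnectionString__serviceUri": "https://example.service.signalr.net",
    "AZURE_TENANT_ID": "constructed-tenant",
    "AZURE_CLIENT_SECRET": "constructed-secret",
}


def connection_keys(settings, prefix=DEFAULT_PREFIX):
    """Collect <prefix>__key (portal) and <prefix>:key (local) pairs."""
    found = {}
    for name, value in settings.items():
        for sep in ("__", ":"):
            head = (prefix + sep).lower()
            if name.lower().startswith(head):
                found[name[len(head):].lower()] = value.strip()
    return found


def lint(settings, prefix=DEFAULT_PREFIX):
    """Return findings for one SignalR connection (empty list = clean)."""
    conn = connection_keys(settings, prefix)
    uri = conn.get("serviceuri", "")
    if not uri:
        return [f"no serviceUri key found for prefix {prefix}"]
    findings = []
    if not uri.lower().startswith("https://"):
        findings.append("serviceUri is not an https:// URL")
    pinned = conn.get("credential", "").lower() == "managedidentity"
    client_id = conn.get("clientid")
    stray = sorted(ENV_CREDENTIAL_VARS & {k.upper() for k in settings})
    if not pinned and stray:  # DefaultAzureCredential is in effect
        findings.append("credential not pinned; variables set: " + ", ".join(stray))
    if client_id is not None and not pinned:
        findings.append("clientId set without credential=managedidentity")
    # Shape check only: a client ID and an object ID are both GUIDs.
    if client_id is not None and not GUID.match(client_id):
        findings.append("clientId is not a GUID")
    return findings
```

The clientId check compares against this article's user-assigned sample, which sets both credential and clientId. An unreplaced placeholder such as <CLIENT_ID> is reported as not being a GUID.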
