Authorize request to Web PubSub resources with Microsoft Entra ID from Azure applications
Azure Web PubSub Service supports Microsoft Entra ID for authorizing requests from applications.
This article shows how to configure your Web PubSub resource and codes to authorize the request to a Web PubSub resource from an Azure application.
Register an application
The first step is to register an Azure application.
On the Azure portal, search for and select Microsoft Entra ID
Under Manage section, select App registrations.
Click New registration.
Enter a display Name for your application.
Click Register to confirm the register.
Once you have your application registered, you can find the Application (client) ID and Directory (tenant) ID under its Overview page. These GUIDs can be useful in the following steps.
To learn more about registering an application, see
You can add both certificates and client secrets (a string) as credentials to your confidential client app registration.
The application requires a client secret to prove its identity when requesting a token. To create a client secret, follow these steps.
- Under Manage section, select Certificates & secrets
- On the Client secrets tab, click New client secret.
- Enter a description for the client secret, and choose a expire time.
- Copy the value of the client secret and then paste it to a secure location.
The secret will display only once.
You can also upload a certification instead of creating a client secret.
To learn more about adding credentials, see
Add role assignments on Azure portal
This sample shows how to assign a
Web PubSub Service Owner role to a service principal (application) over a Web PubSub resource.
A role can be assigned to any scope, including management group, subscription, resource group or a single resource. To learn more about scope, see Understand scope for Azure RBAC
On the Azure portal, navigate to your Web PubSub resource.
Click Access Control (IAM) to display access control settings for the Azure Web PubSub.
Click the Role assignments tab to view the role assignments at this scope.
The following screenshot shows an example of the Access control (IAM) page for a Web PubSub resource.
Click Add > Add role assignment.
On the Roles tab, select
Web PubSub Service Owner.
On the Members tab, under Assign access to section, select User, group, or service principal.
Click Select Members
Search for and select the application that you would like to assign the role to.
Click Select to confirm the selection.
Click Review + assign to confirm the change.
Azure role assignments may take up to 30 minutes to propagate. To learn more about how to assign and manage Azure role assignments, see these articles:
- Assign Azure roles using the Azure portal
- Assign Azure roles using the REST API
- Assign Azure roles using Azure PowerShell
- Assign Azure roles using Azure CLI
- Assign Azure roles using Azure Resource Manager templates
Use Postman to get the Microsoft Entra token
For the method, select GET.
For the URI, enter
https://login.microsoftonline.com/<TENANT ID>/oauth2/token. Replace
<TENANT ID>with the Directory (tenant) ID value in the Overview tab of the application you created earlier.
On the Headers tab, add Content-Type key and
application/x-www-form-urlencodedfor the value.
Switch to the Body tab, and add the following keys and values.
- Select x-www-form-urlencoded.
grant_typekey, and type
client_credentialsfor the value.
client_idkey, and paste the value of Application (client) ID in the Overview tab of the application you created earlier.
client_secretkey, and paste the value of client secret you noted down earlier.
resourcekey, and type
https://webpubsub.azure.comfor the value.
Select Send to send the request to get the token. You see the token in the
Sample codes using Microsoft Entra authorization
We officially support 4 programming languages:
See the following related articles: