Disable local (access key) authentication with Azure Web PubSub Service

There are two ways to authenticate to Azure Web PubSub Service resources: Microsoft Entra ID and access key. Microsoft Entra ID provides superior security and ease of use over access keys. With Microsoft Entra ID, there’s no need to store the tokens in your code and risk potential security vulnerabilities. We recommend that you use Microsoft Entra ID with your Azure Web PubSub Service resources when possible.

Important

Disabling local authentication has the following consequences.

  • The current set of access keys will be permanently deleted.
  • Tokens signed with the current set of access keys will become unavailable.
  • A signature will NOT be attached to the upstream request header. See how to validate access token to learn how to validate requests by using a Microsoft Entra token.

Use Azure portal

In this section, you will learn how to use the Azure portal to disable local authentication.

  1. Navigate to your Web PubSub Service resource in the Azure portal.

  2. In the Settings section of the menu sidebar, select the Keys tab.

  3. Select Disabled for local authentication.

  4. Click the Save button.

Screenshot of disabling local auth.

Use Azure Resource Manager template

You can disable local authentication by setting the disableLocalAuth property to true, as shown in the following Azure Resource Manager template.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "resource_name": {
      "defaultValue": "test-for-disable-aad",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.SignalRService/WebPubSub",
      "apiVersion": "2022-08-01-preview",
      "name": "[parameters('resource_name')]",
      "location": "eastus",
      "sku": {
        "name": "Premium_P1",
        "tier": "Premium",
        "size": "P1",
        "capacity": 1
      },
      "properties": {
        "tls": {
          "clientCertEnabled": false
        },
        "networkACLs": {
          "defaultAction": "Deny",
          "publicNetwork": {
            "allow": [
              "ServerConnection",
              "ClientConnection",
              "RESTAPI",
              "Trace"
            ]
          },
          "privateEndpoints": []
        },
        "publicNetworkAccess": "Enabled",
        "disableLocalAuth": true,
        "disableAadAuth": false
      }
    }
  ]
}
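
A pre-deployment check for templates like the one above, added here as an example (it is not part of the original documentation or any Azure tooling): it lists every Microsoft.SignalRService/WebPubSub resource whose disableLocalAuth is not provably true. The function names and the sample template are constructed; only direct [parameters('x')] references are resolved, and an absent property is assumed to leave access keys usable.

```python
import json
import re

WPS_TYPE = "microsoft.signalrservice/webpubsub"
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def _resolve(value, parameters):
    """Resolve a direct [parameters('x')] reference to its defaultValue."""
    match = PARAM_REF.match(value) if isinstance(value, str) else None
    if match:
        return parameters.get(match.group(1), {}).get("defaultValue")
    return value

def _walk(resources):
    """Yield every resource in the list, including nested child resources."""
    for res in resources or []:
        yield res
        yield from _walk(res.get("resources"))

def audit_template(template):
    """Return (name, status) for each Web PubSub resource lacking disableLocalAuth=true."""
    parameters = template.get("parameters", {})
    findings = []
    for res in _walk(template.get("resources")):
        if str(res.get("type", "")).lower() != WPS_TYPE:
            continue
        name = _resolve(res.get("name"), parameters) or res.get("name")
        props = res.get("properties", {})
        if "disableLocalAuth" not in props:
            status = "missing"  # assumption: absent property leaves access keys usable
        else:
            value = _resolve(props["disableLocalAuth"], parameters)
            status = "ok" if value is True else "enabled" if value is False else "unresolved"
        if status != "ok":
            findings.append((name, status))
    return findings

# Constructed sample template; resource names are placeholders.
SAMPLE = json.loads("""
{"parameters": {"resource_name": {"defaultValue": "wps-a", "type": "String"},
                "lockdown": {"type": "Bool"}},
 "resources": [
  {"type": "Microsoft.SignalRService/WebPubSub", "name": "[parameters('resource_name')]",
   "properties": {"disableLocalAuth": true}},
  {"type": "Microsoft.SignalRService/WebPubSub", "name": "wps-b",
   "properties": {"disableLocalAuth": false}},
  {"type": "microsoft.signalrservice/webpubsub", "name": "wps-c", "properties": {}},
  {"type": "Microsoft.SignalRService/WebPubSub", "name": "wps-d",
   "properties": {"disableLocalAuth": "[parameters('lockdown')]"}}]}
""")
```

Calling audit_template(SAMPLE) reports wps-b as enabled, wps-c as missing and wps-d as unresolved; a CI step can fail the build whenever the returned list is non-empty.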

Use Azure Policy

You can assign the "Azure Web PubSub Service should have local authentication methods disabled" Azure policy to an Azure subscription or a resource group to enforce disabling of local authentication for all Web PubSub resources in that subscription or resource group.

Screenshot of disabling local auth policy.

Next steps

See the following docs to learn about authentication methods.