Batch accounts can be authenticated in one of two ways, either via shared key or Microsoft Entra ID. Batch accounts with shared key authentication enabled have two keys associated with them to allow for key rotation scenarios.
Tip
It's highly recommended to avoid using shared key authentication with Batch accounts. The preferred authentication mechanism is through Microsoft Entra ID. You can disable shared key authentication during account creation or you can update allowed Authentication Modes for an active account.
Batch shared key rotation procedure
Azure Batch accounts have two shared keys, primary or secondary. It's important not to regenerate both keys at the same time, and instead regenerate them one at a time to avoid potential downtime.
Warning
Once a key has been regenerated, it is no longer valid and the prior key cannot be recovered for use. Ensure that your application update process follows the recommended key rotation procedure to prevent losing access to your Batch account.
The typical key rotation procedure is as follows:
- Normalize your application code to use either the primary or secondary key. If you're using both keys in your application simultaneously, then any rotation procedure leads to authentication errors. The following steps assume that you're using the primary key in your application.
- Regenerate the secondary key.
- Update your application code to utilize the newly regenerated secondary key. Deploy these changes and ensure that everything is working as expected.
- Regenerate the primary key.
- Optionally update your application code to use the primary key and deploy. This step isn't strictly necessary as long as you're tracking which key is used in your application and deployed.
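The rotation order above can be enforced with a guard around the Azure CLI that refuses to regenerate whichever key the application still uses. This is an added example, not part of the original documentation; it generalizes the procedure to either starting key, and BATCH_ACCOUNT, BATCH_RG and APP_BATCH_KEY are assumed environment variable names.

```bash
#!/usr/bin/env bash
# Added example: wraps `az batch account keys renew` so the key slot the
# application currently authenticates with is never regenerated.
# Assumptions (hypothetical names): BATCH_ACCOUNT and BATCH_RG identify the
# account; APP_BATCH_KEY holds the key value currently deployed in the app.

# Print Primary or Secondary for the slot whose value equals $1, else None.
slot_in_use() {
  local app_key=$1 primary secondary
  # An empty key must never match an empty (disabled) slot.
  [ -n "$app_key" ] || { echo None; return 0; }
  primary=$(az batch account keys list --name "$BATCH_ACCOUNT" \
    --resource-group "$BATCH_RG" --query primary --output tsv) || return 2
  secondary=$(az batch account keys list --name "$BATCH_ACCOUNT" \
    --resource-group "$BATCH_RG" --query secondary --output tsv) || return 2
  if [ "$app_key" = "$primary" ]; then echo Primary
  elif [ "$app_key" = "$secondary" ]; then echo Secondary
  else echo None
  fi
}

# The slot that is safe to regenerate next: the one the app is NOT using.
next_slot_to_renew() {
  case $(slot_in_use "$APP_BATCH_KEY") in
    Primary) echo Secondary ;;
    Secondary) echo Primary ;;
    *) return 1 ;;  # app key matches neither slot: fix the deployment first
  esac
}

# Regenerate slot $1 only if the application is not authenticating with it.
safe_renew() {
  local target=$1 in_use
  case $target in
    Primary|Secondary) ;;
    *) echo "unknown key slot: $target" >&2; return 64 ;;
  esac
  in_use=$(slot_in_use "$APP_BATCH_KEY") || return 2
  if [ "$in_use" = "$target" ]; then
    echo "refusing: application still uses the $target key" >&2
    return 1
  fi
  # --output none keeps the new key values out of terminal and CI logs.
  az batch account keys renew --name "$BATCH_ACCOUNT" \
    --resource-group "$BATCH_RG" --key-name "$target" --output none
}
```

Run `safe_renew "$(next_slot_to_renew)"`, deploy the application with the regenerated key, update APP_BATCH_KEY to match, then run the same command again to regenerate the other key.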
Rotation in Azure portal
First, sign in to the Azure portal. Then, navigate to the Keys blade of your Batch account under Settings. Then select either Regenerate primary or Regenerate secondary to create a new key.
See also
- Learn more about Batch accounts.
- Learn how to authenticate with Batch Service APIs or Batch Management APIs with Microsoft Entra ID.