Authenticate Azure Batch services with Microsoft Entra ID
Azure Batch supports authentication with Microsoft Entra ID, Microsoft's multitenant cloud based directory and identity management service. Azure uses Microsoft Entra ID to authenticate its own customers, service administrators, and organizational users.
This article describes two ways to use Microsoft Entra authentication with Azure Batch:
Integrated authentication authenticates a user who's interacting with an application. The application gathers a user's credentials and uses those credentials to authenticate access to Batch resources.
A service principal authenticates an unattended application. The service principal defines the policy and permissions for the application and represents the application to access Batch resources at runtime.
To authenticate Batch applications with Microsoft Entra ID, you need to include the Microsoft Entra endpoint and Batch resource endpoint in your code.
Microsoft Entra endpoint
The base Microsoft Entra authority endpoint is https://login.microsoftonline.com/. To authenticate with Microsoft Entra ID, use this endpoint with the tenant ID that identifies the Microsoft Entra tenant to use for authentication:
https://login.microsoftonline.com/<tenant-id>
You can get your tenant ID from the main Microsoft Entra ID page in the Azure portal. You can also select Properties in the left navigation and see the Tenant ID on the Properties page.
Important
The tenant-specific Microsoft Entra endpoint is required when you authenticate by using a service principal.
When you authenticate by using integrated authentication, the tenant-specific endpoint is recommended, but optional. You can also use the Microsoft Entra common endpoint to provide a generic credential gathering interface when a specific tenant isn't provided. The common endpoint is https://login.microsoftonline.com/common.
Use the Batch resource endpoint https://batch.core.windows.net/ to acquire a token for authenticating requests to the Batch service.
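The two endpoint rules above (a tenant-specific authority is mandatory for a service principal and merely recommended for integrated authentication, and the Batch token is requested for the resource endpoint plus /.default) are easy to get wrong in configuration. The following added Python example, which is not code from the article or from the Azure SDK, encodes those rules as a small builder so a misconfiguration fails before any token request is made. It assumes the tenant is supplied as its GUID; the tenant value shown in the usage block is a constructed placeholder, not a real tenant.

```python
"""Build the Microsoft Entra authority URL and the Batch token scope.

Added example, not part of the article or the Azure SDK. It applies the
article's rules: the common endpoint is allowed only for integrated
authentication, a service principal must name its tenant, and the scope
is the Batch resource endpoint followed by "/.default".
"""
import re

ENTRA_AUTHORITY_BASE = "https://login.microsoftonline.com/"
BATCH_RESOURCE = "https://batch.core.windows.net/"
COMMON_TENANT = "common"

# Assumption: the tenant ID is passed as a GUID (the value shown on the
# Microsoft Entra ID Properties page). Anything else is rejected.
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def authority_url(tenant_id: str, *, service_principal: bool) -> str:
    """Return the authority endpoint to hand to MSAL.

    An empty tenant or "common" falls back to the common endpoint, which is
    acceptable for integrated (user) authentication only. A service principal
    always needs the tenant-specific endpoint, so that case raises.
    """
    tenant = (tenant_id or "").strip()
    if not tenant or tenant.lower() == COMMON_TENANT:
        if service_principal:
            raise ValueError(
                "service principal authentication requires a tenant-specific authority"
            )
        return ENTRA_AUTHORITY_BASE + COMMON_TENANT
    if not _GUID_RE.match(tenant):
        raise ValueError(f"tenant ID is not a GUID: {tenant!r}")
    return ENTRA_AUTHORITY_BASE + tenant.lower()


def batch_scope() -> str:
    """The single scope requested for Batch: resource endpoint plus '/.default'.

    '/.default' asks for every permission already granted to the application
    on the Batch resource rather than a list of individually named scopes.
    """
    return BATCH_RESOURCE.rstrip("/") + "/.default"


if __name__ == "__main__":
    # Constructed placeholder tenant ID, not a real tenant.
    placeholder_tenant = "00000000-0000-0000-0000-000000000000"
    print(authority_url(placeholder_tenant, service_principal=True))
    print(authority_url("", service_principal=False))
    print(batch_scope())
```

The check in authority_url is the one worth keeping in real code: a service principal pointed at the common endpoint fails at token time with an error that is far less clear than a ValueError raised at startup.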
Register your application with a tenant
The first step in using Microsoft Entra authentication is to register your application in a Microsoft Entra tenant. Once you register your application, you can call the Microsoft Authentication Library (MSAL) from your code. MSAL provides an API for authenticating with Microsoft Entra ID from your application. Registering your application is required whether you use integrated authentication or a service principal.
When you register your application, you supply information about your application to Microsoft Entra ID. Microsoft Entra ID then provides an application ID, also called a client ID, that you use to associate your application with Microsoft Entra ID at runtime. For more information about the application ID, see Application and service principal objects in Microsoft Entra ID.
After you register your application, you can see the Application (client) ID on the application's Overview page.
Configure integrated authentication
To authenticate with integrated authentication, you need to grant your application permission to connect to the Batch service API. This step enables your application to use Microsoft Entra ID to authenticate calls to the Batch service API.
After you register your application, follow these steps to grant the application access to the Batch service:
In the Azure portal, search for and select app registrations.
On the App registrations page, select your application.
On your application's page, select API permissions from the left navigation.
On the API permissions page, select Add a permission.
On the Request API permissions page, select Azure Batch.
On the Azure Batch page, under Select permissions, select the checkbox next to user_impersonation, and then select Add permissions.
The API permissions page now shows that your Microsoft Entra application has access to both Microsoft Graph and Azure Batch. Permissions are granted to Microsoft Graph automatically when you register an app with Microsoft Entra ID.
Configure a service principal
To authenticate an application that runs unattended, you use a service principal. When your application authenticates by using a service principal, it sends both the application ID and a secret key to Microsoft Entra ID.
After you register your application, follow these steps in the Azure portal to configure a service principal:
Request a secret for your application.
Assign Azure role-based access control (Azure RBAC) to your application.
Request a secret for your application
Follow these steps to create and copy the secret key to use in your code:
In the Azure portal, search for and select app registrations.
On the App registrations page, select your application.
On your application's page, select Certificates & secrets from the left navigation.
On the Certificates & secrets page, select New client secret.
On the Add a client secret page, enter a description and select an expiration period for the secret.
Select Add to create the secret and display it on the Certificates & secrets page.
Copy the secret Value to a safe place, because you won't be able to access it again after you leave this page. If you lose access to your key, you can generate a new one.
Assign Azure RBAC to your application
Follow these steps to assign a role to your application on the Batch account:
In the Azure portal, navigate to the Batch account your application uses.
Select Access control (IAM) from the left navigation.
On the Access control (IAM) page, select Add role assignment.
On the Add role assignment page, select the Role tab, and then select one of the Azure Batch built-in RBAC roles as the role for your app.
Select the Members tab, and select Select members under Members.
On the Select members screen, search for and select your application, and then select Select.
Select Review + assign on the Add role assignment page.
Your application should now appear on the Role assignments tab of the Batch account's Access control (IAM) page.
Code examples
The code examples in this section show how to authenticate with Microsoft Entra ID by using integrated authentication or with a service principal. The code examples use .NET and Python, but the concepts are similar for other languages.
Note
A Microsoft Entra authentication token expires after one hour. When you use a long-lived BatchClient object, it's best to get a token from MSAL on every request to ensure that you always have a valid token.
To do this in .NET, write a method that retrieves the token from Microsoft Entra ID, and pass that method to a BatchTokenCredentials object as a delegate. Every request to the Batch service calls the delegate method to ensure that a valid token is provided. By default MSAL caches tokens, so a new token is retrieved from Microsoft Entra ID only when necessary. For more information about tokens in Microsoft Entra ID, see Security tokens.
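The note above describes a pattern rather than a single API call: the client asks for a token before every request, and a cache in front of the token source decides whether the cached token is still usable or must be renewed. The following added Python example, which is not code from the article, MSAL, or the Batch SDK, shows that pattern with a fake clock so the behavior can be traced. The acquire callable stands in for the MSAL call (AcquireTokenForClient or AcquireTokenByAuthorizationCode) and is an assumption of this example; it returns the token string together with its expiry as a Unix timestamp. The refresh margin is also a choice made here, not a value from the article.

```python
"""Per-request token provider with expiry-aware caching.

Added example, not code from the article, MSAL or the Batch SDK. The Batch
client calls get_token() before every request (the delegate in the .NET
text); the provider hands back the cached token until it is close to expiry
and only then calls the acquire function again.
"""
import time
from typing import Callable, List, Optional, Tuple

TOKEN_LIFETIME_SECONDS = 3600   # article: a Microsoft Entra token expires after one hour
REFRESH_MARGIN_SECONDS = 5 * 60  # assumption: renew a few minutes early so an in-flight request never carries an expired token


class TokenProvider:
    """Caches one token and renews it when it is within `margin` seconds of expiry."""

    def __init__(self, acquire: Callable[[], Tuple[str, float]],
                 now: Callable[[], float] = time.time,
                 margin: float = REFRESH_MARGIN_SECONDS) -> None:
        self._acquire = acquire          # stands in for the MSAL AcquireToken* call
        self._now = now                  # injectable clock, real time by default
        self._margin = margin
        self._token: Optional[str] = None
        self._expires_on = 0.0
        self.acquire_calls = 0           # how often the token source was actually hit

    def get_token(self) -> str:
        """Called on every request; cheap when the cached token is still fresh."""
        if self._token is None or self._now() >= self._expires_on - self._margin:
            self._token, self._expires_on = self._acquire()
            self.acquire_calls += 1
        return self._token


class FakeBatchClient:
    """Stand-in for BatchClient: attaches a bearer token to each operation."""

    def __init__(self, provider: TokenProvider) -> None:
        self._provider = provider

    def request(self, operation: str) -> dict:
        return {"operation": operation,
                "authorization": "Bearer " + self._provider.get_token()}


def simulate_requests(request_offsets: List[float],
                      margin: float = REFRESH_MARGIN_SECONDS) -> Tuple[List[str], int]:
    """Replay requests at the given offsets (seconds from start) on a fake clock.

    Returns (token used per request, number of acquire calls). The fake acquire
    function mints 'tok-<n>' with a one-hour lifetime; this is constructed
    sample data, not a real token.
    """
    clock = {"now": 0.0}
    counter = {"n": 0}

    def fake_acquire() -> Tuple[str, float]:
        counter["n"] += 1
        return f"tok-{counter['n']}", clock["now"] + TOKEN_LIFETIME_SECONDS

    provider = TokenProvider(fake_acquire, now=lambda: clock["now"], margin=margin)
    client = FakeBatchClient(provider)
    tokens = []
    for offset in request_offsets:
        clock["now"] = float(offset)
        auth = client.request("list-pools")["authorization"]
        tokens.append(auth[len("Bearer "):])
    return tokens, provider.acquire_calls


if __name__ == "__main__":
    # Five requests spread over almost two hours: the token is fetched three
    # times, once at start and once each time the previous one nears expiry.
    used, calls = simulate_requests([0, 600, 3000, 3400, 7000])
    print(used, calls)
```

Setting margin to the full token lifetime turns the cache off, which is the "get a token on every request" reading of the note taken literally; with MSAL's own cache in place that is harmless, but the simulation makes the cost visible as one acquire call per request.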
Code example: Use Microsoft Entra integrated authentication with Batch .NET
To authenticate with integrated authentication from Batch .NET:
Declare the following using statements in your code:
C#
using Microsoft.Azure.Batch;
using Microsoft.Azure.Batch.Auth;
using Microsoft.Identity.Client;
Reference the Microsoft Entra endpoint, including the tenant ID. You can get your tenant ID from the Microsoft Entra ID Overview page in the Azure portal.
Write a callback method to acquire the authentication token from Microsoft Entra ID. The following example calls MSAL to authenticate a user who's interacting with the application. The MSAL IConfidentialClientApplication.AcquireTokenByAuthorizationCode method prompts the user for their credentials. The application proceeds once the user provides credentials.
The authorizationCode parameter is the authorization code obtained from the authorization server after the user authenticates. WithRedirectUri specifies the redirect URI that the authorization server redirects the user to after authentication.
Call this method with the following code, replacing <authorization-code> with the authorization code obtained from the authorization server. The .default scope ensures that the user has permission to access all the scopes for the resource.
C#
// "<redirect-uri>" is the redirect URI registered for the application; BatchResourceUri is the Batch resource endpoint.
var token = await GetTokenUsingAuthorizationCode("<authorization-code>", "<redirect-uri>", new string[] { $"{BatchResourceUri}/.default" });
Construct a BatchTokenCredentials object that takes the delegate as a parameter. Use those credentials to open a BatchClient object. Then use the BatchClient object for subsequent operations against the Batch service:
Code example: Use a Microsoft Entra service principal with Batch .NET
To authenticate with a service principal from Batch .NET:
Declare the following using statements in your code:
C#
using Microsoft.Azure.Batch;
using Microsoft.Azure.Batch.Auth;
using Microsoft.Identity.Client;
Reference the Microsoft Entra endpoint, including the tenant ID. When you use a service principal, you must provide a tenant-specific endpoint. You can get your tenant ID from the Microsoft Entra ID Overview page in the Azure portal.
Specify the application (client) ID for your application. You can get the application ID from your application's Overview page in the Azure portal.
C#
private const string ClientId = "<application-id>";
Specify the secret key that you copied from the Azure portal.
C#
private const string ClientKey = "<secret-key>";
Write a callback method to acquire the authentication token from Microsoft Entra ID. The following GetAccessToken method uses ConfidentialClientApplicationBuilder.Create to call MSAL for unattended authentication.
C#
public static async Task<string> GetAccessToken(string[] scopes)
{
    // AuthorityUri is the tenant-specific Microsoft Entra endpoint referenced above;
    // ClientId and ClientKey are the application ID and secret copied from the portal.
    var app = ConfidentialClientApplicationBuilder.Create(ClientId)
        .WithClientSecret(ClientKey)
        .WithAuthority(new Uri(AuthorityUri))
        .Build();

    // Client credentials flow: no user is involved, the application authenticates as itself.
    var result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
    return result.AccessToken;
}
Call this method by using the following code. The .default scope ensures that the application has permission to access all the scopes for the resource.
C#
var token = await GetAccessToken(new string[] { $"{BatchResourceUri}/.default" });
Construct a BatchTokenCredentials object that takes the delegate as a parameter. Use those credentials to open a BatchClient object. Then use the BatchClient object for subsequent operations against the Batch service:
Code example: Use a Microsoft Entra service principal with Batch Python
To authenticate with a service principal from Batch Python:
Declare the following import statements in your code:
Python
from azure.batch import BatchServiceClient
from azure.common.credentials import ServicePrincipalCredentials
To use a service principal, provide a tenant-specific endpoint. You can get your tenant ID from the Microsoft Entra ID Overview page or Properties page in the Azure portal.
Use the service principal credentials to open a BatchServiceClient object. Then use the BatchServiceClient object for subsequent operations against the Batch service.