How to use Managed Identity with Azure Communication Services

Azure Communication Services is a fully managed communication platform that enables developers to build real-time communication features into their applications. By using Managed Identity with Azure Communication Services, you can simplify the authentication process for your application, while also increasing its security. This document covers how to use Managed Identity with Azure Communication Services.

Using Managed Identity with Azure Communication Services

Azure Communication Services supports using Managed Identity to authenticate with the service. By using Managed Identity, you can eliminate the need to manage your own access tokens and credentials.

Your Azure Communication Services resource can be assigned two types of identity:

  1. A System Assigned Identity which is tied to your resource and is deleted when your resource is deleted. Your resource can only have one system-assigned identity.
  2. A User Assigned Identity which is an Azure resource that can be assigned to your Azure Communication Services resource. This identity isn't deleted when your resource is deleted. Your resource can have multiple user-assigned identities.

To use Managed Identity with Azure Communication Services, follow these steps:

  1. Grant your Managed Identity access to the Communication Services resource. This assignment can be made through the Azure portal, the Azure CLI, and the Azure Communication Management SDKs.
  2. Use the Managed Identity to authenticate with Azure Communication Services. Authentication can be done through the Azure SDKs or REST APIs that support Managed Identity.

Add a system-assigned identity

  1. In the left navigation of your app's page, scroll down to the Settings group.

  2. Select Identity.

  3. Within the System assigned tab, switch Status to On. Select Save.

Add a user-assigned identity

Assigning a user-assigned identity to your Azure Communication Services resource requires that you first create the identity and then add its resource identifier to your Communication Services resource.

First, you need to create a user-assigned managed identity resource.

  1. Create a user-assigned managed identity resource according to these instructions.

  2. In the left navigation for your app's page, scroll down to the Settings group.

  3. Select Identity.

  4. Select User assigned > Add.

  5. Search for the identity you created earlier, select it, and select Add.

Managed Identity using Azure Communication Services management SDKs

Managed Identity can also be assigned to your Azure Communication Services resource using the Azure Communication Management SDKs. This assignment can be achieved by introducing the identity property in the resource definition either on creation or when updating the resource.

You can assign your managed identity to your Azure Communication Services resource using the Azure Communication Management SDK for .NET by setting the Identity property on the CommunicationServiceResourceData.

For example:

using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Communication;
using Azure.ResourceManager.Models;
using Azure.ResourceManager.Resources;

public async Task CreateResourceWithSystemAssignedManagedIdentity()
{
    // Authenticate to Azure Resource Manager with the ambient credential
    ArmClient armClient = new ArmClient(new DefaultAzureCredential());
    SubscriptionResource subscription = await armClient.GetDefaultSubscriptionAsync();

    // Create the resource group
    ResourceGroupCollection rgCollection = subscription.GetResourceGroups();
    // With the collection, we can create a new resource group with a specific name
    string rgName = "myRgName";
    AzureLocation location = AzureLocation.WestUS2;
    ArmOperation<ResourceGroupResource> lro = await rgCollection.CreateOrUpdateAsync(WaitUntil.Completed, rgName, new ResourceGroupData(location));
    ResourceGroupResource resourceGroup = lro.Value;

    // Get the Communication Services collection of the resource group
    CommunicationServiceResourceCollection collection = resourceGroup.GetCommunicationServiceResources();
    string communicationServiceName = "myCommunicationService";

    // Create the Communication Services resource with a system-assigned identity
    var identity = new ManagedServiceIdentity(ManagedServiceIdentityType.SystemAssigned);
    CommunicationServiceResourceData data = new CommunicationServiceResourceData("global")
    {
        DataLocation = "UnitedStates",
        Identity = identity
    };
    var communicationServiceLro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, communicationServiceName, data);
    var resource = communicationServiceLro.Value;
}

For more information on using the .NET Management SDK, see Azure Communication Management SDK for .NET.

For more information specific to managing your resource instance, see Managing your Communication Service Resource instance.

Note

A resource can have both system-assigned and user-assigned identities at the same time. In this case, the type property would be SystemAssigned,UserAssigned.

Removing all managed identity assignments from a resource can also be achieved by specifying the type property as None.
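
The identity types from the note above, applied to an existing resource with the .NET Management SDK. This is an added example, not code from the original page: the class name, method names, and the userAssignedIdentityId parameter are hypothetical, and it assumes the resource already exists and that resubmitting its current definition through CreateOrUpdateAsync is an acceptable way to update it.

```csharp
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.ResourceManager.Communication;
using Azure.ResourceManager.Models;
using Azure.ResourceManager.Resources;

public static class CommunicationIdentityExamples // hypothetical name
{
    // Hypothetical helper: replaces the identity block on an existing resource.
    private static async Task<CommunicationServiceResource> SetIdentityAsync(
        ResourceGroupResource resourceGroup, string name, ManagedServiceIdentity identity)
    {
        CommunicationServiceResourceCollection collection =
            resourceGroup.GetCommunicationServiceResources();
        CommunicationServiceResource existing = await collection.GetAsync(name);

        // Reuse the current definition so location and data location stay unchanged.
        CommunicationServiceResourceData data = existing.Data;
        data.Identity = identity;

        var lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, name, data);
        return lro.Value;
    }

    // System-assigned and user-assigned identities at the same time.
    public static Task<CommunicationServiceResource> AssignSystemAndUserIdentityAsync(
        ResourceGroupResource resourceGroup, string name, string userAssignedIdentityId)
    {
        var identity = new ManagedServiceIdentity(
            ManagedServiceIdentityType.SystemAssignedUserAssigned);
        // The dictionary key is the ARM resource ID of the user-assigned identity.
        identity.UserAssignedIdentities.Add(
            new ResourceIdentifier(userAssignedIdentityId), new UserAssignedIdentity());
        return SetIdentityAsync(resourceGroup, name, identity);
    }

    // Type None removes every managed identity assignment from the resource.
    public static Task<CommunicationServiceResource> RemoveAllIdentitiesAsync(
        ResourceGroupResource resourceGroup, string name)
    {
        return SetIdentityAsync(
            resourceGroup, name, new ManagedServiceIdentity(ManagedServiceIdentityType.None));
    }
}
```

Setting the type to None detaches a user-assigned identity but does not delete it; the identity and any role assignments granted to it remain until they are removed separately.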

Next steps

Now that you have learned how to enable Managed Identity with Azure Communication Services, consider implementing this feature in your own applications to simplify your authentication process and improve security.