Authorize access to Azure App Configuration using Microsoft Entra ID

Besides using Hash-based Message Authentication Code (HMAC), Azure App Configuration supports using Microsoft Entra ID to authorize requests to App Configuration instances. Microsoft Entra ID allows you to use Azure role-based access control (Azure RBAC) to grant permissions to a security principal. A security principal may be a user, a managed identity, or an application service principal. To learn more about roles and role assignments, see Understanding different roles.

Overview

Requests made by a security principal to access an App Configuration resource must be authorized. With Microsoft Entra ID, access to a resource is a two-step process:

1. The security principal's identity is authenticated and an OAuth 2.0 token is returned. The resource name to request a token is https://login.microsoftonline.com/{tenantID} where {tenantID} matches the Microsoft Entra tenant ID to which the service principal belongs.
2. The token is passed as part of a request to the App Configuration service to authorize access to the specified resource.

The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity, such as an Azure Functions app, an Azure Web App, or an Azure VM, it can use a managed identity to access the resources. To learn how to authenticate requests made by a managed identity to Azure App Configuration, see Authenticate access to Azure App Configuration resources with Microsoft Entra ID and managed identities for Azure Resources.

The authorization step requires that one or more Azure roles be assigned to the security principal. Azure App Configuration provides Azure roles that encompass sets of permissions for App Configuration resources. The roles that are assigned to a security principal determine the permissions provided to the principal. For more information about Azure roles, see Azure built-in roles for Azure App Configuration.

Assign Azure roles for access rights

Microsoft Entra authorizes access rights to secured resources through Azure role-based access control (Azure RBAC).

When an Azure role is assigned to a Microsoft Entra security principal, Azure grants access to those resources for that security principal. Access is scoped to the App Configuration resource. A Microsoft Entra security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

Azure built-in roles for Azure App Configuration

Azure provides the following Azure built-in roles for authorizing access to App Configuration data using Microsoft Entra ID:

• App Configuration Data Owner: Use this role to give read/write/delete access to App Configuration data. This role doesn't grant access to the App Configuration resource.
• App Configuration Data Reader: Use this role to give read access to App Configuration data. This role doesn't grant access to the App Configuration resource.
• Contributor or Owner: Use this role to manage the App Configuration resource. It grants access to the resource's access keys. While the App Configuration data can be accessed using access keys, this role doesn't grant direct access to the data using Microsoft Entra ID. This role is required if you access the App Configuration data via ARM template, Bicep, or Terraform during deployment. For more information, see deployment.
• Reader: Use this role to give read access to the App Configuration resource. This role doesn't grant access to the resource's access keys, nor to the data stored in App Configuration.

Note

After a role assignment is made for an identity, allow up to 15 minutes for the permission to propagate before accessing data stored in App Configuration using this identity.

Next steps

Learn more about using managed identities to administer your App Configuration service.