Authorize requests to Web PubSub resources with Microsoft Entra ID from Azure applications

Azure Web PubSub Service supports Microsoft Entra ID for authorizing requests from applications.

This article shows how to configure your Web PubSub resource and your code to authorize requests to a Web PubSub resource from an Azure application.

Register an application

The first step is to register an Azure application.

  1. On the Azure portal, search for and select Microsoft Entra ID.

  2. Under the Manage section, select App registrations.

  3. Click New registration.

    Screenshot of registering an application.

  4. Enter a display Name for your application.

  5. Click Register to confirm the registration.

Once you have your application registered, you can find the Application (client) ID and Directory (tenant) ID under its Overview page. These GUIDs can be useful in the following steps.

Screenshot of an application.

To learn more about registering an application, see

Add credentials

You can add both certificates and client secrets (a string) as credentials to your confidential client app registration.

Client secret

The application requires a client secret to prove its identity when requesting a token. To create a client secret, follow these steps.

  1. Under the Manage section, select Certificates & secrets.
  2. On the Client secrets tab, click New client secret.

    Screenshot of creating a client secret.

  3. Enter a description for the client secret, and choose an expiration time.
  4. Copy the value of the client secret and then paste it to a secure location.

    Note

    The secret will display only once.

Certificate

You can also upload a certificate instead of creating a client secret.

Screenshot of uploading a certificate.

To learn more about adding credentials, see

Add role assignments on Azure portal

This sample shows how to assign a Web PubSub Service Owner role to a service principal (application) over a Web PubSub resource.

Note

A role can be assigned at any scope, including management group, subscription, resource group, or a single resource. To learn more about scope, see Understand scope for Azure RBAC.

  1. On the Azure portal, navigate to your Web PubSub resource.

  2. Click Access Control (IAM) to display access control settings for the Web PubSub resource.

  3. Click the Role assignments tab to view the role assignments at this scope.

    The following screenshot shows an example of the Access control (IAM) page for a Web PubSub resource.

    Screenshot of access control.

  4. Click Add > Add role assignment.

  5. On the Roles tab, select Web PubSub Service Owner.

  6. Click Next.

    Screenshot of adding role assignment.

  7. On the Members tab, under the Assign access to section, select User, group, or service principal.

  8. Click Select Members.

  9. Search for and select the application that you would like to assign the role to.

  10. Click Select to confirm the selection.

  11. Click Next.

    Screenshot of assigning role to service principals.

  12. Click Review + assign to confirm the change.

Important

Azure role assignments may take up to 30 minutes to propagate. To learn more about how to assign and manage Azure role assignments, see these articles:

Use Postman to get the Microsoft Entra token

  1. Launch Postman.

  2. For the method, select GET.

  3. For the URI, enter https://login.microsoftonline.com/<TENANT ID>/oauth2/token. Replace <TENANT ID> with the Directory (tenant) ID value in the Overview tab of the application you created earlier.

  4. On the Headers tab, add a Content-Type key with application/x-www-form-urlencoded as the value.

    Screenshot of the basic info using postman to get the token.

  5. Switch to the Body tab, and add the following keys and values.

    1. Select x-www-form-urlencoded.
    2. Add a grant_type key, and type client_credentials for the value.
    3. Add a client_id key, and paste the value of Application (client) ID from the Overview tab of the application you created earlier.
    4. Add a client_secret key, and paste the value of the client secret you noted down earlier.
    5. Add a resource key, and type https://webpubsub.azure.com for the value.

    Screenshot of the body parameters when using postman to get the token.

  6. Select Send to send the request to get the token. You see the token in the access_token field.

    Screenshot of the response token when using postman to get the token.
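The same token request built outside Postman, followed by a local check of the returned token's audience and expiry before it is used against the Web PubSub resource. This is an added example, not code from the original article or from Microsoft. It sends the request as POST (RFC 6749 section 3.2 requires POST for token requests), assumes the access token is a JWT whose aud claim equals the resource value, and uses hypothetical function names.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

RESOURCE = "https://webpubsub.azure.com"  # the "resource" value from the steps above

def build_token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials request with the same fields as the Postman steps."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": RESOURCE,
    }
    return urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/token",
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",  # RFC 6749 section 3.2: token requests use POST
    )

def token_claims(access_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def check_token(access_token, now=None):
    """Return a list of problems (wrong audience, expired); empty means neither."""
    claims = token_claims(access_token)
    now = time.time() if now is None else now
    problems = []
    if str(claims.get("aud", "")).rstrip("/") != RESOURCE:
        problems.append(f"unexpected audience: {claims.get('aud')!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems

if __name__ == "__main__":
    # Constructed token (fake signature) so the check runs offline. To get a real one:
    #   token = json.load(urllib.request.urlopen(build_token_request(...)))["access_token"]
    body = json.dumps({"aud": RESOURCE, "exp": int(time.time()) + 3600}).encode()
    sample = "e30." + base64.urlsafe_b64encode(body).decode().rstrip("=") + ".sig"
    print(check_token(sample) or "audience and expiry look right")
```

Read the client secret from an environment variable or a secret store when calling build_token_request, so it never lands in source control or shell history.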

Sample code using Microsoft Entra authorization

We officially support 4 programming languages:

Next steps

See the following related articles: