Managed identities for Azure SignalR Service
This article shows you how to create a managed identity for Azure SignalR Service and how to use it in serverless scenarios.
Important
Azure SignalR Service supports only one managed identity. That means you can add either a system-assigned identity or a user-assigned identity, but not both.
Add a system-assigned identity
To set up a managed identity in the Azure portal, you'll first create an Azure SignalR Service instance and then enable the feature.
Create an Azure SignalR Service instance in the portal as you normally would. Browse to it in the portal.
Select Identity.
On the System assigned tab, switch Status to On. Select Save.
Add a user-assigned identity
Creating an Azure SignalR Service instance with a user-assigned identity requires that you create the identity and then add its resource identifier to your service.
Create a user-assigned managed identity resource according to these instructions.
Create an Azure SignalR Service instance in the portal as you normally would. Browse to it in the portal.
Select Identity.
On the User assigned tab, select Add.
Search for the identity that you created earlier and select it. Select Add.
Use a managed identity in serverless scenarios
Azure SignalR Service is a fully managed service, so you can't use a managed identity to get tokens manually. Instead, Azure SignalR Service uses the managed identity that you set to obtain an access token. The service then sets the access token into an Authorization header in an upstream request in serverless scenarios.
Enable managed identity authentication in upstream settings
Add a system-assigned identity or user-assigned identity.
Add an upstream setting and select any asterisk to open the detailed settings page.
In the managed identity authentication settings, for Resource, you can specify the target resource. The resource becomes the aud claim in the obtained access token, which your upstream endpoints can use as part of token validation. The resource can be one of the following:
- Empty
- Application (client) ID of the service principal
- Application ID URI of the service principal
- Resource ID of an Azure service
Note
If you validate the access token yourself in your service, you can choose any one of the resource formats. Just make sure that the Resource value in the auth settings and the value your validation expects are consistent. If you use Azure role-based access control (Azure RBAC) for a data plane, you must use the resource that the service provider requests.
Validate access tokens
The token in the Authorization header is a Microsoft identity platform access token.
To validate access tokens, your app should also validate the audience and the token signature, using the signing keys published in the OpenID discovery document. For example, see the tenant-independent version of the document.
The Azure Active Directory (Azure AD) middleware has built-in capabilities for validating access tokens. You can browse through our samples to find one in the language of your choice.
We provide libraries and code samples that show how to handle token validation. There are also several open-source partner libraries available for JSON Web Token (JWT) validation. There's at least one option for almost every platform and language out there. For more information about Azure AD authentication libraries and code samples, see Microsoft identity platform authentication libraries.
Authentication in Function App
You can set up access token validation in Function App without writing any code.
In the Authentication (classic) page, switch App Service Authentication to On.
Select Log in with Azure Active Directory in Action to take when request is not authenticated.
Under Authentication Providers, select Azure Active Directory.
On the new page, select Express and Create New AD App, and then select OK.
Navigate to SignalR Service and follow steps to add a system-assigned identity or user-assigned identity.
Get into Upstream settings in SignalR Service and choose Use Managed Identity and Select from existing Applications. Select the application you created previously.
After these settings, the Function App will reject requests without an access token in the header.
Important
To pass the authentication, the Issuer Url must match the iss claim in the token. Currently, only the v1 endpoint is supported (see v1.0 and v2.0), so the Issuer Url should look like https://sts.windows.net/<tenant-id>/. Check the Issuer Url configured in Azure Function. For Authentication, go to Identity provider -> Edit -> Issuer Url; for Authentication (classic), go to Azure Active Directory -> Advanced -> Issuer Url.
Use a managed identity for Key Vault reference
SignalR Service can access Key Vault to get secrets by using the managed identity.
Add a system-assigned identity or user-assigned identity for Azure SignalR Service.
Grant secret read permission to the managed identity in the Access policies of the Key Vault. See Assign a Key Vault access policy using the Azure portal.
Currently, this feature can be used in the following scenarios:
Next steps