title | description | author | ms.author | ms.date | ms.service | ms.custom | ms.topic |
---|---|---|---|---|---|---|---|
Turn off local (access key) authentication | Learn how to turn off local access key authentication and use only Microsoft Entra authorization for your Azure Web PubSub resource. | terencefan | tefa | 08/16/2024 | azure-web-pubsub | devx-track-arm-template | conceptual |
Azure Web PubSub resources can authenticate requests in two ways:
- Microsoft Entra ID (recommended)
- Access key
Microsoft Entra ID provides superior security and ease of use over an access key. If you use Microsoft Entra ID, you don't need to store the tokens in your code and risk potential security vulnerabilities. We recommend that you use Microsoft Entra ID for your Web PubSub resources when possible.
Important
Disabling local authentication might have the following results:
- The current set of access keys is permanently deleted.
- Tokens that are signed by using the current set of access keys become unavailable.
- A signature will not be attached in the upstream request header. Learn how to validate an access token.
You can turn off local authentication via access key by using:
- The Azure portal
- An Azure Resource Manager template
- Azure Policy
To turn off local authentication by using the Azure portal:
- In the Azure portal, go to your Web PubSub resource.
- On the left menu under Settings, select Keys.
- For local authentication, select Disabled.
- Select Save.
:::image type="content" source="media/howto-disable-local-auth/disable-local-auth.png" alt-text="Screenshot that shows turning off local authentication.":::
You can turn off local authentication by setting the `disableLocalAuth` property to `true`, as shown in the following Azure Resource Manager template:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "resource_name": {
      "defaultValue": "test-for-disable-aad",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.SignalRService/WebPubSub",
      "apiVersion": "2022-08-01-preview",
      "name": "[parameters('resource_name')]",
      "location": "eastus",
      "sku": {
        "name": "Premium_P1",
        "tier": "Premium",
        "size": "P1",
        "capacity": 1
      },
      "properties": {
        "tls": {
          "clientCertEnabled": false
        },
        "networkACLs": {
          "defaultAction": "Deny",
          "publicNetwork": {
            "allow": [
              "ServerConnection",
              "ClientConnection",
              "RESTAPI",
              "Trace"
            ]
          },
          "privateEndpoints": []
        },
        "publicNetworkAccess": "Enabled",
        "disableLocalAuth": true,
        "disableAadAuth": false
      }
    }
  ]
}
```
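A pre-deployment check for templates like the one above, added here as an example (it is not part of the original article or of any Azure tooling): it lists every `Microsoft.SignalRService/WebPubSub` resource whose `disableLocalAuth` is not the JSON boolean `true`. The function names, the sample template, and the choice to report a missing or unresolved value as a finding are assumptions of this example; it expects `resources` in array form and resolves only `[parameters('...')]` expressions that have a `defaultValue`.

```python
import json

WEB_PUBSUB_TYPE = "microsoft.signalrservice/webpubsub"  # ARM types are case-insensitive

def _resolve(value, parameters):
    """Resolve "[parameters('x')]" to that parameter's defaultValue (None if absent)."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return parameters.get(value[len(prefix):-len(suffix)], {}).get("defaultValue")
    return value

def find_local_auth_enabled(template):
    """Return names of Web PubSub resources where access-key auth is not provably off."""
    parameters = template.get("parameters", {})
    findings = []

    def walk(resources):
        for res in resources:
            if res.get("type", "").lower() == WEB_PUBSUB_TYPE:
                flag = _resolve(res.get("properties", {}).get("disableLocalAuth"), parameters)
                # Only JSON true passes; missing, false, "true" or unresolved values are findings.
                if flag is not True:
                    findings.append(_resolve(res.get("name"), parameters) or "<unresolved name>")
            walk(res.get("resources", []))  # child resources declared inline

    walk(template.get("resources", []))
    return findings

# Constructed sample template (not from the page): three resources, one compliant.
SAMPLE_TEMPLATE = json.loads("""
{
  "parameters": {
    "resource_name": {"type": "String", "defaultValue": "test-for-disable-aad"},
    "disable_keys": {"type": "Bool", "defaultValue": false}
  },
  "resources": [
    {"type": "Microsoft.SignalRService/WebPubSub", "name": "[parameters('resource_name')]",
     "properties": {"disableLocalAuth": true}},
    {"type": "Microsoft.SignalRService/WebPubSub", "name": "pubsub-no-flag",
     "properties": {"publicNetworkAccess": "Enabled"}},
    {"type": "microsoft.signalrservice/webpubsub", "name": "pubsub-param",
     "properties": {"disableLocalAuth": "[parameters('disable_keys')]"}}
  ]
}
""")

if __name__ == "__main__":
    for name in find_local_auth_enabled(SAMPLE_TEMPLATE):
        print(f"local auth not disabled: {name}")
```

Run against a template file by loading it with `json.load` and passing the result to `find_local_auth_enabled`; an empty list means every Web PubSub resource in the template sets the flag to `true`.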
You can assign the policy "Azure Web PubSub Service should have local authentication methods disabled" in Azure Policy to an Azure subscription or to a resource group. Assigning this policy turns off local authentication for all Web PubSub resources in the subscription or resource group.
:::image type="content" source="media/howto-disable-local-auth/disable-local-auth-policy.png" alt-text="Screenshot that shows turning off local authentication policy.":::