Turn off local (access key) authentication

Azure Web PubSub resources can authenticate requests in two ways:

  • Microsoft Entra ID (recommended)
  • Access key

Microsoft Entra ID provides superior security and ease of use over an access key. If you use Microsoft Entra ID, you don't need to store the tokens in your code and risk potential security vulnerabilities. We recommend that you use Microsoft Entra ID for your Web PubSub resources when possible.

Important

Disabling local authentication might have the following results:

  • The current set of access keys is permanently deleted.
  • Tokens that are signed by using the current set of access keys become unavailable.
  • A signature will not be attached in the upstream request header. Learn how to validate an access token.

Turn off local authentication

You can turn off local authentication via access key by using:

  • The Azure portal
  • An Azure Resource Manager template
  • Azure Policy

Azure portal

To turn off local authentication by using the Azure portal:

  1. In the Azure portal, go to your Web PubSub resource.

  2. On the left menu under Settings, select Keys.

  3. For local authentication, select Disabled.

  4. Select Save.

Screenshot that shows turning off local authentication.

Azure Resource Manager template

You can turn off local authentication by setting the disableLocalAuth property to true as shown in the following Azure Resource Manager template:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "resource_name": {
      "defaultValue": "test-for-disable-aad",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.SignalRService/WebPubSub",
      "apiVersion": "2022-08-01-preview",
      "name": "[parameters('resource_name')]",
      "location": "eastus",
      "sku": {
        "name": "Premium_P1",
        "tier": "Premium",
        "size": "P1",
        "capacity": 1
      },
      "properties": {
        "tls": {
          "clientCertEnabled": false
        },
        "networkACLs": {
          "defaultAction": "Deny",
          "publicNetwork": {
            "allow": [
              "ServerConnection",
              "ClientConnection",
              "RESTAPI",
              "Trace"
            ]
          },
          "privateEndpoints": []
        },
        "publicNetworkAccess": "Enabled",
        "disableLocalAuth": true,
        "disableAadAuth": false
      }
    }
  ]
}

Azure Policy

You can assign the policy Azure Web PubSub Service should have local authentication methods disabled in Azure Policy to an Azure subscription or to a resource group. Assigning this policy turns off local authentication for all Web PubSub resources in the subscription or resource group.

Screenshot that shows turning off local authentication policy.