Turn off local (access key) authentication
Azure Web PubSub resources can authenticate requests in two ways:
- Microsoft Entra ID (recommended)
- Access key
Microsoft Entra ID provides superior security and ease of use over an access key. If you use Microsoft Entra ID, you don't need to store the tokens in your code and risk potential security vulnerabilities. We recommend that you use Microsoft Entra ID for your Web PubSub resources when possible.
Important
Disabling local authentication might have the following results:
- The current set of access keys is permanently deleted.
- Tokens that are signed by using the current set of access keys become unavailable.
- A signature will not be attached in the upstream request header. Learn how to validate an access token.
Turn off local authentication
You can turn off local authentication via access key by using:
- The Azure portal
- An Azure Resource Manager template
- Azure Policy
Azure portal
To turn off local authentication by using the Azure portal:
In the Azure portal, go to your Web PubSub resource.
On the left menu under Settings, select Keys.
For local authentication, select Disabled.
Select Save.
Azure Resource Manager template
You can turn off local authentication by setting the disableLocalAuth
property to true
as shown in the following Azure Resource Manager template:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"resource_name": {
"defaultValue": "test-for-disable-aad",
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.SignalRService/WebPubSub",
"apiVersion": "2022-08-01-preview",
"name": "[parameters('resource_name')]",
"location": "eastus",
"sku": {
"name": "Premium_P1",
"tier": "Premium",
"size": "P1",
"capacity": 1
},
"properties": {
"tls": {
"clientCertEnabled": false
},
"networkACLs": {
"defaultAction": "Deny",
"publicNetwork": {
"allow": [
"ServerConnection",
"ClientConnection",
"RESTAPI",
"Trace"
]
},
"privateEndpoints": []
},
"publicNetworkAccess": "Enabled",
"disableLocalAuth": true,
"disableAadAuth": false
}
}
]
}
Azure Policy
You can assign the policy Azure Web PubSub Service should have local authentication methods disabled in Azure Policy to an Azure subscription or to a resource group. Assigning this policy turns off local authentication for all Web PubSub resources in the subscription or resource group.