แก้ไข

แชร์ผ่าน


Authorize requests to Azure Web PubSub resources with Microsoft Entra applications

Azure Web PubSub Service supports Microsoft Entra ID for authorizing requests with Microsoft Entra applications.

This article explains how to set up your resource and code to authenticate requests to the resource using a Microsoft Entra application.

Register an application in Microsoft Entra ID

The first step is to Register an application in Microsoft Entra ID:

After you register your application, you can find the Application (client) ID and Directory (tenant) ID values on the application's overview page. These GUIDs can be useful in the following steps.

Screenshot of overview information for a registered application.

Add credentials

After registering an app, you can add certificates, client secrets (a string), or federated identity credentials as credentials to your confidential client app registration. Credentials allow your application to authenticate as itself, requiring no interaction from a user at runtime, and are used by confidential client applications that access a web API.

Add role assignments in the Azure portal

This section shows how to assign a Web PubSub Service Owner role to a service principal or managed identity for a Web PubSub resource. For detailed steps, see Assign Azure roles using the Azure portal.

Note

A role can be assigned to any scope, including management group, subscription, resource group, or single resource. To learn more about scope, see Understand scope for Azure RBAC.

  1. In the Azure portal, go to your Web PubSub resource.

  2. Select Access control (IAM) in the sidebar.

  3. Select Add > Add role assignment.

    Screenshot that shows the page for access control and selections for adding a role assignment.

  4. On the Role tab, select Web PubSub Service Owner or other Web PubSub built-in roles depends on your scenario.

    Role Description Use case
    Web PubSub Service Owner Full access to data-plane APIs, including read/write REST APIs and Auth APIs. Most commonly used for building a upstream server that handles negotiation requests and client events.
    Web PubSub Service Reader Readonly access to data-plane APIs. Use it when write a monitoring tool that calls readonly REST APIs.
  5. Select Next.

  6. For Microsoft Entra application.

    1. In the Assign access to row, select User, group, or service principal.
    2. In the Members row, click select members, then choose the identity in the pop-up window.
  7. For managed identity for Azure resources.

    1. In the Assign access to row, select Managed identity.
    2. In the Members row, click select members, then choose the application in the pop-up window.
  8. Select Next.

  9. Review your assignment, then click Review + assign to confirm the role assignment.

Important

Newly added role assignments might take up to 30 minutes to propagate.

To learn more about how to assign and manage Azure roles, see these articles:

Code samples with Microsoft Entra authorization

Check out our samples that show how to use Microsoft Entra authorization in programming languages we officially support.