Merge pull request #296166 from terencefan/tefa/update-signalr-aad-application

ttorble · web-flow · commit 88449a196947 · 2025-03-14T07:59:20.000Z
update signalr howto-authorize-application
diff --git a/articles/azure-signalr/signalr-howto-authorize-application.md b/articles/azure-signalr/signalr-howto-authorize-application.md
@@ -1,9 +1,9 @@
 ---
 title: Authorize requests to Azure SignalR Service resources with Microsoft Entra applications
 description: This article provides information about authorizing requests to Azure SignalR Service resources by using Microsoft Entra applications.
-author: vicancy
-ms.author: lianwei
-ms.date: 02/03/2023
+author: terencefan
+ms.author: tefa
+ms.date: 03/14/2023
 ms.service: azure-signalr-service
 ms.topic: how-to
 ms.devlang: csharp
@@ -12,52 +12,26 @@ ms.custom: subject-rbac-steps
 
 # Authorize requests to Azure SignalR Service resources with Microsoft Entra applications
 
-Azure SignalR Service supports Microsoft Entra ID for authorizing requests from [Microsoft Entra applications](../active-directory/develop/app-objects-and-service-principals.md).
+Azure SignalR Service supports Microsoft Entra ID for authorizing requests from [Microsoft Entra applications](/entra/identity-platform/app-objects-and-service-principals).
 
 This article shows how to configure your Azure SignalR Service resource and codes to authorize requests to the resource from a Microsoft Entra application.
 
-## Register an application
+## Register an application in Microsoft Entra ID
 
-The first step is to register a Microsoft Entra application:
-
-1. In the [Azure portal](https://portal.azure.com/), search for and select **Microsoft Entra ID**.
-2. Under **Manage**, select **App registrations**.
-3. Select **New registration**. The **Register an application** pane opens.
-
-   ![Screenshot of the pane for registering an application.](./media/signalr-howto-authorize-application/register-an-application.png)
-5. For **Name**, enter a display name for your application.
-6. Select **Register** to confirm the registration.
+The first step is to [Register an application in Microsoft Entra ID](/entra/identity-platform/quickstart-register-app):
 
 After you register your application, you can find the **Application (client) ID** and **Directory (tenant) ID** values on the application's overview page. These GUIDs can be useful in the following steps.
 
 ![Screenshot of overview information for a registered application.](./media/signalr-howto-authorize-application/application-overview.png)
 
-To learn more about registering an application, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md).
-
 ## Add credentials
 
-You can add both certificates and client secrets (a string) as credentials to your confidential client app registration.
-
-### Client secret
-
-The application requires a client secret to prove its identity when it's requesting a token. To create a client secret, follow these steps:
-
-1. Under **Manage**, select **Certificates & secrets**.
-1. On the **Client secrets** tab, select **New client secret**.
-
-   ![Screenshot of selections for creating a client secret.](./media/signalr-howto-authorize-application/new-client-secret.png)
-1. Enter a description for the client secret, and choose an expiration time.
-1. Copy the value of the client secret and then paste it in a secure location.
-   > [!NOTE]
-   > The secret appears only once.
+After registering an app, you can add **certificates, client secrets (a string), or federated identity credentials** as credentials to your confidential client app registration. Credentials allow your application to authenticate as itself, requiring no interaction from a user at runtime, and are used by confidential client applications that access a web API.
 
-### Certificate
+- [Add a certificate](/entra/identity-platform/quickstart-register-app?tabs=certificate#add-credentials)
+- [Add a client secret](/entra/identity-platform/quickstart-register-app?tabs=client-secret#add-credentials)
+- [Add a federated credential](/entra/identity-platform/quickstart-register-app?tabs=federated-credential#add-credentials)
 
-You can upload a certificate instead of creating a client secret.
-
-![Screenshot of selections for uploading a certificate.](./media/signalr-howto-authorize-application/upload-certificate.png)
-
-To learn more about adding credentials, see [Add credentials](../active-directory/develop/quickstart-register-app.md#add-credentials).
 
 ## Add role assignments in the Azure portal
 
@@ -93,58 +67,72 @@ To learn more about how to assign and manage Azure roles, see these articles:
 - [Assign Azure roles using the Azure CLI](../role-based-access-control/role-assignments-cli.md)
 - [Assign Azure roles using Azure Resource Manager templates](../role-based-access-control/role-assignments-template.md)
 
-## Configure your app
+## Microsoft.Azure.SignalR app server SDK for C#
 
-### App server
+[Azure SignalR server SDK for C#](https://github.com/Azure/azure-signalr)
 
-The best practice is to configure identity and credentials in your environment variables:
+### Use Microsoft Entra application with certificate
+```csharp
+services.AddSignalR().AddAzureSignalR(option =>
+{
+    var credential = new ClientCertificateCredential("tenantId", "clientId", "path-to-cert");
 
-| Variable                        | Description                                                                                                     |
-| ------------------------------- | --------------------------------------------------------------------------------------------------------------- |
-| `AZURE_TENANT_ID`               | The Microsoft Entra tenant ID.                                                                                  |
-| `AZURE_CLIENT_ID`               | The client (application) ID of an app registration in the tenant.                                                |
-| `AZURE_CLIENT_SECRET`           | A client secret that was generated for the app registration.                                                    |
-| `AZURE_CLIENT_CERTIFICATE_PATH` | A path to a certificate and private key pair in PEM or PFX format, which can authenticate the app registration. |
-| `AZURE_USERNAME`                | The username, also known as User Principal Name (UPN), of a Microsoft Entra user account.                                            |
-| `AZURE_PASSWORD`                | The password of the Microsoft Entra user account. A password isn't supported for accounts with multifactor authentication enabled.       |
+    option.Endpoints = [
+      new ServiceEndpoint(new Uri(), "https://<resource>.service.signalr.net"), credential);
+    ];
+});
+```
 
-You can use either [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) or [EnvironmentCredential](/dotnet/api/azure.identity.environmentcredential) to configure your Azure SignalR Service endpoints. Here's the code for `DefaultAzureCredential`:
+### Use Microsoft Entra application with client secret
 
-```C#
+```csharp
 services.AddSignalR().AddAzureSignalR(option =>
 {
-    option.Endpoints = new ServiceEndpoint[]
-    {
-        new ServiceEndpoint(new Uri("https://<resource-name>.service.signalr.net"), new DefaultAzureCredential())
-    };
+    var credential = new ClientSecretCredential("tenantId", "clientId", "clientSecret");
+
+    option.Endpoints = [
+      new ServiceEndpoint(new Uri(), "https://<resource>.service.signalr.net"), credential);
+    ];
 });
 ```
 
-Here's the code for `EnvironmentCredential`:
+### Use Microsoft Entra application with Federated identity
 
-```C#
+> [!NOTE]
+> Configure an application to trust a managed identity is a preview feature. 
+> To learn more about it, see [Configure an application to trust a managed identity (preview)](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity).
+
+```csharp
 services.AddSignalR().AddAzureSignalR(option =>
 {
-    option.Endpoints = new ServiceEndpoint[]
+    var msiCredential = new ManagedIdentityCredential("msiClientId");
+
+    var credential = new ClientAssertionCredential("tenantId", "appClientId", async (ctoken) =>
     {
-        new ServiceEndpoint(new Uri("https://<resource-name>.service.signalr.net"), new EnvironmentCredential())
-    };
+        // Entra ID US Government: api://AzureADTokenExchangeUSGov
+        // Entra ID China operated by 21Vianet: api://AzureADTokenExchangeChina
+        var request = new TokenRequestContext([$"api://AzureADTokenExchange/.default"]);
+        var response = await msiCredential.GetTokenAsync(request, ctoken).ConfigureAwait(false);
+        return response.Token;
+    });
+
+    option.Endpoints = [
+      new ServiceEndpoint(new Uri(), "https://<resource>.service.signalr.net"), credential);
+    ];
 });
 ```
 
-To learn how `DefaultAzureCredential` works, see [DefaultAzureCredential class](/dotnet/api/overview/azure/identity-readme#defaultazurecredential).
-
-#### Use endpoint-specific credentials
+### Use multiple endpoints
 
-In your organization, you might want to use different credentials for different endpoints.
+Credentials can be different for different endpoints.
 
-In this scenario, you can use [ClientSecretCredential](/dotnet/api/azure.identity.clientsecretcredential) or [ClientCertificateCredential](/dotnet/api/azure.identity.clientcertificatecredential):
+In this sample, the Azure SignalR SDK will connect to `resource1` with client secret and connect to `resource2` with certificate.
 
 ```csharp
 services.AddSignalR().AddAzureSignalR(option =>
 {
     var credential1 = new ClientSecretCredential("tenantId", "clientId", "clientSecret");
-    var credential2 = new ClientCertificateCredential("tenantId", "clientId", "pathToCert");
+    var credential2 = new ClientCertificateCredential("tenantId", "clientId", "path-to-cert");
 
     option.Endpoints = new ServiceEndpoint[]
     {
@@ -154,15 +142,15 @@ services.AddSignalR().AddAzureSignalR(option =>
 });
 ```
 
-### Azure SignalR Service bindings in Azure Functions
+## Azure SignalR Service bindings in Azure Functions
 
 Azure SignalR Service bindings in Azure Functions use [application settings](../azure-functions/functions-how-to-use-azure-function-app-settings.md) in the portal or [local.settings.json](../azure-functions/functions-develop-local.md#local-settings-file) locally to configure Microsoft Entra application identities to access your Azure SignalR Service resources.
 
 First, you need to specify the service URI of Azure SignalR Service. The key of the service URI is `serviceUri`. It starts with a connection name prefix (which defaults to `AzureSignalRConnectionString`) and a separator. The separator is an underscore (`__`) in the Azure portal and a colon (`:`) in the *local.settings.json* file. You can customize the connection name by using the binding property [`ConnectionStringSetting`](../azure-functions/functions-bindings-signalr-service.md). Continue reading to find the sample.
 
 Then, you choose whether to configure your Microsoft Entra application identity in [predefined environment variables](#configure-an-identity-in-predefined-environment-variables) or in [SignalR-specified variables](#configure-an-identity-in-signalr-specified-variables).
 
-#### Configure an identity in predefined environment variables
+### Configure an identity in predefined environment variables
 
 See [Environment variables](/dotnet/api/overview/azure/identity-readme#environment-variables) for the list of predefined environment variables. When you have multiple services, we recommend that you use the same application identity, so that you don't need to configure the identity for each service. Other services might also use these environment variables, based on the settings of those services.
 
@@ -188,7 +176,7 @@ AZURE_TENANT_ID = ...
 AZURE_CLIENT_SECRET = ...
 ```
 
-#### Configure an identity in SignalR-specified variables
+### Configure an identity in SignalR-specified variables
 
 SignalR-specified variables share the same key prefix with the `serviceUri` key. Here's the list of variables that you might use:
 
