SignalR: Cross tenant authorization with Microsoft Entra

terencefan · web-flow · commit 9fbbe7f791ff · 2025-03-15T14:13:58.000+08:00
diff --git a/articles/azure-signalr/signalr-concept-authorize-azure-active-directory.md b/articles/azure-signalr/signalr-concept-authorize-azure-active-directory.md
@@ -1,14 +1,14 @@
 ---
 title: Authorize access with Microsoft Entra ID for Azure SignalR Service
-description: This article provides information on authorizing access to Azure SignalR Service resources by using Microsoft Entra ID.
-author: vicancy
-ms.author: lianwei
-ms.date: 09/06/2021
+description: This article explains how to authorize requests to Azure SignalR Service resources using Microsoft Entra ID. 
+author: terencefan
+ms.author: tefa
+ms.date: 03/12/2025
 ms.service: azure-signalr-service
 ms.topic: conceptual
 ---
 
-# Authorize access with Microsoft Entra ID for Azure SignalR Service
+# Microsoft Entra ID for Azure SignalR Service
 
 Azure SignalR Service supports Microsoft Entra ID for authorizing requests to its resources. With Microsoft Entra ID, you can use role-based access control (RBAC) to grant permissions to a *security principal*. A security principal is a user/resource group, an application, or a service principal such as system-assigned identities and user-assigned identities.
 
@@ -86,12 +86,20 @@ You can scope access to Azure SignalR Service resources at the following levels,
 
 ## Next steps
 
-- To learn how to create an Azure application and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra applications](./signalr-howto-authorize-application.md).
+- To learn how to configure Microsoft Entra authorization, see:
 
-- To learn how to configure a managed identity and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra managed identities](./signalr-howto-authorize-managed-identity.md).
+  - [Authorize requests to Azure SignalR Service resources with Microsoft Entra applications](./signalr-howto-authorize-application.md).
+  - [Authorize requests to Azure SignalR Service resources with Managed identities for Azure resources](./signalr-howto-authorize-managed-identity.md).
 
-- To learn more about roles and role assignments, see [What is Azure role-based access control (Azure RBAC)?](../role-based-access-control/overview.md).
+- To learn more about roles-based access control and role, see:
 
-- To learn how to create custom roles, see [Steps to create a custom role](../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role).
+  - [What is Azure role-based access control (Azure RBAC)?](../role-based-access-control/overview.md).
+  - [Steps to create a custom role](../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role).
 
-- To learn how to use only Microsoft Entra authentication, see [Disable local authentication](./howto-disable-local-auth.md).
+- To learn how to configure cross tenant authorization with Microsoft Entra, see:
+
+  - [How to configure cross tenant authorization with Microsoft Entra](signalr-howto-authorize-cross-tenant.md)
+
+- To learn how to disable connection string and use only Microsoft Entra authentication, see:
+
+  - [How to disable local authentication](./howto-disable-local-auth.md).
diff --git a/articles/azure-signalr/signalr-howto-authorize-application.md b/articles/azure-signalr/signalr-howto-authorize-application.md
@@ -3,7 +3,7 @@ title: Authorize requests to Azure SignalR Service resources with Microsoft Entr
 description: This article provides information about authorizing requests to Azure SignalR Service resources by using Microsoft Entra applications.
 author: terencefan
 ms.author: tefa
-ms.date: 03/14/2023
+ms.date: 03/12/2023
 ms.service: azure-signalr-service
 ms.topic: how-to
 ms.devlang: csharp
@@ -195,6 +195,7 @@ In the Azure portal, add settings as follows:
 
 See the following related articles:
 
-- [Authorize access with Microsoft Entra ID for Azure SignalR Service](signalr-concept-authorize-azure-active-directory.md)
-- [Authorize requests to Azure SignalR Service resources with Microsoft Entra managed identities](signalr-howto-authorize-managed-identity.md)
-- [Disable local authentication](./howto-disable-local-auth.md)
+- [Microsoft Entra ID for Azure SignalR Service](signalr-concept-authorize-azure-active-directory.md)
+- [Authorize requests to Azure SignalR Service resources with Managed identities for Azure resources](./signalr-howto-authorize-managed-identity.md).
+- [How to configure cross tenant authorization with Microsoft Entra](signalr-howto-authorize-cross-tenant.md)
+- [How to disable local authentication](./howto-disable-local-auth.md)
diff --git a/articles/azure-signalr/signalr-howto-authorize-cross-tenant.md b/articles/azure-signalr/signalr-howto-authorize-cross-tenant.md
@@ -0,0 +1,192 @@
+---
+title: Cross tenant authorization with Microsoft Entra
+description: This article provides information about building multitenant applications and configure authorization in SignalR.
+author: terencefan
+ms.author: tefa
+ms.date: 03/12/2023
+ms.service: azure-signalr-service
+ms.topic: how-to
+ms.devlang: csharp
+ms.custom: subject-rbac-steps
+---
+
+# Cross tenant authorization with Microsoft Entra
+
+For security reasons, your server may host in a independent tenant from your Azure SignalR resource.
+
+Since managed identity can not be used across tenants, you'll need to register an application in `tenantA` and then provision it as an enterprise application in `tenantB`.
+
+This doc will help you create an application in `tenantA` and use it to connect to a SignalR resource in `tenantB`.
+
+## Register a multitenant application in tenant A
+
+The first step is to create a multitenant application.
+
+> In the case that you've already have a single tenant application.
+>
+> [Convert single-tenant app to multitenant on Microsoft Entra ID](/entra/identity-platform/howto-convert-app-to-be-multi-tenant)
+
+[Quickstart: Register an application in Microsoft Entra ID](/entra/identity-platform/quickstart-register-app)
+
+There will be 4 account types:
+
+1. Accounts in this organizational directory
+2. Accounts in any organizational directory	
+3. Accounts in any organizational directory and personal Microsoft accounts
+4. Personal Microsoft accounts
+
+Be sure to select either 2 or 3 when creating the application.
+
+![Screenshot of overview information for a registered application.](./media/signalr-howto-authorize-application/application-overview.png)
+
+Note down the **Application (client) ID** and **Directory (tenant) ID**, they can be useful in the following steps.
+
+## Provision the application in tenant B
+
+The role cannot be assigned to the application registered in other tenants. We have to provision it as an external enterprise application in the tenant B.
+
+Click to learn [differences between App registration and Enterprise applications](/answers/questions/270680/app-registration-vs-enterprise-applications).
+
+For short, the enterprise application is a service principal, while the app registration is not. The enterprise application will inherit certain properties from the application object, such as **Application (client) ID**. 
+
+A default service principal will be created in the tenant where the app is registered. For other tenants, you'll need to provision the app to get an enterprice application service principal, see:
+
+[Create an enterprise application from a multitenant application in Microsoft Entra ID](/entra/identity/enterprise-apps/create-service-principal-cross-tenant)
+
+Enterprise applications in different tenant will have different **Directory (tenant) ID**, but share the same **Application (client) ID**.
+
+## Assign roles to the enterprise application
+
+Once you have the enterprise application provisioned in your tenant B. You will be able to assign roles to it.
+
+[!INCLUDE [add role assignments](includes/signalr-add-role-assignments.md)]
+
+## Configure SignalR SDK to use the enterprise application
+
+There are 3 different types of credentials for an application to authenticate itself:
+
+- Certificates
+- Client secrets
+- Federated identity
+
+We strongly recommend you to use the first 2 ways to make cross tenant requests.
+
+### Use Certificates or Client secrets
+
+- `tenantId` should be the ID of your **Tenant B**.
+- `clientId` in both tenants are equal.
+- `clientSecret` and `clientCert` should be configured in **Tenant A**, see [Add credentials](/entra/identity-platform/quickstart-register-app?tabs=certificate%2Cexpose-a-web-api#add-credentials)
+
+If you are not sure about your tenant ID, see [Find your Microsoft Entra tenant](/azure/azure-portal/get-subscription-tenant-id#find-your-microsoft-entra-tenant)
+
+```csharp
+services.AddSignalR().AddAzureSignalR(option =>
+{
+    var credential1 = new ClientSecretCredential("tenantId", "clientId", "clientSecret");
+    var credential2 = new ClientCertificateCredential("tenantId", "clientId", "path-to-cert");
+
+    option.Endpoints = new ServiceEndpoint[]
+    {
+        new ServiceEndpoint(new Uri("https://<resource1>.service.signalr.net"), credential1),
+        new ServiceEndpoint(new Uri("https://<resource2>.service.signalr.net"), credential2),
+    };
+});
+```
+
+### Use Federated identity
+
+However, for security reasons, certificates and client secrets might be disabled in your subscription. In this case, you'll need to either use an external identity providor or try the preview support for managed identity.
+
+- [Configure an app to trust an external identity provider](/entra/workload-id/workload-identity-federation-create-trust)
+- [Configure an application to trust a managed identity (preview)](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity)
+
+You can check this repo: [Entra Cross-Tenant Application Federated Identity Credential (FIC)](https://github.com/arsenvlad/entra-cross-tenant-app-fic-managed-identity) for detailed info and video guide.
+
+When using managed identity as an identity provider, the code should look like this:
+
+- `tenantId` should be the ID of your **Tenant B**.
+- `clientId` in both tenants are equal.
+
+```csharp
+services.AddSignalR().AddAzureSignalR(option =>
+{
+    var msiCredential = new ManagedIdentityCredential("msiClientId");
+
+    var credential = new ClientAssertionCredential("tenantId", "appClientId", async (ctoken) =>
+    {
+        // Entra ID US Government: api://AzureADTokenExchangeUSGov
+        // Entra ID China operated by 21Vianet: api://AzureADTokenExchangeChina
+        var request = new TokenRequestContext([$"api://AzureADTokenExchange/.default"]);
+        var response = await msiCredential.GetTokenAsync(request, ctoken).ConfigureAwait(false);
+        return response.Token;
+    });
+
+    option.Endpoints = [
+        new ServiceEndpoint(new Uri(), "https://<resource>.service.signalr.net"), credential);
+    ];
+});
+```
+
+When using enternal identity providers, the code should look like this:
+
+```csharp
+services.AddSignalR().AddAzureSignalR(option =>
+{
+    var credential = new ClientAssertionCredential("tenantId", "appClientId", async (ctoken) =>
+    {
+        // Find your own way to get a token from the external identity provider.
+        // The audience of the token should be "api://AzureADTokenExchange", as it is the recommended value.
+        return "TheTokenYouGetFromYourExternalIdentityProvider";
+    });
+
+    option.Endpoints = [
+        new ServiceEndpoint(new Uri(), "https://<resource>.service.signalr.net"), credential);
+    ];
+});
+```
+
+Debugging token acquisition with the SignalR SDK can be challenging since it depends on the token results. 
+We recommend testing the token acquisition process locally before integrating with the SignalR SDK.
+
+```csharp
+var assertion = new ClientAssertionCredential("tenantId", "appClientId", async (ctoken) =>
+{
+    // Find your own way to get a token from the external identity provider.
+    // The audience of the token should be "api://AzureADTokenExchange", as it is the recommended value.
+    return TheTokenYouGetFromYourExternalIdentityProvider;
+});
+
+var request = new TokenRequestContext(["https://signalr.azure.com/.default");
+var token = await assertion.GetTokenAsync(assertion);
+Console.log(token.Token);
+```
+
+The key point is to use an inner credential to get a `clientAssertion` from `api://AzureADTokenExchange` or other trusted identity platforms. Then use it to exchange for a token with `https://signalr.azure.com/.default` audience to access your resource.
+
+Your goal is to get a token with following claims. Use [jwt.io](https://jwt.io/) to help you decode the token:
+
+- **oid**
+
+  This should be equal to your enterprise application object ID. 
+
+  If you don't know where to get it, see [How Retrieve Enterprise Object Id](/answers/questions/1007608/how-retrieve-enterprise-object-id-from-azure-activ)
+
+- **tid**
+
+  This should be equal to the Directory ID of your tenant B. 
+
+  If you are not sure about your tenant ID, see [Find your Microsoft Entra tenant](/azure/azure-portal/get-subscription-tenant-id#find-your-microsoft-entra-tenant)
+
+- **audience**
+
+  Has to be `https://signalr.azure.com/.default` to access SignalR resources.
+
+Good luck :)
+
+## Next steps
+
+See the following related articles:
+
+- [Microsoft Entra ID for Azure SignalR Service](signalr-concept-authorize-azure-active-directory.md)
+- [Authorize requests to Azure SignalR Service resources with Microsoft Entra applications](signalr-howto-authorize-application.md)
+- [Authorize requests to Azure SignalR Service resources with Managed identities for Azure resources](./signalr-howto-authorize-managed-identity.md).
diff --git a/articles/azure-signalr/signalr-howto-authorize-managed-identity.md b/articles/azure-signalr/signalr-howto-authorize-managed-identity.md
@@ -3,7 +3,7 @@ title: Authorize requests to Azure SignalR Service resources with Microsoft Entr
 description: This article provides information about authorizing requests to Azure SignalR Service resources by using Microsoft Entra managed identities.
 author: terencefan
 ms.author: tefa
-ms.date: 03/14/2025
+ms.date: 03/12/2023
 ms.service: azure-signalr-service
 ms.topic: how-to
 ms.devlang: csharp
@@ -130,6 +130,7 @@ If you want to use a user-assigned identity, you need to assign `clientId` in ad
 
 See the following related articles:
 
-- [Authorize access with Microsoft Entra ID for Azure SignalR Service](signalr-concept-authorize-azure-active-directory.md)
+- [Microsoft Entra ID for Azure SignalR Service](signalr-concept-authorize-azure-active-directory.md)
 - [Authorize requests to Azure SignalR Service resources with Microsoft Entra applications](signalr-howto-authorize-application.md)
-- [Disable local authentication](./howto-disable-local-auth.md)
+- [How to configure cross tenant authorization with Microsoft Entra](signalr-howto-authorize-cross-tenant.md)
+- [How to disable local authentication](./howto-disable-local-auth.md)
