Merge pull request #232935 from terencefan/signalr/disable-local-auth

Add DisableLocalAuth docs for SignalR/Web PubSub

Author: PMEds28

articles/azure-signalr/TOC.yml

@@ -123,10 +123,12 @@
       href: howto-shared-private-endpoints-key-vault.md
     - name: Use managed identity
       href: howto-use-managed-identity.md
-    - name: Authorize from Azure Applications
+    - name: Authorize from Azure application
       href: signalr-howto-authorize-application.md
-    - name: Authorize from Managed Identity
+    - name: Authorize from managed identity
       href: signalr-howto-authorize-managed-identity.md
+    - name: Disable local authentication.
+      href: howto-disable-local-auth.md
     - name: Custom domain
       href: howto-custom-domain.md
   - name: Integrate
@@ -210,4 +212,4 @@
   - name: Twitter
     href: https://twitter.com/SignalR
   - name: ASP.NET forums
-    href: https://social.msdn.microsoft.com/Forums/en-US/home?forum=aspsignalr
+    href: https://social.msdn.microsoft.com/Forums/en-US/home?forum=aspsignalr

articles/azure-signalr/howto-disable-local-auth.md

@@ -0,0 +1,121 @@
+---
+title: Disable local (access key) authentication with Azure SignalR Service
+description: This article provides information about how to disable access key authentication and use only Azure AD authentication with Azure SignalR Service.
+author: terencefan
+
+ms.author: tefa
+ms.date: 03/31/2023
+ms.service: signalr
+ms.topic: conceptual
+---
+
+# Disable local (access key) authentication with Azure SignalR Service
+
+There are two ways to authenticate to Azure SignalR Service resources: Azure Active Directory (Azure AD) and Access Key. Azure AD provides superior security and ease of use over access key. With Azure AD, there’s no need to store the tokens in your code and risk potential security vulnerabilities. We recommend that you use Azure AD with your Azure SignalR Service resources when possible.
+
+> [!IMPORTANT]
+> Disabling local authentication can have following influences.
+> - The current set of access keys will be permanently deleted. 
+> - Tokens signed with current set of access keys will become unavailable. 
+
+## Use Azure portal
+
+In this section, you will learn how to use the Azure portal to disable local authentication.
+
+1. Navigate to your SignalR Service resource in the [Azure portal](https://portal.azure.com).
+
+2. in the **Settings** section of the menu sidebar, select **Keys** tab.
+
+3. Select **Disabled** for local authentication.
+
+4. Click **Save** button.
+
+![Screenshot of disabling local auth.](./media/howto-disable-local-auth/disable-local-auth.png)
+
+## Use Azure Resource Manager template
+
+You can disable local authentication by setting `disableLocalAuth` property to true as shown in the following Azure Resource Manager template.
+
+```json
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "resource_name": {
+            "defaultValue": "test-for-disable-aad",
+            "type": "String"
+        }
+    },
+    "variables": {},
+    "resources": [
+        {
+            "type": "Microsoft.SignalRService/SignalR",
+            "apiVersion": "2022-08-01-preview",
+            "name": "[parameters('resource_name')]",
+            "location": "eastus",
+            "sku": {
+                "name": "Premium_P1",
+                "tier": "Premium",
+                "size": "P1",
+                "capacity": 1
+            },
+            "kind": "SignalR",
+            "properties": {
+                "tls": {
+                    "clientCertEnabled": false
+                },
+                "features": [
+                    {
+                        "flag": "ServiceMode",
+                        "value": "Default",
+                        "properties": {}
+                    },
+                    {
+                        "flag": "EnableConnectivityLogs",
+                        "value": "True",
+                        "properties": {}
+                    }
+                ],
+                "cors": {
+                    "allowedOrigins": [
+                        "*"
+                    ]
+                },
+                "serverless": {
+                    "connectionTimeoutInSeconds": 30
+                },
+                "upstream": {},
+                "networkACLs": {
+                    "defaultAction": "Deny",
+                    "publicNetwork": {
+                        "allow": [
+                            "ServerConnection",
+                            "ClientConnection",
+                            "RESTAPI",
+                            "Trace"
+                        ]
+                    },
+                    "privateEndpoints": []
+                },
+                "publicNetworkAccess": "Enabled",
+                "disableLocalAuth": true,
+                "disableAadAuth": false
+            }
+        }
+    ]
+}
+```
+
+## Use Azure Policy
+
+You can assign the [Azure SignalR Service should have local authentication methods disabled](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff70eecba-335d-4bbc-81d5-5b17b03d498f) Azure policy to an Azure subscription or a resource group to enforce disabling of local authentication for all SignalR resources in the subscription or the resource group.
+
+![Screenshot of disabling local auth policy.](./media/howto-disable-local-auth/disable-local-auth-policy.png)
+
+## Next steps
+
+See the following docs to learn about authentication methods.
+
+- [Overview of Azure AD for SignalR](signalr-concept-authorize-azure-active-directory.md)
+- [Authenticate with Azure applications](./signalr-howto-authorize-application.md)
+- [Authenticate with managed identities](./signalr-howto-authorize-managed-identity.md)

articles/azure-signalr/media/howto-disable-local-auth/disable-local-auth-policy.png

@@ -17,6 +17,11 @@ Authorizing requests against SignalR with Azure AD provides superior security an
 <a id="security-principal"></a>
 *[1] security principal: a user/resource group, an application, or a service principal such as system-assigned identities and user-assigned identities.*
 
+> [!IMPORTANT]
+> Disabling local authentication can have following influences.
+> - The current set of access keys will be permanently deleted. 
+> - Tokens signed with access keys will no longer be available. 
+
 ## Overview of Azure AD for SignalR
 
 When a security principal attempts to access a SignalR resource, the request must be authorized. With Azure AD, access to a resource requires 2 steps. 
@@ -82,4 +87,7 @@ To learn more about roles and role assignments, see:
 
 To learn how to create custom roles, see:
 
-- [Steps to create a custom role](../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role)
+- [Steps to create a custom role](../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role)
+
+To learn how to use only Azure AD authentication, see
+- [Disable local authentication](./howto-disable-local-auth.md)