Merge pull request #296364 from terencefan/tefa/update-msi

v-ccolin · web-flow · commit e6a90960e722 · 2025-03-14T21:37:39.000Z
update signalr msi docs
diff --git a/articles/azure-signalr/includes/signalr-add-role-assignments.md b/articles/azure-signalr/includes/signalr-add-role-assignments.md
@@ -0,0 +1,62 @@
+---
+title: include file
+description: include file
+author: terencefan
+ms.service: azure-signalr-service
+ms.topic: include
+ms.date: 03/12/2025
+ms.author: tefa
+ms.custom: include file
+---
+
+The following steps describe how to assign a **SignalR App Server** role to a service principal or a managed identity for an Azure SignalR Service resource. For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.yml).
+
+> [!NOTE]
+> A role can be assigned to any scope, including management group, subscription, resource group, or single resource. To learn more about scope, see [Understand scope for Azure RBAC](../../role-based-access-control/scope-overview.md).
+
+1. In the [Azure portal](https://portal.azure.com/), go to your Azure SignalR Service resource.
+
+1. Select **Access control (IAM)** in the sidebar.
+
+1. Select **Add** > **Add role assignment**.
+
+   :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows the page for access control and selections for adding a role assignment.":::
+
+1. On the **Role** tab, select **SignalR App Server** or other SignalR built-in roles depends on your scenario.
+
+   | Role                                                                                              | Description                                                                                               | Use case                                                                                                                                     |
+   | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
+   | [SignalR App Server](../../role-based-access-control/built-in-roles.md#signalr-app-server)           | Access to the server connection creation and key generation APIs.                                                | Most commonly used for app server with Azure SignalR resource run in **Default** mode.                                                                                                             |
+   | [SignalR Service Owner](../../role-based-access-control/built-in-roles.md#signalr-service-owner)     | Full access to all data-plane APIs, including REST APIs, the server connection creation, and key/token generation APIs. | For negotiation server with Azure SignalR resource run in **Serverless** mode, as it requires both REST API permissions and authentication API permissions. |
+   | [SignalR REST API Owner](../../role-based-access-control/built-in-roles.md#signalr-rest-api-owner)   | Full access to data-plane REST APIs.                                                                      | For using [Azure SignalR Management SDK](/azure/azure-signalr/signalr-howto-use-management-sdk) to manage connections and groups, but does **NOT** make server connections or handle negotiation requests.                          |
+   | [SignalR REST API Reader](../../role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs.                                                                 | Use it when write a monitoring tool that calls readonly REST APIs.                                      |
+
+1. Select Next.
+
+
+1. For Microsoft Entra application.
+
+
+   1. In the `Assign access` to row, select **User, group, or service principal**.
+   1. In the `Members` row, click `select members`, then choose the identity in the pop-up window.
+
+1. For managed identity for Azure resources.
+
+   1. In the `Assign access` to row, select **Managed identity**.
+   1. In the `Members` row, click `select members`, then choose the application in the pop-up window.
+
+1. Select Next.
+
+
+1. Review your assignment, then click **Review + assign** to confirm the role assignment.
+
+> [!IMPORTANT]
+> Newly added role assignments might take up to 30 minutes to propagate.
+
+To learn more about how to assign and manage Azure roles, see these articles:
+
+- [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.yml)
+- [Assign Azure roles using the REST API](../../role-based-access-control/role-assignments-rest.md)
+- [Assign Azure roles using Azure PowerShell](../../role-based-access-control/role-assignments-powershell.md)
+- [Assign Azure roles using the Azure CLI](../../role-based-access-control/role-assignments-cli.md)
+- [Assign Azure roles using Azure Resource Manager templates](../../role-based-access-control/role-assignments-template.md)
diff --git a/articles/azure-signalr/signalr-concept-authorize-azure-active-directory.md b/articles/azure-signalr/signalr-concept-authorize-azure-active-directory.md
@@ -33,7 +33,7 @@ When a security principal tries to access an Azure SignalR Service resource, the
 
 When you use an access key, the key is shared between your app server (or function app) and the Azure SignalR Service resource. Azure SignalR Service authenticates the client connection request by using the shared key.
 
-When you use Microsoft Entra ID, there is no shared key. Instead, Azure SignalR Service uses a *temporary access key* for signing tokens used in client connections. The workflow contains four steps:
+When you use Microsoft Entra ID, there's no shared key. Instead, Azure SignalR Service uses a *temporary access key* for signing tokens used in client connections. The workflow contains four steps:
 
 1. The security principal requires an OAuth 2.0 token from Microsoft Entra ID to authenticate itself.
 2. The security principal calls the SignalR authentication API to get a temporary access key.
@@ -44,13 +44,27 @@ The temporary access key expires in 90 minutes. We recommend that you get a new
 
 The workflow is built in the [Azure SignalR Service SDK for app servers](https://github.com/Azure/azure-signalr).
 
+### Cross tenant access when using Microsoft Entra ID
+
+In some cases, your server and your Azure SignalR resource may not be in the same tenant due to security concerns.
+
+A [multitenant applications](/entra/identity-platform/single-and-multi-tenant-apps#best-practices-for-multitenant-apps) could help you in this scenario.
+
+If you've already registered a single-tenant app, see [convert your single-tenant app to multitenant](/entra/identity-platform/howto-convert-app-to-be-multi-tenant).
+
+Once you have registered the multitenant application in your `tenantA`, you should provision it as an enterprise application in your `tenantB`.
+
+[Create an enterprise application from a multitenant application in Microsoft Entra ID](/entra/identity/enterprise-apps/create-service-principal-cross-tenant?pivots=msgraph-powershell)
+
+The application registered in your `tenantA` and the enterprise application provisioned in your `tenantB` share the same Application (client) ID.
+
 ## Assign Azure roles for access rights
 
 Microsoft Entra ID authorizes access rights to secured resources through [Azure RBAC](../role-based-access-control/overview.md). Azure SignalR Service defines a set of Azure built-in roles that encompass common sets of permissions for accessing Azure SignalR Service resources. You can also define custom roles for access to Azure SignalR Service resources.
 
 ### Resource scope
 
-You might have to determine the scope of access that the security principal should have before you assign any Azure RBAC role to a security principal. We recommend that you grant only the narrowest possible scope. Azure RBAC roles defined at a broader scope are inherited by the resources beneath them.
+Before assigning Azure RBAC roles to a security principal, it’s essential to define the appropriate scope of access they should have. We advise granting the most limited scope necessary to minimize unnecessary permissions. Keep in mind that Azure RBAC roles assigned at a higher or broader scope are automatically inherited by the resources nested within that scope.
 
 You can scope access to Azure SignalR Service resources at the following levels, beginning with the narrowest scope.
 
@@ -65,16 +79,16 @@ You can scope access to Azure SignalR Service resources at the following levels,
 
 | Role                                                                                              | Description                                                                                               | Use case                                                                                                                                     |
 | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
-| [SignalR App Server](../role-based-access-control/built-in-roles.md#signalr-app-server)           | Access to the WebSocket connection creation API and authentication APIs.                                                | Most commonly used for an app server.                                                                                                             |
-| [SignalR Service Owner](../role-based-access-control/built-in-roles.md#signalr-service-owner)     | Full access to all data-plane APIs, including REST APIs, the WebSocket connection creation API, and authentication APIs. | Use for *serverless mode* for authorization with Microsoft Entra ID, because it requires both REST API permissions and authentication API permissions. |
-| [SignalR REST API Owner](../role-based-access-control/built-in-roles.md#signalr-rest-api-owner)   | Full access to data-plane REST APIs.                                                                      | Often used to write a tool that manages connections and groups, but does *not* make connections or call authentication APIs.                          |
-| [SignalR REST API Reader](../role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs.                                                                 | Commonly used to write a monitoring tool that calls *only* Azure SignalR Service data-plane read-only REST APIs.                                      |
+| [SignalR App Server](../role-based-access-control/built-in-roles.md#signalr-app-server)           | Access to the server connection creation and key generation APIs.                                                | Most commonly used for app server with Azure SignalR resource run in **Default** mode.                                                                                                             |
+| [SignalR Service Owner](../role-based-access-control/built-in-roles.md#signalr-service-owner)     | Full access to all data-plane APIs, including REST APIs, the server connection creation, and key/token generation APIs. | For negotiation server with Azure SignalR resource run in **Serverless** mode, as it requires both REST API permissions and authentication API permissions. |
+| [SignalR REST API Owner](../role-based-access-control/built-in-roles.md#signalr-rest-api-owner)   | Full access to data-plane REST APIs.                                                                      | For using [Azure SignalR Management SDK](./signalr-howto-use-management-sdk.md) to manage connections and groups, but does **NOT** make server connections or handle negotiation requests.                          |
+| [SignalR REST API Reader](../role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs.                                                                 | Use it when write a monitoring tool that calls readonly REST APIs.
 
 ## Next steps
 
-- To learn how to create an Azure application and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra applications](signalr-howto-authorize-application.md).
+- To learn how to create an Azure application and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra applications](./signalr-howto-authorize-application.md).
 
-- To learn how to configure a managed identity and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra managed identities](signalr-howto-authorize-managed-identity.md).
+- To learn how to configure a managed identity and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra managed identities](./signalr-howto-authorize-managed-identity.md).
 
 - To learn more about roles and role assignments, see [What is Azure role-based access control (Azure RBAC)?](../role-based-access-control/overview.md).
 
diff --git a/articles/azure-signalr/signalr-howto-authorize-application.md b/articles/azure-signalr/signalr-howto-authorize-application.md
@@ -12,7 +12,7 @@ ms.custom: subject-rbac-steps
 
 # Authorize requests to Azure SignalR Service resources with Microsoft Entra applications
 
-Azure SignalR Service supports Microsoft Entra ID for authorizing requests from [Microsoft Entra applications](/entra/identity-platform/app-objects-and-service-principals).
+Azure SignalR Service supports Microsoft Entra ID for authorizing requests with [Microsoft Entra applications](/entra/identity-platform/app-objects-and-service-principals).
 
 This article shows how to configure your Azure SignalR Service resource and codes to authorize requests to the resource from a Microsoft Entra application.
 
@@ -35,41 +35,17 @@ After registering an app, you can add **certificates, client secrets (a string),
 
 ## Add role assignments in the Azure portal
 
-The following steps describe how to assign a SignalR App Server role to a service principal (application) over an Azure SignalR Service resource. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.yml).
+[!INCLUDE [add role assignments](includes/signalr-add-role-assignments.md)]
 
-> [!NOTE]
-> A role can be assigned to any scope, including management group, subscription, resource group, or single resource. To learn more about scope, see [Understand scope for Azure RBAC](../role-based-access-control/scope-overview.md).
-
-1. In the [Azure portal](https://portal.azure.com/), go to your Azure SignalR Service resource.
-
-1. Select **Access control (IAM)**.
-
-1. Select **Add** > **Add role assignment**.
-
-   :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows the page for access control and selections for adding a role assignment.":::
-
-1. On the **Role** tab, select **SignalR App Server**.
-
-1. On the **Members** tab, select **User, group, or service principal**, and then choose **Select members**.
-
-1. Search for and select the application to which you want to assign the role.
-
-1. On the **Review + assign** tab, select **Review + assign** to assign the role.
-
-> [!IMPORTANT]
-> Azure role assignments might take up to 30 minutes to propagate.
+## Configure Microsoft.Azure.SignalR app server SDK for C#
 
-To learn more about how to assign and manage Azure roles, see these articles:
-
-- [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.yml)
-- [Assign Azure roles using the REST API](../role-based-access-control/role-assignments-rest.md)
-- [Assign Azure roles using Azure PowerShell](../role-based-access-control/role-assignments-powershell.md)
-- [Assign Azure roles using the Azure CLI](../role-based-access-control/role-assignments-cli.md)
-- [Assign Azure roles using Azure Resource Manager templates](../role-based-access-control/role-assignments-template.md)
+[Azure SignalR server SDK for C#](https://github.com/Azure/azure-signalr)
 
-## Microsoft.Azure.SignalR app server SDK for C#
+The Azure SignalR server SDK leverages the [Azure.Identity library](/dotnet/api/overview/azure/identity-readme) to generate tokens for connecting to resources.
+Click to explore detailed usages.
 
-[Azure SignalR server SDK for C#](https://github.com/Azure/azure-signalr)
+> [!NOTE]
+> The tenantId must match the tenantId of the tenant where your SignalR resource is in.
 
 ### Use Microsoft Entra application with certificate
 ```csharp
@@ -98,9 +74,12 @@ services.AddSignalR().AddAzureSignalR(option =>
 
 ### Use Microsoft Entra application with Federated identity
 
+In the case of your organization disabled the usage of client secret/certificate, you can configure the application to trust a managed identity for authentication.
+
+To learn more about it, see [Configure an application to trust a managed identity (preview)](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity).
+
 > [!NOTE]
 > Configure an application to trust a managed identity is a preview feature. 
-> To learn more about it, see [Configure an application to trust a managed identity (preview)](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity).
 
 ```csharp
 services.AddSignalR().AddAzureSignalR(option =>
@@ -117,11 +96,15 @@ services.AddSignalR().AddAzureSignalR(option =>
     });
 
     option.Endpoints = [
-      new ServiceEndpoint(new Uri(), "https://<resource>.service.signalr.net"), credential);
+        new ServiceEndpoint(new Uri(), "https://<resource>.service.signalr.net"), credential);
     ];
 });
 ```
 
+This credential will use the user-assigned managed identity to generate a `clientAssertion` and use it to exchange for a `clientToken` for authentication.
+
+The `appClientId` and `tenantId` should be the enterprise application that you provisioned in the tenant of SignalR resource.
+
 ### Use multiple endpoints
 
 Credentials can be different for different endpoints.
@@ -142,6 +125,8 @@ services.AddSignalR().AddAzureSignalR(option =>
 });
 ```
 
+More sample can be found in this [Sample link](https://github.com/Azure/azure-signalr/blob/dev/samples/ChatSample/ChatSample/Startup.cs)
+
 ## Azure SignalR Service bindings in Azure Functions
 
 Azure SignalR Service bindings in Azure Functions use [application settings](../azure-functions/functions-how-to-use-azure-function-app-settings.md) in the portal or [local.settings.json](../azure-functions/functions-develop-local.md#local-settings-file) locally to configure Microsoft Entra application identities to access your Azure SignalR Service resources.
diff --git a/articles/azure-signalr/signalr-howto-authorize-managed-identity.md b/articles/azure-signalr/signalr-howto-authorize-managed-identity.md
