Use Entra ID authentication with cache instances

March 21, 2025 ยท View on GitHub

SYNOPSIS

Use Entra ID authentication with cache instances.

DESCRIPTION

Azure Cache for Redis by default requires that all requests be authenticated. Two methods are supported for authenticating and authorizing requests to Redis cache instances.

  • Access keys - Cryptographic keys are secret similar to a shared password, and as a result have a number of limitations that impact security and maintainability.
    • Access keys have a long number of characters, so are not easily guessable but once exposed grant full access.
    • Auditing based on user or application is not possible when using access keys.
    • Each access key must be stored securely within any applications or scripts that use it. This can introduce additional dependencies and code to maintain, that might not normally be required if using Entra ID. Azure Key Vault provides a secure storage for access keys as a secret.
    • You have two keys (primary/ secondary) to manage, each should be rotated independently on a regular basis. Rotation should occur regularly using automation with a documented manual process as a backup.
  • Microsoft Entra ID - An OAuth2 access token issued by Microsoft Entra ID provides advantages over access keys including:
    • More granular access control instead of only full access.
    • Strong identity protection methods such as Multi-Factor Authentication (MFA) and conditional access.
    • Central management and auditing.

Currently Redis Enterprise and Redis Enterprise Flash tiers are not supported. Entra ID authentication is supported on Basic, Standard, and Premium tiers.

RECOMMENDATION

Consider configuring and using Microsoft Entra ID to authenticate all connections to Redis cache instances.

EXAMPLES

Configure with Azure template

To deploy cache instances that pass this rule:

  • Set the properties.redisConfiguration.aad-enabled to "True".

For example:

{
  "type": "Microsoft.Cache/redis",
  "apiVersion": "2024-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "redisVersion": "6",
    "sku": {
      "name": "Premium",
      "family": "P",
      "capacity": 1
    },
    "redisConfiguration": {
      "aad-enabled": "True",
      "maxmemory-reserved": "615"
    },
    "enableNonSslPort": false,
    "publicNetworkAccess": "Disabled"
  },
  "zones": [
    "1",
    "2",
    "3"
  ]
}

Configure with Bicep

To deploy cache instances that pass this rule:

  • Set the properties.redisConfiguration.aad-enabled to 'True'.

For example:

resource cache 'Microsoft.Cache/redis@2024-03-01' = {
  name: name
  location: location
  properties: {
    redisVersion: '6'
    sku: {
      name: 'Premium'
      family: 'P'
      capacity: 1
    }
    redisConfiguration: {
      'aad-enabled': 'True'
      'maxmemory-reserved': '615'
    }
    enableNonSslPort: false
    publicNetworkAccess: 'Disabled'
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}

NOTES

Microsoft Entra ID based authentication isn't supported in the Enterprise/ Enterprise Flash tiers.