Use Entra ID authentication with cache instances
March 21, 2025 ยท View on GitHub
SYNOPSIS
Use Entra ID authentication with cache instances.
DESCRIPTION
Azure Cache for Redis by default requires that all requests be authenticated. Two methods are supported for authenticating and authorizing requests to Redis cache instances.
- Access keys - Cryptographic keys are secret similar to a shared password,
and as a result have a number of limitations that impact security and maintainability.
- Access keys have a long number of characters, so are not easily guessable but once exposed grant full access.
- Auditing based on user or application is not possible when using access keys.
- Each access key must be stored securely within any applications or scripts that use it. This can introduce additional dependencies and code to maintain, that might not normally be required if using Entra ID. Azure Key Vault provides a secure storage for access keys as a secret.
- You have two keys (primary/ secondary) to manage, each should be rotated independently on a regular basis. Rotation should occur regularly using automation with a documented manual process as a backup.
- Microsoft Entra ID - An OAuth2 access token issued by Microsoft Entra ID provides advantages over access keys including:
- More granular access control instead of only full access.
- Strong identity protection methods such as Multi-Factor Authentication (MFA) and conditional access.
- Central management and auditing.
Currently Redis Enterprise and Redis Enterprise Flash tiers are not supported.
Entra ID authentication is supported on Basic, Standard, and Premium tiers.
RECOMMENDATION
Consider configuring and using Microsoft Entra ID to authenticate all connections to Redis cache instances.
EXAMPLES
Configure with Azure template
To deploy cache instances that pass this rule:
- Set the
properties.redisConfiguration.aad-enabledto"True".
For example:
{
"type": "Microsoft.Cache/redis",
"apiVersion": "2024-03-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"properties": {
"redisVersion": "6",
"sku": {
"name": "Premium",
"family": "P",
"capacity": 1
},
"redisConfiguration": {
"aad-enabled": "True",
"maxmemory-reserved": "615"
},
"enableNonSslPort": false,
"publicNetworkAccess": "Disabled"
},
"zones": [
"1",
"2",
"3"
]
}
Configure with Bicep
To deploy cache instances that pass this rule:
- Set the
properties.redisConfiguration.aad-enabledto'True'.
For example:
resource cache 'Microsoft.Cache/redis@2024-03-01' = {
name: name
location: location
properties: {
redisVersion: '6'
sku: {
name: 'Premium'
family: 'P'
capacity: 1
}
redisConfiguration: {
'aad-enabled': 'True'
'maxmemory-reserved': '615'
}
enableNonSslPort: false
publicNetworkAccess: 'Disabled'
}
zones: [
'1'
'2'
'3'
]
}
NOTES
Microsoft Entra ID based authentication isn't supported in the Enterprise/ Enterprise Flash tiers.