Azure Cache for Redis access keys are enabled
September 20, 2025
SYNOPSIS
Access keys allow depersonalized access to Azure Cache for Redis using a shared secret.
DESCRIPTION
Azure Cache for Redis supports two forms of authentication: access keys and Entra ID (previously Azure AD) authentication. Access keys provide full access to the cache without granular permission controls. When access keys are used, anyone with the key can perform any operation on the cache.
Using Entra ID authentication offers several advantages:
- Centralized identity management: Consistent authentication across all Azure services.
- Granular access control: Use role-based access control (RBAC) to define specific permissions.
- Enhanced security: No shared secrets that need to be rotated and managed.
- Auditability: Better tracking of who accessed the cache and when.
You can disable access key authentication by setting the disableAccessKeyAuthentication property to true.
When disabled, only Entra ID authentication will be accepted for connections to the cache.
Before you disable access keys:
- Ensure that Microsoft Entra authentication is enabled and you have at least one Redis User configured.
- Ensure all applications connecting to your cache instance switch to using Microsoft Entra Authentication.
- Consider disabling access keys during the scheduled maintenance window for your cache instance.
For geo-replicated caches, you must:
- Unlink the caches.
- Disable access keys.
- Relink the caches.
RECOMMENDATION
Consider disabling access key authentication on Azure Cache for Redis and using Entra ID authentication exclusively.
EXAMPLES
Configure with Bicep
To deploy caches that pass this rule:
- Set the properties.disableAccessKeyAuthentication property to true.
For example:
resource cache 'Microsoft.Cache/redis@2024-11-01' = {
  name: name
  location: location
  properties: {
    redisVersion: '6'
    sku: {
      name: 'Premium'
      family: 'P'
      capacity: 1
    }
    redisConfiguration: {
      'aad-enabled': 'True'
      'maxmemory-reserved': '615'
    }
    enableNonSslPort: false
    publicNetworkAccess: 'Disabled'
    disableAccessKeyAuthentication: true
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}
Configure with Azure template
To deploy caches that pass this rule:
- Set the properties.disableAccessKeyAuthentication property to true.
For example:
{
  "type": "Microsoft.Cache/redis",
  "apiVersion": "2024-11-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "redisVersion": "6",
    "sku": {
      "name": "Premium",
      "family": "P",
      "capacity": 1
    },
    "redisConfiguration": {
      "aad-enabled": "True",
      "maxmemory-reserved": "615"
    },
    "enableNonSslPort": false,
    "publicNetworkAccess": "Disabled",
    "disableAccessKeyAuthentication": true
  },
  "zones": [
    "1",
    "2",
    "3"
  ]
}
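The following is an added example, not part of the PSRule for Azure documentation or the PSRule engine: a small Python checker that evaluates ARM-style Microsoft.Cache/redis resources (the shape of the template above) against this rule, and also flags the lock-out case the Description warns about, where access keys are disabled but Microsoft Entra authentication ('aad-enabled') has not been turned on. The function names, finding labels and sample template are constructed for illustration; the property and configuration key names are the ones used on this page.

```python
"""Added example (not PSRule's own code): evaluate Redis cache resources for
access-key authentication and for the Entra-auth prerequisite described above.
Sample inputs are constructed here and are not taken from any real deployment."""
from __future__ import annotations

REDIS_TYPE = "Microsoft.Cache/redis"


def _truthy(value) -> bool:
    """Normalise values that ARM/Bicep may express as a bool or as a string such as 'True'."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def evaluate_cache(resource: dict) -> list[str]:
    """Return the findings for one resource; an empty list means it passes.

    Finding labels (constructed for this example):
    - 'AccessKeysEnabled'   : disableAccessKeyAuthentication is not true (this rule);
                              the property defaults to false when omitted.
    - 'EntraAuthNotEnabled' : keys are disabled but 'aad-enabled' is not True,
                              so no supported authentication method remains.
    """
    if resource.get("type") != REDIS_TYPE:
        return []  # other resource types are out of scope for this rule
    props = resource.get("properties") or {}
    keys_disabled = _truthy(props.get("disableAccessKeyAuthentication", False))
    config = props.get("redisConfiguration") or {}
    entra_enabled = _truthy(config.get("aad-enabled", False))

    findings: list[str] = []
    if not keys_disabled:
        findings.append("AccessKeysEnabled")
    elif not entra_enabled:
        findings.append("EntraAuthNotEnabled")
    return findings


def evaluate_template(template: dict) -> dict[str, list[str]]:
    """Evaluate every resource in a template, keyed by resource name."""
    return {
        r.get("name", "<unnamed>"): evaluate_cache(r)
        for r in template.get("resources", [])
    }


# Constructed sample template with three caches and one unrelated resource.
SAMPLE_TEMPLATE = {
    "resources": [
        {   # mirrors the page's example: keys disabled, Entra auth enabled
            "type": REDIS_TYPE, "apiVersion": "2024-11-01", "name": "cache-compliant",
            "properties": {
                "redisConfiguration": {"aad-enabled": "True"},
                "disableAccessKeyAuthentication": True,
            },
        },
        {   # property omitted, so access keys stay enabled (fails this rule)
            "type": REDIS_TYPE, "apiVersion": "2024-11-01", "name": "cache-default",
            "properties": {"redisConfiguration": {"aad-enabled": "True"}},
        },
        {   # keys disabled before Entra auth was enabled: clients would be locked out
            "type": REDIS_TYPE, "apiVersion": "2024-11-01", "name": "cache-lockout",
            "properties": {"disableAccessKeyAuthentication": "true"},
        },
        {   # unrelated resource type is ignored
            "type": "Microsoft.Storage/storageAccounts", "name": "stg",
        },
    ]
}

if __name__ == "__main__":
    for name, findings in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {'PASS' if not findings else ', '.join(findings)}")
```

Run the file directly to see one line per resource; point evaluate_template at a parsed ARM template (json.load) to check your own deployments before enabling the Azure Policy listed below, which checks the same property at runtime.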
Configure with Azure Policy
To address this issue at runtime use the following policies:
- Azure Cache for Redis should not use access keys for authentication
/providers/Microsoft.Authorization/policyDefinitions/3827af20-8f80-4b15-8300-6db0873ec901
NOTES
See the Azure Cache for Redis documentation for requirements and limitations for configuring this feature.