
Use Entra ID authentication with cache instances

Security · Azure Cache for Redis · Rule · 2024_06 · Critical

Use Entra ID authentication with cache instances.

Description

Azure Cache for Redis provides two authentication methods for accessing cache instances: access keys and Microsoft Entra ID. Entra ID authentication offers centralized identity management and enhanced security features.

Some advantages of using Entra ID authentication over access keys include:

  • Support for Azure Multi-Factor Authentication (MFA).
  • Support for Conditional Access policies.

Disabling local authentication methods is not supported. However, regenerating the access keys will invalidate any previously used access keys, rendering them unusable for accessing the cache instance.

See documentation references below for additional limitations and important information.

Recommendation

Consider using Entra ID authentication with cache instances.

Examples

Configure with Azure template

To deploy cache instances that pass this rule:

  • Set the properties.redisConfiguration.aad-enabled property to 'True'.

For example:

Azure Template snippet
{
  "type": "Microsoft.Cache/redis",
  "apiVersion": "2023-08-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "minimumTlsVersion": "1.2",
    "redisVersion": "latest",
    "sku": {
      "name": "Premium",
      "family": "P",
      "capacity": 1
    },
    "redisConfiguration": {
      "aad-enabled": "True"
    }
  }
}

Configure with Bicep

To deploy cache instances that pass this rule:

  • Set the properties.redisConfiguration.aad-enabled property to 'True'.

For example:

Azure Bicep snippet
resource cache 'Microsoft.Cache/redis@2023-08-01' = {
  name: name
  location: location
  properties: {
    minimumTlsVersion: '1.2'
    redisVersion: 'latest'
    sku: {
      name: 'Premium'
      family: 'P'
      capacity: 1
    }
    redisConfiguration: {
      'aad-enabled': 'True'
    }
  }
}
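The following is an added example, not PSRule's implementation of this rule and not code from this page: a small Python check that applies the rule's criterion to the ARM template JSON (which both the template and Bicep examples above produce once deployed or compiled). A Microsoft.Cache/redis resource passes when properties.redisConfiguration.aad-enabled is 'True'; Microsoft.Cache/redisEnterprise resources are skipped because Entra ID authentication is not available in the Enterprise tiers. The sample template, resource names and the case-insensitive handling of the value are constructed assumptions for this example.

```python
"""Added example: evaluate Azure Cache for Redis resources in an ARM template
for Entra ID authentication. Not PSRule's own rule implementation."""
import json

# Constructed sample template (not from the page): one cache with Entra ID
# enabled, one relying on access keys only, one setting the flag in lower case,
# and one Enterprise-tier cache that the rule does not apply to.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Cache/redis",
            "apiVersion": "2023-08-01",
            "name": "cache-entra",
            "properties": {
                "minimumTlsVersion": "1.2",
                "redisConfiguration": {"aad-enabled": "True"},
            },
        },
        {
            "type": "Microsoft.Cache/redis",
            "apiVersion": "2023-08-01",
            "name": "cache-keys-only",
            "properties": {"minimumTlsVersion": "1.2"},
        },
        {
            "type": "Microsoft.Cache/redis",
            "apiVersion": "2023-08-01",
            "name": "cache-lowercase",
            "properties": {"redisConfiguration": {"aad-enabled": "true"}},
        },
        {
            # Enterprise tiers use a different resource type; out of scope here.
            "type": "Microsoft.Cache/redisEnterprise",
            "apiVersion": "2023-08-01",
            "name": "cache-enterprise",
            "properties": {},
        },
    ],
})


def entra_id_enabled(resource: dict) -> bool:
    """Return True when redisConfiguration.aad-enabled is set to True.

    The page documents the value as the string 'True'. As an assumption, the
    check also accepts other casings and a JSON boolean, so a template that
    enables the feature is not reported as failing on a formatting difference.
    """
    properties = resource.get("properties") or {}
    config = properties.get("redisConfiguration") or {}
    value = config.get("aad-enabled")
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def evaluate_template(template_json: str) -> dict:
    """Map each Microsoft.Cache/redis resource name to 'Pass' or 'Fail'.

    Resources of any other type, including Microsoft.Cache/redisEnterprise,
    are not evaluated because the rule only targets the Basic, Standard and
    Premium tiers where Entra ID authentication is available.
    """
    template = json.loads(template_json)
    results = {}
    for resource in template.get("resources", []):
        if resource.get("type", "").lower() != "microsoft.cache/redis":
            continue
        outcome = "Pass" if entra_id_enabled(resource) else "Fail"
        results[resource["name"]] = outcome
    return results


if __name__ == "__main__":
    # Run against the constructed sample; a failing resource is one that still
    # depends solely on access keys for authentication.
    for name, outcome in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{outcome}: {name}")
```

Running the block against the constructed sample reports cache-entra and cache-lowercase as Pass and cache-keys-only as Fail; cache-enterprise does not appear because it is out of scope. The same function can be pointed at a compiled Bicep template (the JSON produced by bicep build) to check the Bicep example above.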

Notes

Microsoft Entra ID based authentication isn't supported in the Enterprise tiers (Azure Cache for Redis Enterprise).
