
Azure Cache for Redis access keys are enabled

Security · Azure Cache for Redis · Rule · 2025_09 · Important

Access keys allow depersonalized access to Azure Cache for Redis using a shared secret.

Description

Azure Cache for Redis supports two forms of authentication: access keys and Entra ID (previously Azure AD) authentication. Access keys provide full access to the cache without granular permission controls. When access keys are used, anyone with the key can perform any operation on the cache.

Using Entra ID authentication offers several advantages:

  • Centralized identity management: Consistent authentication across all Azure services.
  • Granular access control: Use role-based access control (RBAC) to define specific permissions.
  • Enhanced security: No shared secrets that need to be rotated and managed.
  • Auditability: Better tracking of who accessed the cache and when.

You can disable access key authentication by setting the disableAccessKeyAuthentication property to true. When disabled, only Entra ID authentication will be accepted for connections to the cache.

Before you disable access keys:

  • Ensure that Microsoft Entra authentication is enabled and you have at least one Redis User configured.
  • Ensure all applications connecting to your cache instance switch to using Microsoft Entra Authentication.
  • Consider disabling access keys during the scheduled maintenance window for your cache instance.

For geo-replicated caches, you must:

  • Unlink the caches.
  • Disable access keys.
  • Relink the caches.
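The prerequisites above are easy to miss when the change is made in a template rather than the portal. The following is an added example, not part of the PSRule for Azure rule or its implementation: an offline script that walks the resources of an ARM template (compiled Bicep or an exported deployment) and, for each Microsoft.Cache/redis resource, reports whether Entra ID authentication is on, whether at least one Redis User is declared, whether the cache is geo-linked (so the unlink/disable/relink sequence applies), and whether disableAccessKeyAuthentication is already set. It assumes Redis Users are declared as Microsoft.Cache/redis/accessPolicyAssignments child resources and geo-replication as Microsoft.Cache/redis/linkedServers child resources; the sample template, its cache names and object IDs are constructed for the example.

```python
"""Offline readiness and compliance check for Azure Cache for Redis access keys.

Added example (not PSRule's own rule logic). Walks the `resources` of an ARM
template and, for every Microsoft.Cache/redis resource, reports whether the
prerequisites for disabling access keys are met and whether the rule passes.
"""
import json

CACHE_TYPE = "Microsoft.Cache/redis"
# Child resource types assumed for this example (both in the Microsoft.Cache namespace).
USER_TYPE = "Microsoft.Cache/redis/accessPolicyAssignments"  # Redis Users
LINK_TYPE = "Microsoft.Cache/redis/linkedServers"            # geo-replication links


def _is_true(value):
    """redisConfiguration values are strings ('True'); top-level properties are bools."""
    return value is True or str(value).strip().lower() == "true"


def _flatten(resources, parent_type="", parent_name=""):
    """Yield (full_type, full_name, resource) for top-level and nested resources.

    Nested ARM children use the short form (type 'accessPolicyAssignments',
    name 'app-identity'); top-level children use 'Parent/child' names.
    """
    for res in resources:
        rtype, rname = res.get("type", ""), res.get("name", "")
        if parent_type and "/" not in rtype:
            rtype, rname = f"{parent_type}/{rtype}", f"{parent_name}/{rname}"
        yield rtype, rname, res
        yield from _flatten(res.get("resources", []), rtype, rname)


def check_cache(name, cache, children):
    """Evaluate one cache against the rule and the page's prerequisites."""
    props = cache.get("properties", {})
    config = props.get("redisConfiguration", {})
    entra = _is_true(config.get("aad-enabled", "False"))
    users = [c for t, c in children if t == USER_TYPE]
    linked = [c for t, c in children if t == LINK_TYPE]
    keys_disabled = _is_true(props.get("disableAccessKeyAuthentication", False))

    findings = []
    if not entra:
        findings.append("redisConfiguration['aad-enabled'] is not 'True'")
    if not users:
        findings.append("no accessPolicyAssignments (Redis Users) declared")
    if linked:
        findings.append("geo-replicated: unlink, disable access keys, then relink")
    if keys_disabled and not (entra and users):
        findings.append("LOCKOUT RISK: access keys disabled with no working Entra ID path")
    return {
        "name": name,
        "passes_rule": keys_disabled,              # what the PSRule check looks at
        "ready_to_disable": entra and bool(users),  # safe to set the property
        "needs_unlink": bool(linked),
        "findings": findings,
    }


def audit_template(template):
    """Return one report dict per Microsoft.Cache/redis resource in the template."""
    flat = list(_flatten(template.get("resources", [])))
    reports = []
    for rtype, rname, res in flat:
        if rtype != CACHE_TYPE:
            continue
        children = [(t, r) for t, n, r in flat if n.startswith(rname + "/")]
        reports.append(check_cache(rname, res, children))
    return reports


# Constructed sample template: a compliant cache, one that is not ready, and a
# geo-replicated cache that still has access keys enabled. Object IDs are placeholders.
SAMPLE_TEMPLATE = {
    "resources": [
        {
            "type": CACHE_TYPE, "name": "cache-prod",
            "properties": {"redisConfiguration": {"aad-enabled": "True"},
                           "disableAccessKeyAuthentication": True},
            "resources": [{  # nested child in the short ARM form
                "type": "accessPolicyAssignments", "name": "app-identity",
                "properties": {"accessPolicyName": "Data Contributor",
                               "objectId": "00000000-0000-0000-0000-000000000001",
                               "objectIdAlias": "app-identity"},
            }],
        },
        {"type": CACHE_TYPE, "name": "cache-legacy",
         "properties": {"redisConfiguration": {"aad-enabled": "False"}}},
        {"type": CACHE_TYPE, "name": "cache-geo",
         "properties": {"redisConfiguration": {"aad-enabled": "True"},
                        "disableAccessKeyAuthentication": False}},
        {"type": USER_TYPE, "name": "cache-geo/ops-identity",  # top-level child form
         "properties": {"accessPolicyName": "Data Owner",
                        "objectId": "00000000-0000-0000-0000-000000000002"}},
        {"type": LINK_TYPE, "name": "cache-geo/cache-geo-secondary", "properties": {}},
    ]
}

if __name__ == "__main__":
    for report in audit_template(SAMPLE_TEMPLATE):
        print(json.dumps(report, indent=2))
```

Run it against a compiled Bicep file (`az bicep build`) before changing the property: a cache reported with `passes_rule` false but `ready_to_disable` true is the safe case to fix, while a `LOCKOUT RISK` finding means the template would cut off every client that still relies on keys without giving Entra ID clients a way in.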

Recommendation

Consider disabling access key authentication on Azure Cache for Redis and using Entra ID authentication exclusively.

Examples

Configure with Bicep

To deploy caches that pass this rule:

  • Set the properties.disableAccessKeyAuthentication property to true.

For example:

Azure Bicep snippet
resource cache 'Microsoft.Cache/redis@2024-11-01' = {
  name: name
  location: location
  properties: {
    redisVersion: '6'
    sku: {
      name: 'Premium'
      family: 'P'
      capacity: 1
    }
    redisConfiguration: {
      'aad-enabled': 'True'
      'maxmemory-reserved': '615'
    }
    enableNonSslPort: false
    publicNetworkAccess: 'Disabled'
    disableAccessKeyAuthentication: true
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/cache/redis:<version>

To use the latest version:

br/public:avm/res/cache/redis:0.9.0

Configure with Azure template

To deploy caches that pass this rule:

  • Set the properties.disableAccessKeyAuthentication property to true.

For example:

Azure Template snippet
{
  "type": "Microsoft.Cache/redis",
  "apiVersion": "2024-11-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "redisVersion": "6",
    "sku": {
      "name": "Premium",
      "family": "P",
      "capacity": 1
    },
    "redisConfiguration": {
      "aad-enabled": "True",
      "maxmemory-reserved": "615"
    },
    "enableNonSslPort": false,
    "publicNetworkAccess": "Disabled",
    "disableAccessKeyAuthentication": true
  },
  "zones": [
    "1",
    "2",
    "3"
  ]
}

Configure with Azure Policy

To address this issue at runtime use the following policies:

Notes

See the Azure Cache for Redis documentation for requirements and limitations for configuring this feature.
