Proposed Pull Request Change

| title | description | ms.date | ms.topic | ms.custom | appliesto |
|-------|-------------|---------|----------|-----------|-----------|
| Use Microsoft Entra for cache authentication with Azure Managed Redis | Learn how to use Microsoft Entra with Azure Managed Redis. | 02/12/2026 | conceptual | ['references_regions', 'ignite-2024', 'build-2025'] | ['✅ Azure Managed Redis'] |
---
title: Use Microsoft Entra for cache authentication with Azure Managed Redis
description: Learn how to use Microsoft Entra with Azure Managed Redis.
ms.date: 02/12/2026
ms.topic: conceptual
ms.custom:
  - references_regions
  - ignite-2024
  - build-2025
appliesto:
  - ✅ Azure Managed Redis
---

# Use Microsoft Entra ID for cache authentication with Azure Managed Redis

Azure Managed Redis offers a password-free authentication mechanism by integrating with [Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-whatis).

Azure Managed Redis caches use Microsoft Entra ID by default. When you create a new cache, managed identity is enabled.

Although access key authentication is still available, it comes with a set of challenges around security and password management. By contrast, this article shows you how to use a Microsoft Entra token for cache authentication, connecting to your Redis instance with your service principal or managed identity.

## Prerequisites and limitations

- Microsoft Entra authentication is supported for SSL connections only.
- Microsoft Entra groups aren't supported.
- Some Redis commands are blocked. For a full list of blocked commands, see [Redis commands not supported in Azure Managed Redis](best-practices-client-libraries.md#blocked-commands).

> [!IMPORTANT]
> After a connection is established by using a Microsoft Entra token, client applications must periodically refresh the Microsoft Entra token before expiry. Then the apps must send an `AUTH` command to the Redis server to avoid disrupting connections. For more information, see [Configure your Redis client to use Microsoft Entra](#configure-your-redis-client-to-use-microsoft-entra).

## Configure your Redis client to use Microsoft Entra

If you have used access keys in the past for authentication, you need to update your client workflow to support authentication by using Microsoft Entra ID.
In this section, you learn how to connect to Azure Managed Redis by using Microsoft Entra ID.

### Add users or service principals to your cache

1. Connect to your cache in the Azure portal.

1. On the Resource menu, select **Authentication**.

1. On the **Microsoft Entra Authentication** tab, select **User or service principal** and then **+ Select member**.

1. Type the name of the user who will run the program. Select the user in the list, and then choose **Select**. The user is added to the list of Redis users.

   :::image type="content" source="media/entra-for-authentication/redis-add-user.png" alt-text="Screenshot of the authentication tab in a Redis cache on the Azure portal.":::

### Microsoft Entra client workflow

1. Configure your client application to acquire a Microsoft Entra token for the scope `https://redis.azure.com/.default` or `acca5fbb-b7e4-4009-81f1-37e38fd66d78/.default` by using the [Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview).

1. Update your Redis connection logic to use the following `User` and `Password`:

   - `User` = Object ID of your managed identity or service principal
   - `Password` = Microsoft Entra token that you acquired by using MSAL

1. Ensure that your client executes a Redis [`AUTH` command](https://redis.io/commands/auth/) automatically before your Microsoft Entra token expires by using:

   - `User` = Object ID of your managed identity or service principal
   - `Password` = Microsoft Entra token refreshed periodically

### Best practices for Microsoft Entra authentication

- Configure private links or firewall rules to protect your cache from a denial of service attack.
- Ensure that your client application sends a new Microsoft Entra token at least three minutes before token expiry to avoid connection disruption.
- When you call the Redis server `AUTH` command periodically, consider adding a jitter so that the `AUTH` commands are staggered.
  In this way, your Redis server doesn't receive too many `AUTH` commands at the same time.

## Troubleshooting Microsoft Entra ID and your cache

If you encounter authentication issues with Microsoft Entra ID on your Azure Managed Redis instance, you can use the Azure CLI to test connectivity or validate your tokens using a PowerShell script.

### Test connectivity with Azure CLI

You can use the Azure CLI to quickly test if you can connect to your Redis cluster. The [az redisenterprise test-connection](/cli/azure/redisenterprise#az_redisenterprise_test_connection) command is helpful for debugging connection issues and verifies end-to-end connectivity by sending a `ping` command.

For prerequisites to use the Azure CLI with Azure Managed Redis, see [Manage an Azure Managed Redis cache using the Azure CLI](scripts/create-manage-cache.md).

To test connection with Microsoft Entra ID authentication (the default), run the following command:

```azurecli
az redisenterprise test-connection --name <cache-name> --resource-group <resource-group-name>
```

Or explicitly specify Entra authentication:

```azurecli
az redisenterprise test-connection --name <cache-name> --resource-group <resource-group-name> --auth entra
```

> [!NOTE]
> This command uses the credential established through `az login`, which supports user accounts, managed identities, or service principals.

### Validate Microsoft Entra tokens

If your application fails to access the Azure Managed Redis instance through Microsoft Entra ID, you can also use the following PowerShell script:

[EntraTokenValidation](https://github.com/AzureManagedRedis/DiagnosticTools/tree/main/EntraTokenValidation)

This PowerShell script validates Microsoft Entra ID tokens for Azure Managed Redis Cache resources. The script checks tokens and verifies access policies to help you diagnose authentication issues.
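The client workflow and best practices above can also be checked locally before opening a support case. The following is an added example (not the EntraTokenValidation script and not Microsoft's code): it decodes a token's claims, compares `oid` with the Redis `User`, and computes when to send the next `AUTH` using the three-minute margin plus jitter. The expected `aud` values, the helper names, and the sample token are assumptions constructed for illustration.

```python
import base64
import json
import random
import time

REFRESH_MARGIN_S = 180  # page guidance: new token at least three minutes before expiry
# Assumption: "aud" equals one of the page's two scopes without the "/.default" suffix.
EXPECTED_AUDIENCES = {"https://redis.azure.com", "acca5fbb-b7e4-4009-81f1-37e38fd66d78"}

def b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def jwt_claims(token):
    """Decode the JWT payload without verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_token(token, redis_user, now=None):
    """List the reasons AUTH with this token would be rejected or soon lapse."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    if claims.get("oid") != redis_user:
        problems.append("oid claim does not match the Redis User")
    if str(claims.get("aud", "")).rstrip("/") not in EXPECTED_AUDIENCES:
        problems.append("token was not issued for the Redis audience")
    if claims.get("exp", 0) - now <= REFRESH_MARGIN_S:
        problems.append("token is inside the three-minute refresh margin")
    return problems

def next_auth_delay(token, now=None, max_jitter_s=60.0, rng=random):
    """Seconds to wait before sending AUTH with a freshly acquired token."""
    now = time.time() if now is None else now
    # Jitter only moves the refresh earlier, so the margin is never eaten into.
    deadline = jwt_claims(token)["exp"] - REFRESH_MARGIN_S - rng.uniform(0, max_jitter_s)
    return max(0.0, deadline - now)

# Constructed sample: unsigned token with a placeholder object ID, valid for one hour.
SAMPLE_OID = "00000000-0000-0000-0000-000000000001"
SAMPLE_NOW = 1_700_000_000
SAMPLE_TOKEN = ".".join([b64url({"alg": "none", "typ": "JWT"}),
                         b64url({"oid": SAMPLE_OID, "aud": "https://redis.azure.com",
                                 "exp": SAMPLE_NOW + 3600}), "constructed-signature"])

if __name__ == "__main__":
    print(check_token(SAMPLE_TOKEN, SAMPLE_OID, now=SAMPLE_NOW))
    print(round(next_auth_delay(SAMPLE_TOKEN, now=SAMPLE_NOW)))
```

Because the signature is not verified, use the output only to diagnose your own client's token, never as an authorization decision.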
## Client library support

The library [`Microsoft.Azure.StackExchangeRedis`](https://www.nuget.org/packages/Microsoft.Azure.StackExchangeRedis) is an extension of `StackExchange.Redis` that enables you to use Microsoft Entra to authenticate connections from a Redis client application to an Azure Managed Redis. The extension manages the authentication token, including proactively refreshing tokens before they expire to maintain persistent Redis connections over multiple days.

[This code sample](https://github.com/Azure/Microsoft.Azure.StackExchangeRedis) demonstrates how to use the `Microsoft.Azure.StackExchangeRedis` NuGet package to connect to your Azure Managed Redis instance by using Microsoft Entra.

The following table includes links to code samples. They demonstrate how to connect to your Azure Managed Redis instance by using a Microsoft Entra token. Various client libraries are included in multiple languages.

| Client library      | Language | Link to sample code                                                                            |
|---------------------|----------|------------------------------------------------------------------------------------------------|
| StackExchange.Redis | .NET     | [StackExchange.Redis code sample](https://github.com/Azure/Microsoft.Azure.StackExchangeRedis) |
| redis-py            | Python   | [redis-py code sample](https://redis.io/docs/latest/develop/clients/redis-py/amr/)             |
| Jedis               | Java     | [Jedis code sample](https://redis.io/docs/latest/develop/clients/jedis/amr/)                   |
| Lettuce             | Java     | [Lettuce code sample](https://redis.io/docs/latest/develop/clients/lettuce/amr/)               |
| node-redis          | Node.js  | [node-redis code sample](https://redis.io/docs/latest/develop/clients/nodejs/amr/)             |
| go-redis            | Go       | [go code sample](https://redis.io/docs/latest/develop/clients/go/amr)                          |

## Disable access key authentication on your cache

If you have a cache using access keys, we recommend switching to Microsoft Entra ID as the secure way to connect your cache and disabling access keys.
When you disable access keys, the system terminates all existing client connections, regardless of whether they use access keys or Microsoft Entra ID authentication.

Before you disable access keys on geo-replicated caches, you must:

1. Unlink the caches.
1. Disable access keys.
1. Relink the caches.

To disable access keys, follow this procedure:

1. In the Azure portal, select the Azure Managed Redis instance where you want to disable access keys.

1. On the **Resource** menu, select **Authentication**.

1. On the working pane, select **Access keys**.

1. Select the **Access Keys Authentication** control to disable access keys.

1. Confirm that you want to update your configuration by selecting **Yes**.

> [!IMPORTANT]
> When the **Access Keys Authentication** setting is changed for a cache, all existing client connections, using access keys or Microsoft Entra, are terminated. Follow the best practices to implement proper retry mechanisms for reconnecting Microsoft Entra-based connections. For more information, see [Connection resilience](best-practices-connection.md).

## Related content

- [Reference pages for identity](/cli/azure/redis/identity)