
Disable Access Keys Authentication for Azure Cache for Redis Servers

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Microsoft Azure Cache for Redis servers are configured to use Microsoft Entra ID for authentication rather than access keys. Microsoft Entra Authentication is a password-free mechanism that integrates with Microsoft Entra ID and incorporates Role-Based Access Control (RBAC) functionality, facilitated through Access Control Lists (ACLs) supported in open-source Redis.

Security

Using access keys for authentication can result in serious security vulnerabilities due to the potential leakage of secrets to source control systems and their exposure to the public. To ensure optimal security, it is recommended to utilize Microsoft Entra ID with managed identities to authorize requests to your Redis cache. This method offers superior security and ease of use compared to shared access key authorization. Enabling Microsoft Entra Authentication allows connections via a user, service principal, or managed identity. After configuring your Azure Cache for Redis server with Microsoft Entra Authentication, you can create and configure Redis users and Data Access policies.

Disabling access key authentication for a Redis cache server will terminate all client connections, regardless of the authentication method. Consider performing this operation during low traffic or outside of business hours.
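The connection pattern described above (an Entra ID user, service principal, or managed identity authenticating with a short-lived token instead of a static access key), as an added example that is not part of the original page. It assumes the `redis` and `azure-identity` Python packages, which are imported lazily so the module itself loads without them, and it takes a cache host name and the object ID of the identity that was granted a data access policy; the scope string is the token audience Azure Cache for Redis expects, and the token refresh margin is a chosen value. Because Entra tokens expire, a long-lived connection must re-authenticate with AUTH before expiry, which the wrapper below does on a single (non-pooled) connection.

```python
"""Connect to Azure Cache for Redis with Microsoft Entra ID instead of an access
key, and re-authenticate before the token expires.

Added example, not code from the original page. Assumes the `redis` and
`azure-identity` packages (imported lazily), a cache host name and the object ID
(or user principal name) of the identity holding a data access policy.
"""
import time

# Token audience for Azure Cache for Redis when using Entra authentication.
REDIS_SCOPE = "https://redis.azure.com/.default"
# Chosen value: re-authenticate this many seconds before the token expires.
REFRESH_MARGIN_SECONDS = 300


def needs_refresh(expires_on: float, now: float,
                  margin: float = REFRESH_MARGIN_SECONDS) -> bool:
    """True when the current token is within `margin` seconds of expiry or past it."""
    return now >= expires_on - margin


def build_auth_kwargs(host: str, object_id: str, token: str) -> dict:
    """Connection parameters for redis-py: TLS on 6380, username = identity
    object ID, password = the Entra access token (never a static access key).
    A single connection is used so AUTH on refresh applies to the one socket."""
    return {"host": host, "port": 6380, "ssl": True,
            "username": object_id, "password": token,
            "single_connection_client": True}


class EntraRedisClient:
    """Acquires an Entra token, opens the connection, and re-runs AUTH with a
    fresh token when the current one nears expiry."""

    def __init__(self, host: str, object_id: str, credential=None):
        self.host, self.object_id = host, object_id
        if credential is None:
            from azure.identity import DefaultAzureCredential  # lazy import
            credential = DefaultAzureCredential()
        self.credential = credential
        self.expires_on = 0.0
        self.client = None

    def _token(self) -> str:
        tok = self.credential.get_token(REDIS_SCOPE)
        self.expires_on = float(tok.expires_on)
        return tok.token

    def connect(self):
        import redis  # lazy import
        self.client = redis.Redis(
            **build_auth_kwargs(self.host, self.object_id, self._token()))
        return self.client

    def ensure_authenticated(self):
        """Call before each unit of work; refreshes the token when needed."""
        if self.client is None:
            return self.connect()
        if needs_refresh(self.expires_on, time.time()):
            # Same username, new token: the cache re-validates the Entra token.
            self.client.execute_command("AUTH", self.object_id, self._token())
        return self.client


if __name__ == "__main__":
    # Placeholder host and object ID; replace with your cache and identity.
    c = EntraRedisClient("example-cache.redis.cache.windows.net",
                         "00000000-0000-0000-0000-000000000000")
    print(c.ensure_authenticated().ping())
```

`DefaultAzureCredential` picks up a managed identity when the code runs on Azure and a developer login (Azure CLI, VS Code) elsewhere, so the same code path serves both without any secret in configuration.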


Audit

To determine the authentication method configured for your Azure Cache for Redis servers, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cache for Redis for Value, then choose Apply to list the Azure Cache for Redis servers available in the selected subscription.

05 Click on the name (link) of the Azure Cache for Redis server that you want to examine.

06 In the resource navigation panel, under Settings, select Authentication to access the authentication settings configured for Redis cache.

07 Select the Microsoft Entra Authentication tab and check the status of the Enable Microsoft Entra Authentication setting checkbox. Then select the Access keys tab and check the status of the Disable Access Keys Authentication configuration setting. If the Enable Microsoft Entra Authentication checkbox is not checked and the Disable Access Keys Authentication setting is inactive (cannot be configured), the selected Azure Cache for Redis server is configured to use access keys instead of Microsoft Entra ID for authentication.

08 Repeat steps no. 5 - 7 for each Azure Cache for Redis server deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run redis list command (Windows/macOS/Linux) with custom output filters to list the identifier (ID) of each Azure Cache for Redis server available in the selected subscription:

az redis list \
	--query '[*].id'

05 The command output should return the requested cache server IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-project5-redis-cache",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-webapp-cache-server"
]

06 Run redis show command (Windows/macOS/Linux) with the ID of the Azure Cache for Redis server that you want to examine as the identifier parameter, to determine the authentication method configured for the selected cache server by checking the Disable Access Keys Authentication setting status:

az redis show \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-project5-redis-cache" \
	--query '{disableAccessKeyAuthentication:disableAccessKeyAuthentication}'

07 The command output should return the status of the Disable Access Keys Authentication configuration setting:

{
	"disableAccessKeyAuthentication": false
}

If the redis show command output returns false for "disableAccessKeyAuthentication", the Disable Access Keys Authentication setting is not enabled, so access keys are still accepted. Therefore, the selected Azure Cache for Redis server is configured to use access keys instead of Microsoft Entra ID for authentication.

08 Repeat steps no. 6 and 7 for each Azure Cache for Redis server available within the current Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
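The CLI audit above (steps 1 to 9) as one script that loops over every subscription and every cache and reports the ones still accepting access keys. This is an added example, not part of the original page. It assumes the Azure CLI (`az`) is installed and `az login` has been run; the evaluation logic is separated from the `az` calls so it can be exercised on the constructed sample output embedded below (run with `--live` to query your real subscriptions). It treats a missing `disableAccessKeyAuthentication` property as access keys enabled, since that is the service default.

```python
"""Audit every Azure Cache for Redis server in every subscription for
access-key authentication, using the same `az` commands as the audit steps.

Added example, not code from the original page. Assumes the Azure CLI is
installed and logged in; SAMPLE_CACHES below is constructed sample data.
"""
import json
import subprocess
import sys
from typing import Dict, List, Optional


def az(*args: str):
    """Run an Azure CLI command with JSON output and return the parsed result."""
    out = subprocess.run(["az", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None


def is_access_key_auth_enabled(cache: Dict) -> bool:
    """Non-compliant unless `disableAccessKeyAuthentication` is exactly true.
    An absent property means the service default, i.e. access keys enabled."""
    return cache.get("disableAccessKeyAuthentication") is not True


def evaluate(caches: List[Dict]) -> List[Dict]:
    """Return one finding per cache: id, name, subscription and verdict."""
    findings = []
    for c in caches:
        rid = c["id"]
        parts = rid.split("/")  # ['', 'subscriptions', '<sub-id>', ...]
        findings.append({
            "id": rid,
            "name": c.get("name") or rid.rsplit("/", 1)[-1],
            "subscription": parts[2] if len(parts) > 2 else "",
            "access_key_auth_enabled": is_access_key_auth_enabled(c),
        })
    return findings


def audit_all_subscriptions() -> List[Dict]:
    """Audit steps 1-9 automated: list subscriptions, select each, list caches."""
    findings: List[Dict] = []
    sub_ids: Optional[List[str]] = az("account", "list", "--query", "[*].id")
    for sub_id in sub_ids or []:
        # `az redis list` is scoped to the active subscription, so select it first.
        az("account", "set", "--subscription", sub_id)
        caches = az("redis", "list", "--query",
                    "[*].{id:id,name:name,"
                    "disableAccessKeyAuthentication:disableAccessKeyAuthentication}")
        findings.extend(evaluate(caches or []))
    return findings


# Constructed sample output (not real resources) in the shape of `az redis list`.
_SUB = "abcdabcd-1234-abcd-1234-abcdabcdabcd"
_PREFIX = f"/subscriptions/{_SUB}/resourceGroups/rg-example/providers/Microsoft.Cache/Redis/"
SAMPLE_CACHES = [
    {"id": _PREFIX + "cache-a", "name": "cache-a", "disableAccessKeyAuthentication": False},
    {"id": _PREFIX + "cache-b", "name": "cache-b", "disableAccessKeyAuthentication": True},
    {"id": _PREFIX + "cache-c", "name": "cache-c"},  # property absent: keys enabled
]


def non_compliant(findings: List[Dict]) -> List[str]:
    """Names of caches that still accept access keys."""
    return [f["name"] for f in findings if f["access_key_auth_enabled"]]


if __name__ == "__main__":
    results = audit_all_subscriptions() if "--live" in sys.argv else evaluate(SAMPLE_CACHES)
    for f in results:
        verdict = ("NON-COMPLIANT (access keys enabled)"
                   if f["access_key_auth_enabled"] else "compliant")
        print(f"{f['subscription']}  {f['name']}: {verdict}")
```

The multiselect `--query` keeps the per-cache output small while still returning the one property the check depends on; any cache listed under NON-COMPLIANT is one to remediate through the portal procedure in the next section.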

Remediation / Resolution

Using Microsoft Entra Authentication is the secure way to connect your Redis cache. To disable access key authentication and enable Microsoft Entra Authentication for your Azure Cache for Redis servers, perform the following operations:

Modifying existing authentication configuration for Azure Cache for Redis servers using Azure Command Line Interface (Azure CLI) is not currently supported.

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cache for Redis for Value, then choose Apply to list the Azure Cache for Redis servers available in the selected subscription.

05 Click on the name (link) of the Azure Cache for Redis server that you want to configure.

06 In the resource navigation panel, under Settings, select Authentication, and perform the following actions to enable Microsoft Entra Authentication and disable access key authentication for your Redis cache server. Note that modifying authentication configuration will reset connections on your cache:

  1. Select the Microsoft Entra Authentication tab, check the Enable Microsoft Entra Authentication setting checkbox, use the appropriate search box to search and select the user, managed identity, or service principal to connect to your cache server, and choose Save to apply the changes. Select Yes for confirmation. This will enable Microsoft Entra Authentication for the selected Azure Cache for Redis server. The identity you choose will automatically receive the Data Owner access policy.
  2. Once the Microsoft Entra Authentication is enabled, select the Access key tab, check the Disable Access Keys Authentication setting checkbox, and choose Save to apply the changes. Select Yes for confirmation. This will disable access key authentication for the selected Redis cache server.

07 Repeat steps no. 5 and 6 for each Azure Cache for Redis server available within the selected subscription.

08 Repeat steps no. 3 – 7 for each Azure subscription created in your Microsoft Azure cloud account.

Publication date May 12, 2025