
Connecting to Azure Cache for Redis with Entra ID in Azure Government

by info.odysseyx@gmail.com


I was working with a customer who was trying to connect an ASP.NET application to Azure Cache for Redis and specifically wanted to be able to connect to resources in Azure Government from developer workstations.

There are two ways to connect to Azure Cache for Redis: using access keys or through Entra ID. As with storage accounts and Azure Database for SQL, using static access keys or username/password authentication introduces potential vulnerabilities, while using an Entra identity via a service principal or managed identity provides a stronger and more manageable authentication and authorization mechanism.

The Azure.Identity library provides a class called DefaultAzureCredential that does some interesting things with associated credentials. You can read the full article here, but in simple terms, DefaultAzureCredential tries multiple authentication mechanisms in sequence until a token is obtained successfully. The order of the chain is as follows:

  1. Environment (by default Entra App Service Client ID/Secret or Certificate)
  2. Workload Identity
  3. Managed Identity
  4. Visual Studio
  5. Azure CLI
  6. Azure PowerShell
  7. Azure Developer CLI
  8. Interactive browser

This means you can use the same authentication code to authenticate in App Service using a managed identity, or locally in your Visual Studio development environment using an account configured for Azure service authentication. As long as you can use one of the options above, you don’t have to worry about how your app is authenticated in your environment.

Following the instructions in the Azure Cache for Redis sample repositories, the customer configured the Azure Cache for Redis connection as follows:

var configurationOptions = await ConfigurationOptions.Parse($"{_redisHostName}:6380").ConfigureForAzureWithTokenCredentialAsync(new DefaultAzureCredential());

However, when I tried to step through the code, I got the following error: “Failed to acquire token” – CredentialUnavailableException: EnvironmentCredential authentication is not available. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/

I took a look and the first thing I noticed is that I need to specify an AuthorityHost value. This means you need to point your credentials at the Azure Government cloud like this:

var configurationOptions = await ConfigurationOptions.Parse($"{_redisHostName}:6380").ConfigureForAzureWithTokenCredentialAsync(new DefaultAzureCredential(new DefaultAzureCredentialOptions() { AuthorityHost=AzureAuthorityHosts.AzureGovernment}));

But this didn’t change my error at all. What’s going on?

Looking at the Microsoft.Azure.StackExchangeRedis library, the ConfigureForAzureWithTokenCredentialAsync method does not yet have a way to specify a sovereign cloud endpoint (and, if I’m reading the code correctly, the same goes for ManagedIdentity in the sovereign clouds). So what now?

As it turns out, the option to use a service principal does allow you to specify which sovereign cloud you want to authenticate to. Creating a service principal in Entra is well documented, either on the portal or via a simple az cli command:

az ad sp create-for-rbac --name "myredissp"

After creating the service principal, create a Redis user for it on your Redis resource, then connect to the cache in code using:

var configurationOptions = await ConfigurationOptions.Parse($"{_redisHostName}:6380").ConfigureForAzureWithServicePrincipalAsync(clientId, tenantId, clientSecret, null, Microsoft.Identity.Client.AzureCloudInstance.AzureUsGovernment, null);

In the future we will include the option to specify a target sovereign cloud to connect to Redis using DefaultAzureCredential, but for now you can use a service principal.
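
A fuller version of the service principal connection above, as an added example that is not code from the original post or from the Microsoft.Azure.StackExchangeRedis project. The environment variable names and the host-suffix check are assumptions made for this example; the client secret is read from the environment so that it does not end up in source control.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;   // AzureCloudInstance
using StackExchange.Redis;         // ConfigurationOptions and the Azure extension methods

public static class GovRedisExample
{
    // DNS suffix expected for Azure Government caches (assumption of this example).
    private const string GovSuffix = ".redis.cache.usgovcloudapi.net";

    // Fail closed when a setting is missing instead of falling back to a default.
    private static string Require(string name)
    {
        string? value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException($"Environment variable {name} is not set.");
        return value;
    }

    public static async Task<ConnectionMultiplexer> ConnectAsync()
    {
        // Hypothetical variable names chosen for this example.
        string host = Require("REDIS_HOST_NAME");
        string clientId = Require("REDIS_SP_CLIENT_ID");
        string tenantId = Require("REDIS_SP_TENANT_ID");
        string clientSecret = Require("REDIS_SP_CLIENT_SECRET");

        // Catch a public-cloud host name early; it cannot work with a Government token.
        if (!host.EndsWith(GovSuffix, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException($"{host} is not an Azure Government cache host.");

        var options = ConfigurationOptions.Parse($"{host}:6380");
        options.Ssl = true;                 // 6380 is the TLS port
        options.AbortOnConnectFail = true;  // surface authentication failures immediately

        // Same call as in the post, with the cloud instance set to Azure Government.
        options = await options.ConfigureForAzureWithServicePrincipalAsync(
            clientId, tenantId, clientSecret, null, AzureCloudInstance.AzureUsGovernment, null);

        return await ConnectionMultiplexer.ConnectAsync(options);
    }

    public static async Task Main()
    {
        using ConnectionMultiplexer redis = await ConnectAsync();
        TimeSpan latency = await redis.GetDatabase().PingAsync();
        Console.WriteLine($"Authenticated to Redis, ping {latency.TotalMilliseconds:F1} ms");
    }
}
```

A service principal secret is still a static credential, so keep it in a secret store and rotate it on a schedule.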




