| title | Access Azure App Configuration using Microsoft Entra ID |
|---|---|
| description | Use Microsoft Entra ID and Azure role-based access control (RBAC) to access your Azure App Configuration store. |
| author | zhenlan |
| ms.author | zhenlwa |
| ms.date | 10/30/2025 |
| ms.topic | concept-article |
| ms.service | azure-app-configuration |
Azure App Configuration supports authorization of requests to App Configuration stores using Microsoft Entra ID. With Microsoft Entra ID, you can leverage Azure role-based access control (Azure RBAC) to grant permissions to security principals, which can be user principals, managed identities, or service principals.
Accessing an App Configuration store using Microsoft Entra ID involves two steps:
-
Authentication: Acquire a token of the security principal from Microsoft Entra ID for App Configuration. For more information, see Microsoft Entra authentication in App Configuration.
-
Authorization: Pass the token as part of a request to an App Configuration store. To authorize access to the specified App Configuration store, the security principal must be assigned the appropriate roles in advance. For more information, see Microsoft Entra authorization in App Configuration.
Azure provides the following built-in roles for authorizing access to App Configuration using Microsoft Entra ID:
Requests for data plane operations are sent to the endpoint of your App Configuration store. These requests pertain to App Configuration data.
- App Configuration Data Owner: Use this role to give read, write, and delete access to App Configuration data. This role doesn't grant access to the App Configuration resource.
- App Configuration Data Reader: Use this role to give read access to App Configuration data. This role doesn't grant access to the App Configuration resource.
All requests for control plane operations are sent to the Azure Resource Manager URL. These requests pertain to the App Configuration resource.
- App Configuration Contributor: Use this role to manage only App Configuration resource. This role does not grant access to manage other Azure resources. It grants access to the resource's access keys. While the App Configuration data can be accessed using access keys, this role doesn't grant direct access to the data using Microsoft Entra ID. It grants access to recover deleted App Configuration resource but not to purge them. To purge deleted App Configuration resources, use the Contributor role.
- App Configuration Reader: Use this role to read only App Configuration resource. This role does not grant access to read other Azure resources. It doesn't grant access to the resource's access keys, nor to the data stored in App Configuration.
- Contributor or Owner: Use this role to manage the App Configuration resource while also be able to manage other Azure resources. This role is a privileged administrator role. It grants access to the resource's access keys. While the App Configuration data can be accessed using access keys, this role doesn't grant direct access to the data using Microsoft Entra ID.
- Reader: Use this role to read App Configuration resource while also be able to read other Azure resources. This role doesn't grant access to the resource's access keys, nor to the data stored in App Configuration.
Note
After a role assignment is made for an identity, allow up to 15 minutes for the permission to propagate before accessing data stored in App Configuration using this identity.
To enable your application to authenticate with Microsoft Entra ID, the Azure Identity library supports various token credentials for Microsoft Entra ID authentication. For example, you might choose Visual Studio Credential when developing your application in Visual Studio, Workload Identity Credential when your application runs on Kubernetes, or Managed Identity Credential when your application is deployed in Azure services like Azure Functions.
The DefaultAzureCredential is a preconfigured chain of token credentials that automatically attempts an ordered sequence of the most common authentication methods. Using the DefaultAzureCredential allows you to keep the same code in both local development and Azure environments. However, it's important to know which credential is being used in each environment, as you need to grant the appropriate roles for authorization to work. For example, authorize your own account when you expect the DefaultAzureCredential to fall back to your user identity during local development. Similarly, enable managed identity in Azure Functions and assign it the necessary role when you expect the DefaultAzureCredential to fall back to the ManagedIdentityCredential when your Function App runs in Azure.
Regardless of which credential you use, you must assign it the appropriate roles before it can access your App Configuration store. If your application only needs to read data from your App Configuration store, assign it the App Configuration Data Reader role. If your application also needs to write data to your App Configuration store, assign it the App Configuration Data Owner role.
Follow these steps to assign App Configuration Data roles to your credential.
-
In the Azure portal, navigate to your App Configuration store and select Access control (IAM).
-
Select Add -> Add role assignment.
If you don't have permission to assign roles, the Add role assignment option will be disabled. Only users with Owner or User Access Administrator roles can make role assignments.
-
On the Role tab, select the App Configuration Data Reader role (or another App Configuration role as appropriate) and then select Next.
-
On the Members tab, follow the wizard to select the credential you're granting access to and then select Next.
-
Finally, on the Review + assign tab, select Review + assign to assign the role.
The audience for Microsoft Entra ID authentication defines who is permitted to access a specific resource. It identifies the intended recipient of the security token. App Configuration supports different audiences for different clouds.
For Azure App Configuration in the global Azure cloud, use the following audience:
https://appconfig.azure.com
For Azure App Configuration in the national clouds, use the applicable audience specified in the table below:
| National cloud | Audience |
|---|---|
| Azure Government | https://appconfig.azure.us |
| Microsoft Azure operated by 21Vianet | https://appconfig.azure.cn |
| Bleu | https://appconfig.sovcloud-api.fr |
When using Entra ID to authenticate with Azure App Configuration in clouds other than Azure cloud, Azure Government, and Microsoft Azure operated by 21Vianet, an appropriate Entra ID audience must be configured.
Tip
If you encounter the following error when connecting to Azure App Configuration, it’s typically because you’re using App Configuration in a specific cloud without explicitly configuring the Microsoft Entra ID audience.
AADSTS500011: The resource principal named https://appconfig.azure.com was not found in the tenant named msazurecloud.To resolve this issue, configure the appropriate Entra ID audience as shown in the code snippets below.
If your application uses any of the following packages, audience can be configured by utilizing the ConfigureClientOptions method. Use version 8.2.0 or later of any of the following packages to configure the audience.
Microsoft.Extensions.Configuration.AzureAppConfigurationMicrosoft.Azure.AppConfiguration.AspNetCoreMicrosoft.Azure.AppConfiguration.Functions.Worker
The following code snippet demonstrates how to add the Azure App Configuration provider into a .NET application with a cloud-specific audience.
builder.AddAzureAppConfiguration(o =>
{
o.Connect(
myStoreEndpoint,
new DefaultAzureCredential());
o.ConfigureClientOptions(clientOptions =>
clientOptions.Audience = "{Cloud specific audience here}");
});If your application uses the following package, audience can be configured in ConfigurationClientOptions when constructing the ConfigurationClient object. Use version 1.6.0 or later of the following package.
Azure.Data.AppConfiguration
The following code snippet demonstrates how to instantiate a configuration client with a cloud-specific audience.
var configurationClient = new ConfigurationClient(
myStoreEndpoint,
new DefaultAzureCredential(),
new ConfigurationClientOptions
{
Audience = "{Cloud specific audience here}"
});If your application uses any of the following packages, audience can be configured by customizing the ConfigurationClientBuilder through the ConfigurationClientCustomizer interface, then adding it to the bootstrap registry. Use version 5.22.0 or later of the following packages to configure the audience.
spring-cloud-azure-appconfiguration-configspring-cloud-azure-appconfiguration-config-web
The following code snippet demonstrates how to add the Azure App Configuration provider into a Spring Boot application with a cloud-specific audience.
import com.azure.data.appconfiguration.ConfigurationClientBuilder;
import com.azure.data.appconfiguration.models.ConfigurationAudience;
import com.azure.spring.cloud.appconfiguration.config.ConfigurationClientCustomizer;
public class CustomClient implements ConfigurationClientCustomizer {
@Override
public void customize(ConfigurationClientBuilder builder, String endpoint) {
builder.audience(ConfigurationAudience.fromString("{Cloud specific audience here}"));
}
}Then, register the CustomClient in the bootstrap registry.
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import hello.impl.AppConfigClientImpl;
@SpringBootApplication
@AutoConfiguration
public class Application {
public static void main(String[] args) {
SpringApplication app = new SpringApplication(Application.class);
// Register the ConfigurationClientCustomizer in the bootstrap context
app.addBootstrapRegistryInitializer(registry -> {
registry.register(CustomClient.class, context -> new CustomClient());
});
app.run(args);
}
}If your application uses the following package, audience can be configured by passing the audience option to the ConfigurationClientBuilder when building a ConfigurationClient. Use version 1.8.0 or later of the following package.
azure-data-appconfiguration
The following code snippet demonstrates how to instantiate a configuration client with a cloud-specific audience.
ConfigurationClient configurationClient = new ConfigurationClientBuilder()
.endpoint(myStoreEndpoint)
.credential(new DefaultAzureCredentialBuilder().build())
.audience(ConfigurationAudience.fromString("{Cloud specific audience here}"))
.buildClient();If your application uses the following package, audience can be configured by passing the clientOptions with the audience property to the load function. Use version 1.0.0 or later of the following package.
@azure/app-configuration-provider
The following code snippet demonstrates how to load Azure App Configuration in a JavaScript application with a cloud-specific audience.
const appConfig = await load(myStoreEndpoint, credential, {
clientOptions: {
audience: "{Cloud specific audience here}"
}
});If your application uses the following package, audience can be configured by passing the audience option to the AppConfigurationClient constructor. Use version 1.9.0 or later of the following package.
@azure/app-configuration
The following code snippet demonstrates how to instantiate a configuration client with a cloud-specific audience.
const client = new AppConfigurationClient(myStoreEndpoint, new DefaultAzureCredential(), {
audience: "{Cloud specific audience here}",
});If your application uses the following package, audience can be configured by passing the keyword audience to the load method. Use version 2.4.0 or later of the following package.
azure-appconfiguration-provider
The following code snippet demonstrates how to load Azure App Configuration in a Python application with a cloud-specific audience.
from azure.appconfiguration.provider import load
from azure.identity import DefaultAzureCredential
config = load(
endpoint=myStoreEndpoint,
credential=DefaultAzureCredential(),
audience="{Cloud specific audience here}",
)If your application uses the following package, audience can be configured by passing the audience keyword to the AzureAppConfigurationClient constructor. Use version 1.8.0 or later of the following package.
azure-appconfiguration
The following code snippet demonstrates how to instantiate a configuration client with a cloud-specific audience.
from azure.appconfiguration import AzureAppConfigurationClient
from azure.identity import DefaultAzureCredential
client = AzureAppConfigurationClient(
myStoreEndpoint,
DefaultAzureCredential(),
audience="{Cloud specific audience here}",
)To configure the Entra ID audience, import the following packages in your Go application first:
import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
)If your application uses the following package, audience can be configured by passing the ClientOptions with the cloud configuration to the Load function. Use version 1.0.0 or later of the following package.
azureappconfiguration
The following code snippet demonstrates how to load Azure App Configuration in a Go application with a cloud-specific audience.
credential, _:= azidentity.NewDefaultAzureCredential(nil)
authOptions := azureappconfiguration.AuthenticationOptions{
Endpoint: myStoreEndpoint,
Credential: credential,
}
cloudConfig := cloud.Configuration{
Services: map[cloud.ServiceName]cloud.ServiceConfiguration{
azappconfig.ServiceName: {
Audience: "{Cloud specific audience here}",
},
},
}
options := &azureappconfiguration.Options{
ClientOptions: &azappconfig.ClientOptions{
ClientOptions: policy.ClientOptions{
Cloud: cloudConfig,
},
},
}
appConfig, _ := azureappconfiguration.Load(context.Background(), authOptions, options)If your application uses the following package, audience can be configured by utilizing the cloud configuration. Use version 2.1.0 or later of the following package.
azappconfig
The following code snippet demonstrates how to instantiate a configuration client with a cloud-specific audience.
credential, _:= azidentity.NewDefaultAzureCredential(nil)
cloudConfig := cloud.Configuration{
Services: map[cloud.ServiceName]cloud.ServiceConfiguration{
azappconfig.ServiceName: {
Audience: "{Cloud specific audience here}",
},
},
}
clientOptions := &azappconfig.ClientOptions{
ClientOptions: policy.ClientOptions{
Cloud: cloudConfig,
},
}
client, _ := azappconfig.NewClient(myStoreEndpoint, credential, clientOptions)If your application runs on Kubernetes and you use the Azure App Configuration Kubernetes Provider, the audience configuration depends on how the provider is installed.
- AKS extension: No audience configuration is needed. The extension automatically determines the audience based on the cloud where it runs.
- Helm chart: The audience can be configured at installation time by setting the
env.azureAppConfigurationAudienceparameter. Use version 2.6.0 or later of the Azure App Configuration Kubernetes Provider to configure the audience.
The following command demonstrates how to install the Azure App Configuration Kubernetes Provider via Helm with a cloud-specific audience.
helm install azureappconfiguration.kubernetesprovider \
oci://mcr.microsoft.com/azure-app-configuration/helmchart/kubernetes-provider \
--namespace azappconfig-system \
--create-namespace \
--set env.azureAppConfigurationAudience="{Cloud specific audience here}"Learn how to use managed identities to access your App Configuration store.