| title | Migrate applications to use passwordless authentication with Azure Queue Storage |
|---|---|
| titleSuffix | Azure Storage |
| description | Learn to migrate existing applications away from Shared Key authorization with the account key to instead use Microsoft Entra ID and Azure RBAC for enhanced security with Azure Storage Queues. |
| author | pauljewellmsft |
| ms.author | pauljewell |
| ms.date | 07/28/2025 |
| ms.service | azure-queue-storage |
| ms.topic | how-to |
| ms.custom | devx-track-csharp, passwordless-java, passwordless-js, passwordless-python, passwordless-dotnet, passwordless-go, devx-track-azurecli, devx-track-azurepowershell |
[!INCLUDE passwordless-intro]
Passwordless connections can be configured to work for both local and Azure-hosted environments. In this section, you'll apply configurations to allow individual users to authenticate to Azure Queue Storage for local development.
[!INCLUDE assign-roles-storage-queues]
[!INCLUDE default-azure-credential-sign-in]
The Azure Identity client library, for each of the following ecosystems, provides a DefaultAzureCredential class that handles passwordless authentication to Azure:
DefaultAzureCredential supports multiple authentication methods. The method to use is determined at runtime. This approach enables your app to use different authentication methods in different environments (local vs. production) without implementing environment-specific code. See the preceding links for the order and locations in which DefaultAzureCredential looks for credentials.
1. To use `DefaultAzureCredential` in a .NET application, install the `Azure.Identity` package:

   ```dotnetcli
   dotnet add package Azure.Identity
   ```

2. At the top of your file, add the following code:

   ```csharp
   using Azure.Identity;
   ```

3. Identify the locations in your code that create a `QueueClient` object to connect to Azure Queue Storage. Update your code to match the following example:

   ```csharp
   // One credential instance, reused by every client the app creates
   DefaultAzureCredential credential = new();

   QueueClient queueClient = new(
       new Uri($"https://{storageAccountName}.queue.core.windows.net/{queueName}"),
       credential);
   ```
1. To use `DefaultAzureCredential` in a Go application, install the `azidentity` module:

   ```bash
   go get -u github.com/Azure/azure-sdk-for-go/sdk/azidentity
   ```

2. At the top of your file, add the following code:

   ```go
   import (
       "fmt"

       "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
       // Queue Storage client module, used by the code in the next step
       "github.com/Azure/azure-sdk-for-go/sdk/storage/azqueue"
   )
   ```

3. Identify the locations in your code that create a `QueueClient` instance to connect to Azure Queue Storage. Update your code to match the following example:

   ```go
   cred, err := azidentity.NewDefaultAzureCredential(nil)
   if err != nil {
       // handle error
   }

   // azqueue.NewQueueClient takes the URL of the queue itself, so the queue name is part of the URL.
   queueURL := fmt.Sprintf("https://%s.queue.core.windows.net/%s", storageAccountName, queueName)
   client, err := azqueue.NewQueueClient(queueURL, cred, nil)
   if err != nil {
       // handle error
   }
   ```
1. To use `DefaultAzureCredential` in a Java application, install the `azure-identity` package via one of the following approaches:

2. At the top of your file, add the following code:

   ```java
   import com.azure.identity.DefaultAzureCredential;
   import com.azure.identity.DefaultAzureCredentialBuilder;
   ```

3. Identify the locations in your code that create a `QueueClient` object to connect to Azure Queue Storage. Update your code to match the following example:

   ```java
   DefaultAzureCredential credential = new DefaultAzureCredentialBuilder()
           .build();

   String endpoint = String.format("https://%s.queue.core.windows.net/", storageAccountName);

   // QueueClientBuilder and QueueClient come from the azure-storage-queue package the app already uses
   QueueClient queueClient = new QueueClientBuilder()
           .endpoint(endpoint)
           .queueName(queueName)
           .credential(credential)
           .buildClient();
   ```
1. To use `DefaultAzureCredential` in a Node.js application, install the `@azure/identity` package:

   ```bash
   npm install --save @azure/identity
   ```

2. At the top of your file, add the following code:

   ```javascript
   import { DefaultAzureCredential } from "@azure/identity";
   ```

3. Identify the locations in your code that create a `QueueClient` object to connect to Azure Queue Storage. Update your code to match the following example:

   ```javascript
   const credential = new DefaultAzureCredential();

   // QueueClient comes from the @azure/storage-queue package the app already uses
   const queueClient = new QueueClient(
     `https://${storageAccountName}.queue.core.windows.net/${queueName}`,
     credential
   );
   ```
1. To use `DefaultAzureCredential` in a Python application, install the `azure-identity` package:

   ```bash
   pip install azure-identity
   ```

2. At the top of your file, add the following code:

   ```python
   from azure.identity import DefaultAzureCredential
   ```

3. Identify the locations in your code that create a `QueueClient` object to connect to Azure Queue Storage. Update your code to match the following example:

   ```python
   credential = DefaultAzureCredential()

   # QueueClient comes from the azure-storage-queue package the app already uses
   queue_client = QueueClient(
       account_url="https://%s.queue.core.windows.net" % storage_account_name,
       queue_name=queue_name,
       credential=credential,
   )
   ```
Make sure to update the storage account name in the URI of your `QueueClient` object. You can find the storage account name on the overview page of the Azure portal.

:::image type="content" source="../blobs/media/storage-quickstart-blobs-dotnet/storage-account-name.png" alt-text="Screenshot showing how to find the storage account name." lightbox="../blobs/media/storage-quickstart-blobs-dotnet/storage-account-name.png":::
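The code changes above replace an account-key connection string with `DefaultAzureCredential`, but the old secret often survives in app settings or environment variables. The following script is an added example, not code from the Azure documentation or SDKs: it builds the queue endpoint the `QueueClient` constructors take (validating the account and queue names against Azure's naming rules) and scans a settings dictionary for values that still carry an account key or SAS token. It uses only the standard library, so it runs offline; the settings at the bottom are constructed placeholders.

```python
"""Post-migration checks for an app moving from Shared Key to DefaultAzureCredential.

Added example, not code from the Azure documentation or SDKs. Standard library only,
so it runs offline; the settings dictionary at the bottom is constructed.
"""
import re
from typing import Dict, List

# Azure naming rules: storage account names are 3-24 lowercase letters and digits;
# queue names are 3-63 lowercase letters, digits and hyphens, start and end with a
# letter or digit, and contain no consecutive hyphens.
_ACCOUNT_NAME = re.compile(r"^[a-z0-9]{3,24}$")
_QUEUE_NAME = re.compile(r"^[a-z0-9](?:[a-z0-9]|-(?!-)){1,61}[a-z0-9]$")

# Markers that show a Shared Key or SAS secret is still wired into configuration.
_SECRET_MARKERS = (
    re.compile(r"AccountKey=", re.IGNORECASE),             # account-key connection string
    re.compile(r"SharedAccessSignature=", re.IGNORECASE),  # SAS connection string
    re.compile(r"[?&]sig=", re.IGNORECASE),                # SAS token appended to a URL
)


def queue_url(storage_account_name: str, queue_name: str) -> str:
    """Build the HTTPS queue endpoint that the QueueClient constructors in this article take."""
    if not _ACCOUNT_NAME.fullmatch(storage_account_name):
        raise ValueError(f"invalid storage account name: {storage_account_name!r}")
    if not _QUEUE_NAME.fullmatch(queue_name):
        raise ValueError(f"invalid queue name: {queue_name!r}")
    return f"https://{storage_account_name}.queue.core.windows.net/{queue_name}"


def find_shared_key_settings(settings: Dict[str, str]) -> List[str]:
    """Return the names of settings whose values still carry an account key or SAS token.

    Run this over the app's environment or app settings after the code change: with
    DefaultAzureCredential in place, only the account name and queue name should remain.
    """
    return sorted(
        name for name, value in settings.items()
        if any(marker.search(value) for marker in _SECRET_MARKERS)
    )


if __name__ == "__main__":
    # Constructed settings: the leftover connection string and SAS URL are what the check should catch.
    sample_settings = {
        "AZURE_STORAGE_ACCOUNT_NAME": "mystorageacct",
        "AZURE_QUEUE_NAME": "orders",
        "AZURE_STORAGE_CONNECTION_STRING": (
            "DefaultEndpointsProtocol=https;AccountName=mystorageacct;"
            "AccountKey=PLACEHOLDER_NOT_A_REAL_KEY==;EndpointSuffix=core.windows.net"
        ),
        "LEGACY_QUEUE_SAS_URL": (
            "https://mystorageacct.queue.core.windows.net/orders?sv=2022-11-02&sig=PLACEHOLDER"
        ),
    }
    print("endpoint:", queue_url(sample_settings["AZURE_STORAGE_ACCOUNT_NAME"],
                                 sample_settings["AZURE_QUEUE_NAME"]))
    print("settings still holding secrets:", find_shared_key_settings(sample_settings))
```

Point `find_shared_key_settings` at `dict(os.environ)` or at the exported app settings of the deployed app; any name it returns is a secret the migration was supposed to remove, and the account key should be rotated once the setting is deleted.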
After making these code changes, run your application locally. The new configuration should pick up your local credentials, such as the Azure CLI, Visual Studio, or IntelliJ. The roles you assigned to your user in Azure allow your app to connect to the Azure service locally.
Once your application is configured to use passwordless connections and runs locally, the same code can authenticate to Azure services after it's deployed to Azure. The sections that follow explain how to configure a deployed application to connect to Azure Queue Storage using a managed identity. Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Learn more about managed identities:
[!INCLUDE create-user-assigned-managed-identity]
You need to configure your web app to use the managed identity you created. Assign the identity to your app using either the Azure portal or the Azure CLI.
Complete the following steps in the Azure portal to associate an identity with your app. These same steps apply to the following Azure services:
- Azure Spring Apps
- Azure Container Apps
- Azure virtual machines
- Azure Kubernetes Service
1. Navigate to the overview page of your web app.

2. Select **Identity** from the left navigation.

3. On the **Identity** page, switch to the **User assigned** tab.

4. Select **+ Add** to open the **Add user assigned managed identity** flyout.

5. Select the subscription you used previously to create the identity.

6. Search for the **MigrationIdentity** by name and select it from the search results.

7. Select **Add** to associate the identity with your app.

   :::image type="content" source="/reusable-content/ce-skilling/azure/media/storage/create-user-assigned-identity-small.png" alt-text="Screenshot showing how to create a user assigned identity." lightbox="/reusable-content/ce-skilling/azure/media/storage/create-user-assigned-identity.png":::
[!INCLUDE associate-managed-identity-cli]
[!INCLUDE service-connector-commands-storage-queue]
Next, you need to grant permissions to the managed identity you created to access your storage account. Grant permissions by assigning a role to the managed identity, just like you did with your local development user.
1. Navigate to your storage account overview page and select **Access Control (IAM)** from the left navigation.

2. Choose **Add role assignment**.

   :::image type="content" source="../../../includes/passwordless/media/migration-add-role-small.png" alt-text="Screenshot showing how to add a role to a managed identity." lightbox="../../../includes/passwordless/media/migration-add-role.png":::

3. In the **Role** search box, search for *Storage Queue Data Contributor*, which is a common role used to manage data operations for queues. You can assign whatever role is appropriate for your use case. Select the **Storage Queue Data Contributor** from the list and choose **Next**.

4. On the **Add role assignment** screen, for the **Assign access to** option, select **Managed identity**. Then choose **+ Select members**.

5. In the flyout, search for the managed identity you created by name and select it from the results. Choose **Select** to close the flyout menu.

   :::image type="content" source="../../../includes/passwordless/media/migration-select-identity-small.png" alt-text="Screenshot showing how to select the assigned managed identity." lightbox="../../../includes/passwordless/media/migration-select-identity.png":::

6. Select **Next** a couple times until you're able to select **Review + assign** to finish the role assignment.
To assign a role at the resource level using the Azure CLI, you first must retrieve the resource ID using the `az storage account show` command. You can filter the output properties using the `--query` parameter.

```azurecli
az storage account show \
    --resource-group '<your-resource-group-name>' \
    --name '<your-storage-account-name>' \
    --query id
```

Copy the output ID from the preceding command. You can then assign roles using the `az role assignment create` command of the Azure CLI.

```azurecli
# --assignee accepts a user principal name, or the object (principal) ID or client ID of a managed identity
az role assignment create \
    --assignee "<your-username>" \
    --role "Storage Queue Data Contributor" \
    --scope "<your-resource-id>"
```
If you connected your services using Service Connector you don't need to complete this step. The necessary role configurations were handled for you when you ran the Service Connector CLI commands.
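Once the assignment exists, it is worth confirming that the managed identity holds only the data-plane role at the storage account scope and nothing broader. The following script is an added example, not part of the Azure documentation or CLI: it audits the JSON that `az role assignment list` prints (the `principalId`, `roleDefinitionName` and `scope` fields) for one principal against one storage account, flagging assignments inherited from a subscription or resource-group scope and assignments that use a control-plane role. It runs offline on the constructed sample at the bottom; every ID in it is a placeholder.

```python
"""Least-privilege audit of the role assignments a managed identity holds on a storage account.

Added example, not from the Azure documentation or CLI. It parses the JSON shape that
`az role assignment list` prints (principalId, roleDefinitionName, scope) but works
offline on the constructed sample at the bottom; all IDs are placeholders.
"""
import json
from typing import Dict, List

# Built-in roles that grant far more than queue data access; flag them if they land on the identity.
_CONTROL_PLANE_ROLES = {"Owner", "Contributor", "Storage Account Contributor"}


def audit_queue_role_assignments(
    assignments_json: str,
    principal_id: str,
    storage_account_id: str,
    expected_role: str = "Storage Queue Data Contributor",
) -> Dict[str, object]:
    """Check that the identity holds expected_role at the storage account scope and nothing broader.

    Returns {"has_expected_role": bool, "findings": [str, ...]}. A finding is produced for each
    assignment to the identity that is inherited from a broader scope (subscription or resource
    group) or that uses a control-plane role; assignments on unrelated resources are ignored.
    """
    account = storage_account_id.lower().rstrip("/")
    has_expected = False
    findings: List[str] = []
    for assignment in json.loads(assignments_json):
        if assignment["principalId"].lower() != principal_id.lower():
            continue
        role = assignment["roleDefinitionName"]
        scope = assignment["scope"].lower().rstrip("/")
        # An ancestor scope (subscription, resource group) is inherited by the account: broader than needed.
        inherited = scope != account and account.startswith(scope + "/")
        if scope != account and not inherited and not scope.startswith(account + "/"):
            continue  # a different resource; not relevant to this storage account
        if role == expected_role and scope == account:
            has_expected = True
        reasons = []
        if inherited:
            reasons.append(f"assigned at broader scope {assignment['scope']}")
        if role in _CONTROL_PLANE_ROLES:
            reasons.append("control-plane role; a data-plane role such as "
                           f"{expected_role} is enough for queue access")
        if reasons:
            findings.append(f"{role}: " + "; ".join(reasons))
    return {"has_expected_role": has_expected, "findings": findings}


# Constructed sample in the shape of `az role assignment list --all --assignee <id>` output.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-00000000aaaa"          # placeholder
IDENTITY_PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"    # placeholder for MigrationIdentity
STORAGE_ACCOUNT_ID = (
    f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-placeholder"
    "/providers/Microsoft.Storage/storageAccounts/mystorageacct"
)
SAMPLE_ASSIGNMENTS = json.dumps([
    {   # the assignment this article creates
        "principalId": IDENTITY_PRINCIPAL_ID,
        "roleDefinitionName": "Storage Queue Data Contributor",
        "scope": STORAGE_ACCOUNT_ID,
    },
    {   # leftover from earlier experimentation: far too broad
        "principalId": IDENTITY_PRINCIPAL_ID,
        "roleDefinitionName": "Contributor",
        "scope": f"/subscriptions/{SUBSCRIPTION_ID}",
    },
    {   # another principal; ignored by the audit
        "principalId": "22222222-2222-2222-2222-222222222222",
        "roleDefinitionName": "Owner",
        "scope": STORAGE_ACCOUNT_ID,
    },
])

if __name__ == "__main__":
    report = audit_queue_role_assignments(SAMPLE_ASSIGNMENTS, IDENTITY_PRINCIPAL_ID, STORAGE_ACCOUNT_ID)
    print(json.dumps(report, indent=2))
```

Feed it the output of `az role assignment list --all --assignee <identity-object-id>` together with the resource ID from `az storage account show --query id`; an empty `findings` list with `has_expected_role` true is the state this article aims for. A queue-level scope (`.../queueServices/default/queues/<name>`) is narrower than the account and is accepted without a finding.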
[!INCLUDE Code changes to use user-assigned managed identity]
After deploying the updated code, browse to your hosted application in the browser. Your app should be able to connect to the storage account successfully. Keep in mind that it may take several minutes for the role assignments to propagate through your Azure environment. Your application is now configured to run both locally and in a production environment without the developers having to manage secrets in the application itself.
In this tutorial, you learned how to migrate an application to passwordless connections.
You can read the following resources to explore the concepts discussed in this article in more depth:
- Authorize access to blobs using Microsoft Entra ID
- To learn more about .NET, see Get started with .NET in 10 minutes.