Skip to content

Azure SignalR Service Key

Service Name: Azure SignalR Service

Service Description: Azure SignalR Service is a fully managed service that enables real-time web functionality, allowing web applications to push content updates to connected clients. It simplifies the development of real-time web applications by handling the WebSocket connections and scaling to millions of connections.

Service Address: https://azure.microsoft.com/en-us/services/signalr-service/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured through Azure Network Security Groups and Private Endpoints.

Secret Access Scope: Grants access to manage and use Azure SignalR Service resources, including sending messages to clients, managing connections, and accessing service metrics.

Secret Revokement URL: https://portal.azure.com/ (Navigate to your SignalR Service resource > Access keys > Regenerate keys)

Secret Example: Endpoint=https://mysignalr.service.signalr.net;AccessKey=abcdefghijklmnopq rstuvwxyz0123456789ABCDEFGH=;Version=1.0;

Suspicious Activity Investigation Instructions:

  • Review Azure Activity Logs for unusual operations on your SignalR Service.
  • Check Azure Monitor metrics for unexpected spikes in connection counts or message volume.
  • Examine IP addresses accessing your SignalR Service for unauthorized locations.
  • Review application logs for unexpected connection patterns or message broadcasts.
  • Monitor for unauthorized changes to service configuration or networking settings.

Mitigation Instructions:

  • Immediately regenerate the SignalR Service access key in the Azure Portal.
  • Navigate to your SignalR Service resource in the Azure Portal.
  • Select "Keys" from the left navigation menu.
  • Click "Regenerate" for the compromised key.
  • Update your application configurations with the new key.
  • Consider implementing Azure Private Link to restrict network access.
  • Enable diagnostic logging for better monitoring and auditing.
  • Review and update network security groups to restrict access to trusted IP ranges.