Skip to content

Azure Web PubSub Key

Service Name: Azure Web PubSub

Service Description: Azure Web PubSub is a real-time messaging service that enables you to build real-time web applications with WebSockets. It simplifies the process of adding real-time communications to web applications by managing WebSocket connections for you and providing a simple publish-subscribe model for sending messages to connected clients.

Service Address: https://azure.microsoft.com/en-us/services/web-pubsub/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the service level through Azure networking features like Private Endpoints, Service Endpoints, and Network Security Groups.

Secret Access Scope: Grants access to publish and subscribe to messages in Azure Web PubSub service instances, manage client connections, and administer the service.

Secret Revokement URL: https://portal.azure.com/ (Navigate to your Web PubSub resource > Access keys > Regenerate keys)

Secret Example: Endpoint=https://mypubsub.webpubsub.azure.com;AccessKey=xJGOPsRUz8h5hLPeCv mXyzB7Ggv+VKJqz+JZIKFOeJg=;Version=1.0;

Suspicious Activity Investigation Instructions:

  • Review Azure Activity Logs for unusual operations on your Web PubSub resource
  • Check Azure Monitor metrics for unexpected spikes in connection or message counts
  • Examine IP addresses that have connected to your Web PubSub service

  • Review client connection patterns for anomalies

  • Check for unauthorized client groups or unauthorized message publishing

Mitigation Instructions:

  • Immediately regenerate the Web PubSub access key in the Azure Portal
  • Navigate to your Web PubSub resource in the Azure Portal
  • Select "Keys" from the left navigation menu
  • Click "Regenerate" for the compromised key
  • Update your applications with the new key
  • Consider implementing role-based access control (RBAC) for more granular permissions
  • Enable diagnostic logs for better monitoring and auditing
  • Configure network security rules to restrict access to trusted networks only
  • Review and update your application's authentication mechanisms