Local authentication is disabled by default on Azure resources

Starting in Aspire 9.4, local authentication is disabled by default for Azure EventHubs and Azure WebPubSub integrations. This change improves security by aligning with Azure environments that reject resources with local authentication enabled.

Version introduced

Aspire 9.4

Previous behavior

Previously, Azure EventHubs and Azure WebPubSub resources were created with local authentication enabled by default (disableLocalAuth = false).

New behavior

Now, Azure EventHubs and Azure WebPubSub resources are created with local authentication disabled by default (disableLocalAuth = true).

Type of breaking change

This is a behavioral change.

Reason for change

Disabling local authentication by default provides a more secure configuration. Some Azure environments reject resources with local authentication enabled, and this change ensures compatibility with those environments.

Recommended action

If you are using the Aspire client integrations for these services, no changes are required, and your application will continue to function as expected.

If you're using a SAS token or other connection string with an access key, you must either:

1. Re-enable local authentication using the ConfigureInfrastructure method.
2. Update your application to use Entra ID authentication.

Example: Re-enabling local authentication

1. In the corresponding Azure resource, chain a call to ConfigureInfrastructure.

2. Get the instance of the provisioning resource type in question, for example:

   • Azure Event Hubs: Azure.Provisioning.EventHubs.EventHubsNamespace.DisableLocalAuth. For more information on configuring infra, see Customize provisioning infrastructure.
   • Azure Web PubSub: Azure.Provisioning.WebPubSub.WebPubSubService.IsLocalAuthDisabled. For more information on configuring infra, see Customize provisioning infrastructure.

Affected APIs

• AddAzureEventHubs
• AddAzureWebPubSub