Azure Maps Blog
Managed identities for Azure Maps

cschotte
Microsoft
Oct 31, 2022

In many enterprise organizations, there are strict processes for privacy, access, and handling of personally identifiable information (PII). Azure Maps is a global Azure service, which means it is available worldwide (except for China and South Korea), but it also needs to store metadata and logs somewhere. In addition, Azure Maps Creator is an add-on for private indoor maps that also holds map data. So, where do we keep this data?

 

Even when Azure Maps stores almost no information, you still need to select in which region the metadata, logs, and private maps must be stored. When creating a new Azure Maps account, the region selection only affects your Azure Maps account's account management and metadata capabilities. Basically, you decide that all metadata, logs, and private map data stay in the selected region (the United States or Europe). Microsoft doesn't control or limit the locations from which your end users come to Azure Maps.

 

Azure Maps shares customer-provided address/location queries with third-party TomTom for mapping functionality purposes. These queries aren't linked to any customer or end-user when shared with TomTom and can't be used to identify individuals. TomTom is listed on our Online Services Subcontractor List.

 

Azure Maps Keys

When using Azure Maps Keys, you can access, modify, upload, and delete all the data associated with that Azure Maps account, which makes keys a poor choice for a production solution. We recommend using Azure Managed identities for Azure Maps, which give you several powerful security benefits and access controls. You can disable (also by policy) the use of Azure Maps Keys for development, testing, and production. The best thing about managed identities is that you do not need to store any secrets, and you can no longer accidentally leak any keys in your source code.

 

Setting up managed identities

You can set up managed identities easily using the Azure Portal (which is what we do here), or, if you prefer, you can use the Azure command line (CLI). Here, we have written a step-by-step guide on using managed identities with Azure Maps and .NET.

 

Before we start, you need an Azure Account, a Web App and an Azure Maps instance.

 

We start with the Web App for which you want to enable managed identities. First, navigate to your Web App, select the Identity option, and enable the system-assigned identity. Next, click on the permissions button.

Azure manages this system-assigned identity, so there are no secrets for you to know or store. Next, we need to define what this managed identity can do and what it can access. Finally, click the plus button to add the role this managed identity needs.

Select the resource group where you have created your Azure Maps account. We can use many different roles, but we are only interested in the Azure Maps roles for this blog. Type Azure Maps to filter and select the role you need for your solution. More roles are available here.

 

| Azure Role Definition | Description |
| --- | --- |
| Azure Maps Contributor | Grants access to all Azure Maps resource management. |
| Azure Maps Data Contributor | Grants access to read, write, and delete map-related data from an Azure Maps account. |
| Azure Maps Data Reader | Grants access to read map-related data from an Azure Maps account. |
| Azure Maps Search and Render Data Reader | Grants access to a limited set of data APIs for common visual web scenarios. Specifically, render and search data APIs. |

 

 

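Now we have enabled managed identities in our Web App and allowed it to access Azure Maps with the selected role. In the Web App, we can now create a token proxy that uses the managed identity to generate an Azure Maps token that we use in our client app. Example code in C#:

using Azure.Core;
using Azure.Identity;
using Microsoft.AspNetCore.Mvc;

namespace AzureMapsDemo.Controllers;

public class ApiController : Controller
{
    // DefaultAzureCredential uses the Web App's managed identity when running in Azure.
    // Reusing one instance avoids re-creating the credential on every request.
    private static readonly DefaultAzureCredential tokenProvider = new();

    // Token proxy: returns an Azure Maps access token for the client app.
    // There is no [Authorize] attribute here, so any caller that can reach
    // this action receives a token.
    public async Task<IActionResult> GetAzureMapsToken()
    {
        // Request a token scoped to Azure Maps.
        var accessToken = await tokenProvider.GetTokenAsync(
            new TokenRequestContext(new[] { "https://atlas.microsoft.com/.default" })
        );

        return new OkObjectResult(accessToken.Token);
    }
}
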

The Azure Maps Web Control, which runs in your browser, can then call this token proxy with the following JavaScript code. Tokens are short-lived and are automatically renewed by the Azure Maps Web Control.

// 'myMap' is a placeholder for the id of the element that hosts the map.
var map = new atlas.Map('myMap', {
    // Add authentication details for connecting to Azure Maps.
    authOptions: {
        // 'anonymous' tells the control to obtain an Azure Active Directory
        // token through the getToken callback below.
        authType: 'anonymous',
        // Your Azure Maps client id for accessing your Azure Maps account.
        clientId: '[YOUR_AZUREMAPS_CLIENT_ID]',
        getToken: function(resolve, reject, map) {
            // URL to your authentication service that retrieves
            // an Azure Active Directory Token.
            var tokenServiceUrl = "/api/GetAzureMapsToken";

            fetch(tokenServiceUrl)
                .then(r => {
                    if (!r.ok) throw new Error('Token request failed: ' + r.status);
                    return r.text();
                })
                .then(token => resolve(token))
                .catch(reject); // report failures to the control instead of hanging
        }
    }
});
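
Because the tokens are short-lived, it helps to check what the proxy returns before handing it to the control. The following is an added example, not code from the original post or from the Azure Maps SDK: a getToken callback that rejects on an HTTP error, an unexpected audience, or an expired token. The helper names, the injectable fetchImpl parameter, and the expected audience (taken from the scope the proxy requests) are assumptions.

```javascript
// Added example, not from the original post. Assumption: the proxy returns
// the raw token as text, as the C# action above does.
const EXPECTED_AUDIENCE = 'https://atlas.microsoft.com'; // from the requested scope

// Decode the payload (second segment) of a JWT. The signature is NOT verified
// here; Azure Maps does that. This only lets the client read aud and exp.
function decodeJwtPayload(token) {
    const parts = String(token).trim().split('.');
    if (parts.length !== 3) throw new Error('not a JWT: expected 3 segments');
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)));
}

// Return the seconds of validity left, or throw if the token is unusable.
function checkMapsToken(token, nowMs = Date.now()) {
    const claims = decodeJwtPayload(token);
    if (String(claims.aud).replace(/\/$/, '') !== EXPECTED_AUDIENCE) {
        throw new Error('unexpected audience: ' + claims.aud);
    }
    const nowSec = Math.floor(nowMs / 1000);
    if (typeof claims.exp !== 'number' || claims.exp <= nowSec) {
        throw new Error('token expired or missing exp');
    }
    return claims.exp - nowSec;
}

// getToken callback for authOptions; fetchImpl is injectable for testing.
function getToken(resolve, reject, map, fetchImpl = fetch) {
    return fetchImpl('/api/GetAzureMapsToken')
        .then(r => {
            if (!r.ok) throw new Error('token proxy returned HTTP ' + r.status);
            return r.text();
        })
        .then(text => {
            const token = text.trim();
            checkMapsToken(token); // throws -> reject() below
            resolve(token);
        })
        .catch(reject);
}

// Constructed sample input: an unsigned token with a dummy signature segment.
function makeSampleToken(claims) {
    const enc = o => btoa(JSON.stringify(o))
        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
    return enc({ alg: 'none', typ: 'JWT' }) + '.' + enc(claims) + '.sig';
}
```

The value returned by checkMapsToken can also drive a "session about to expire" notice if your application wants one.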

 

 

 

We hope this blog helped you with setting up Managed Identities in the Azure Portal. If you need a step-by-step guide on how to use managed identities and authorization in a .NET web application, read our Azure Maps Web Application Authentication blog.

Updated Mar 28, 2023
Version 5.0
  • Depending on how your AAD is configured, a token can expire around every 75 min. The Azure Maps Web Control automatically refreshes the token when needed. To see what is inside a token, I recommend pasting the token into this tool https://jwt.ms/ and looking at the expiration time.

    If you would like to change the lifetime of a token, please follow the steps in this article https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

  • Inside the token you will find the expiration time, so if you check this in your code you can also notify the user. The Azure Maps Web Control automatically refreshes the token when needed, so there is no need to notify the user.

  • AMRajapaksha
    Copper Contributor

    Hi,

    I have written an Azure Function using the same code as here and it returns the token. The token format is as below.

    {
    "token": "Token",
    "expiresOn": "2023-03-22T21:42:29.4581083+00:00"
    }

    I have doubts about the expiration of the token.

    How long is the token valid?

    Can we change the expiration time of the token?

    Thank you.

     

     

  • AMRajapaksha
    Copper Contributor

    Thanks a lot. I have another question.

    Let's say the user has got the token and after some time the token has expired. Is there any way to notify the user that the token has expired (like opening a pop-up)?

     

  • AMRajapaksha
    Copper Contributor

    Thanks a lot, I have implemented it the same way.

    I have another question. I console-logged the token value that the map is receiving. I have noticed that a previous token is also received again after some period of time. For example, at 1:27 PM I received one token, then at 1:59 PM it was a different one. Again at 2:42 PM I got the same token with the same expiration. Do you have any idea about that?

     


  • AMRajapaksha
    Copper Contributor

    Also, there is another error: I found the map is giving an unauthorized error even though it has a valid token.


  • I suggest that you create a support ticket in the Azure portal under your Azure Maps account as it is a more efficient and faster way for us to assist you. Look for "New Support Request"