How-to
2 min read

Connect to Microsoft Azure

Learn how to configure your Microsoft Azure account to trust Vercel's OpenID Connect (OIDC) Identity Provider (IdP).
Table of Contents

Secure backend access with OIDC federation is available in Beta on all plans

To understand how Azure supports OIDC through Workload Identity Federation, consult the Azure documentation.

    • Navigate to All services
    • Select Identity
    • Select Manage Identities and select Create
    • Choose your Azure Subscription, Resource Group, Region and Name
    • Go to Federated credentials and select Add Credential
    • In the Federated credential scenario field select Other
    • In the Issuer URL field use: https://oidc.vercel.com
    • In the Subject identifier field use: owner:[TEAM_SLUG]:project[PROJECT_NAME]:environment:[preview | production | development]
    • In the Name field, use a name for your own reference such as: [Project name] - [Environment]
    • In the Audience field use: https://vercel.com/[TEAM_SLUG]
      • Replace [TEAM_SLUG] with your team identifier from the Vercel's team URL

    Azure does not allow for partial claim conditions so you must specify the Subject and Audience fields exactly. However, it is possible to create mutliple federated credentials on the same managed identity to allow for the various sub claims.

  1. In order to connect to the Azure service that you would like to use, you need to allow your Managed Identity to access it.

    For example, to use Azure CosmosDB, associate a role definition to the Managed Identity using the Azure CLI, as explained in the Azure CosmosDB documentation.

    You are now ready to connect to your Azure service from your project's code. Review the example below.

In the following example, you create a Vercel function in a Vercel project where you have defined Azure account environment variables. The function will connect to Azure using OIDC and use a specific resource that you have allowed the Managed Identity to access.

Install the following packages:

pnpm
yarn
npm
pnpm i @azure/identity @azure/cosmos @vercel/functions

In the API route for this function, use the following code to perform a database SELECT query from an Azure CosmosDB instance:

/api/azure-cosmosdb/route.ts
import {
  ClientAssertionCredential,
  AuthenticationRequiredError,
} from '@azure/identity';
import * as cosmos from '@azure/cosmos';
import { getVercelOidcToken } from '@vercel/functions/oidc';
 
/**
 * The Azure Active Directory tenant (directory) ID.
 * Added to environment variables
 */
const AZURE_TENANT_ID = process.env.AZURE_TENANT_ID!;
 
/**
 * The client (application) ID of an App Registration in the tenant.
 * Added to environment variables
 */
const AZURE_CLIENT_ID = process.env.AZURE_CLIENT_ID!;
const COSMOS_DB_ENDPOINT = process.env.COSMOS_DB_ENDPOINT!;
const COSMOS_DB_ID = process.env.COSMOS_DB_ID!;
const COSMOS_DB_CONTAINER_ID = process.env.COSMOS_DB_CONTAINER_ID!;
 
const tokenCredentials = new ClientAssertionCredential(
  AZURE_TENANT_ID,
  AZURE_CLIENT_ID,
  getVercelOidcToken,
);
 
const cosmosClient = new cosmos.CosmosClient({
  endpoint: COSMOS_DB_ENDPOINT,
  aadCredentials: tokenCredentials,
});
 
const container = cosmosClient
  .database(COSMOS_DB_ID)
  .container(COSMOS_DB_CONTAINER_ID);
 
export async function GET() {
  const { resources } = await container.items
    .query('SELECT * FROM my_table')
    .fetchAll();
 
  return Response.json(resources);
}
Last updated on July 20, 2024