Connect to Microsoft Azure

Learn how to configure your Microsoft Azure account to trust Vercel's OpenID Connect (OIDC) Identity Provider (IdP).

Secure backend access with OIDC federation is available on all plans

To understand how Azure supports OIDC through Workload Identity Federation, consult the Azure documentation.

    • Navigate to All services
    • Select Identity
    • Select Managed Identities and select Create
    • Choose your Azure Subscription, Resource Group, Region and Name
    • Go to Federated credentials and select Add Credential
    • In the Federated credential scenario field select Other
    • Enter the Issuer URL. The URL depends on the issuer mode setting of your Vercel team:
      • Team: https://oidc.vercel.com/[TEAM_SLUG], replacing [TEAM_SLUG] with the path from your Vercel team URL
      • Global: https://oidc.vercel.com
    • In the Subject identifier field use: owner:[TEAM_SLUG]:project:[PROJECT_NAME]:environment:[preview | production | development]
    • In the Name field, use a name for your own reference such as: [Project name] - [Environment]
    • In the Audience field use: https://vercel.com/[TEAM_SLUG]
      • Replace [TEAM_SLUG] with your team identifier from your Vercel team URL

    Azure does not allow partial or wildcard claim conditions, so the Issuer, Subject and Audience fields must match the token's iss, sub and aud claims exactly (a trailing slash, a different environment or a misspelled project name is enough to make the exchange fail). Because the subject is specific to one project and one environment, a token issued to a preview deployment will not match a credential created for production. To cover several environments, create multiple federated credentials on the same managed identity, one per sub value you need.
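Because Azure compares the three claims literally, most failed exchanges come down to a value that was typed slightly differently from what the token carries. The following added example (not code from Vercel or Azure) builds the exact Issuer, Subject and Audience values for a team, project and environment, decodes the payload of a token without verifying it, and lists every claim that would fail Azure's exact match. The team slug "acme", project "api" and the unsigned sample token are constructed for the example; `decodeJwtPayload` is for inspection only and performs no signature check, which Azure does itself against the issuer's published keys.

```typescript
type IssuerMode = 'team' | 'global';
type VercelEnvironment = 'production' | 'preview' | 'development';

interface FederatedCredential {
  issuer: string;   // Issuer URL field in Azure
  subject: string;  // Subject identifier field in Azure
  audience: string; // Audience field in Azure
}

// Build the three values exactly as they must be entered in the federated credential.
function expectedFederatedCredential(
  teamSlug: string,
  projectName: string,
  environment: VercelEnvironment,
  issuerMode: IssuerMode = 'team',
): FederatedCredential {
  const issuer =
    issuerMode === 'team' ? `https://oidc.vercel.com/${teamSlug}` : 'https://oidc.vercel.com';
  return {
    issuer,
    subject: `owner:${teamSlug}:project:${projectName}:environment:${environment}`,
    audience: `https://vercel.com/${teamSlug}`,
  };
}

function base64urlDecode(s: string): string {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
}

function base64urlEncode(s: string): string {
  return btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode a JWT payload WITHOUT verifying its signature. Use it only to read
// claims while debugging a mismatch; never to make a trust decision.
function decodeJwtPayload(token: string): Record<string, unknown> {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(base64urlDecode(parts[1])) as Record<string, unknown>;
}

// Azure matches iss, sub and aud exactly; return a line for every claim that differs.
function federatedCredentialMismatches(
  claims: Record<string, unknown>,
  expected: FederatedCredential,
): string[] {
  const problems: string[] = [];
  if (claims.iss !== expected.issuer) {
    problems.push(`iss: token has ${JSON.stringify(claims.iss)}, credential expects ${JSON.stringify(expected.issuer)}`);
  }
  if (claims.sub !== expected.subject) {
    problems.push(`sub: token has ${JSON.stringify(claims.sub)}, credential expects ${JSON.stringify(expected.subject)}`);
  }
  // A JWT aud may be a single string or an array; the configured audience must be present.
  const aud: unknown[] = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.audience)) {
    problems.push(`aud: token has ${JSON.stringify(claims.aud)}, credential expects ${JSON.stringify(expected.audience)}`);
  }
  return problems;
}

// Constructed sample: an unsigned token with the claims a Vercel OIDC token would
// carry for a hypothetical team "acme", project "api", production environment.
const SAMPLE_CLAIMS = {
  iss: 'https://oidc.vercel.com/acme',
  sub: 'owner:acme:project:api:environment:production',
  aud: 'https://vercel.com/acme',
};
const SAMPLE_TOKEN = [
  base64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' })),
  base64urlEncode(JSON.stringify(SAMPLE_CLAIMS)),
  '', // no signature on the constructed sample
].join('.');
```

Run `federatedCredentialMismatches(decodeJwtPayload(token), expectedFederatedCredential(...))` against a token captured from a deployment (for example by logging the result of `getVercelOidcToken()` once in a preview environment) and every entry it returns corresponds to one field in the Azure federated credential that has to be corrected or to a second credential that has to be created.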

  1. To reach the Azure service your function needs, grant the Managed Identity access to that resource. Scope the role assignment to the specific resource rather than the resource group or subscription, so a token obtained through the federation can do no more than the function requires.

    For example, to use Azure CosmosDB, associate a role definition with the Managed Identity using the Azure CLI, as explained in the Azure CosmosDB documentation.

    You are now ready to connect to your Azure service from your project's code. Review the example below.

In the following example, you create a Vercel function in a Vercel project where you have defined the Azure tenant, client and CosmosDB environment variables. At runtime the function obtains a Vercel OIDC token, presents it to Azure as a client assertion, and uses the resulting access token against a resource that you have allowed the Managed Identity to access. No Azure secret or certificate is stored in the project.

Install the following packages:

pnpm i @azure/identity @azure/cosmos @vercel/functions

In the API route for this function, use the following code to perform a database SELECT query from an Azure CosmosDB instance:

/api/azure-cosmosdb/route.ts
import { ClientAssertionCredential } from '@azure/identity';
import * as cosmos from '@azure/cosmos';
import { getVercelOidcToken } from '@vercel/functions/oidc';
 
/**
 * Read a required environment variable, failing when the module loads
 * rather than with an opaque authentication error on the first request.
 */
function requireEnv(name: string): string {
  const value = process.env[name];
  if (!value) throw new Error(`Missing required environment variable: ${name}`);
  return value;
}
 
/**
 * The Microsoft Entra (Azure AD) tenant (directory) ID.
 * Added to environment variables
 */
const AZURE_TENANT_ID = requireEnv('AZURE_TENANT_ID');
 
/**
 * The client ID of the Managed Identity (or App Registration) that holds
 * the federated credential created above.
 * Added to environment variables
 */
const AZURE_CLIENT_ID = requireEnv('AZURE_CLIENT_ID');
const COSMOS_DB_ENDPOINT = requireEnv('COSMOS_DB_ENDPOINT');
const COSMOS_DB_ID = requireEnv('COSMOS_DB_ID');
const COSMOS_DB_CONTAINER_ID = requireEnv('COSMOS_DB_CONTAINER_ID');
 
/**
 * ClientAssertionCredential calls getVercelOidcToken whenever it needs a new
 * access token, so every exchange presents a fresh, short-lived Vercel OIDC
 * token as the client assertion. getVercelOidcToken only succeeds inside a
 * Vercel deployment; locally the credential will fail to authenticate.
 */
const tokenCredentials = new ClientAssertionCredential(
  AZURE_TENANT_ID,
  AZURE_CLIENT_ID,
  getVercelOidcToken,
);
 
const cosmosClient = new cosmos.CosmosClient({
  endpoint: COSMOS_DB_ENDPOINT,
  aadCredentials: tokenCredentials,
});
 
const container = cosmosClient
  .database(COSMOS_DB_ID)
  .container(COSMOS_DB_CONTAINER_ID);
 
export async function GET() {
  // The query is a fixed string; if you later add request-driven filters,
  // pass them as parameters in a SqlQuerySpec rather than interpolating them.
  const { resources } = await container.items
    .query('SELECT * FROM my_table')
    .fetchAll();
 
  return Response.json(resources);
}
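The route above delegates the token exchange to `ClientAssertionCredential`. The following added example (not code from the page, Vercel or the Azure SDK) spells out that exchange so the moving parts are visible when something fails: the Vercel OIDC token is posted to the tenant's v2.0 token endpoint as a `client_assertion` of type `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` with `grant_type=client_credentials`, and Microsoft Entra answers with an access token for the requested scope. The transport and the assertion source are injected so the code runs offline; the tenant ID, client ID, assertion string and the `fakeEntraFetch` transport are constructed for the example, and in a Vercel function you would pass `getVercelOidcToken` and the global `fetch`. The scope `https://cosmos.azure.com/.default` is the one used for CosmosDB data-plane access with Entra tokens.

```typescript
const JWT_BEARER_ASSERTION = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';

interface TokenResponse {
  token_type: string;
  expires_in: number;
  access_token: string;
}

// Minimal shape of fetch that the exchange needs; the global fetch satisfies it.
interface HttpResponse {
  ok: boolean;
  status: number;
  text(): Promise<string>;
  json(): Promise<unknown>;
}
type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string>; body: string },
) => Promise<HttpResponse>;

// Build the token request exactly as Entra's workload identity federation expects it.
function buildAssertionExchange(
  tenantId: string,
  clientId: string,
  assertion: string,
  scope: string,
): { url: string; body: string } {
  const url = `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`;
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_assertion_type: JWT_BEARER_ASSERTION,
    client_assertion: assertion,
    scope,
  }).toString();
  return { url, body };
}

async function exchangeVercelOidcToken(opts: {
  tenantId: string;
  clientId: string;
  scope: string;
  getAssertion: () => Promise<string>;
  fetchImpl: FetchLike;
}): Promise<TokenResponse> {
  let assertion: string;
  try {
    assertion = await opts.getAssertion();
  } catch (err) {
    // Outside a Vercel deployment there is no OIDC token to present; fail with
    // a clear message instead of sending an empty assertion to Azure.
    throw new Error(`no Vercel OIDC token available, cannot authenticate to Azure: ${String(err)}`);
  }
  const { url, body } = buildAssertionExchange(opts.tenantId, opts.clientId, assertion, opts.scope);
  const res = await opts.fetchImpl(url, {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body,
  });
  if (!res.ok) {
    // Entra's error body names the claim that did not match the federated credential.
    throw new Error(`token endpoint returned HTTP ${res.status}: ${await res.text()}`);
  }
  const json = (await res.json()) as Partial<TokenResponse>;
  if (typeof json.access_token !== 'string') throw new Error('token response has no access_token');
  return json as TokenResponse;
}

// Constructed sample values (hypothetical tenant, client ID and assertion).
const SAMPLE_TENANT_ID = '00000000-0000-0000-0000-000000000000';
const SAMPLE_CLIENT_ID = '11111111-1111-1111-1111-111111111111';
const SAMPLE_ASSERTION = 'header.payload.signature'; // stands in for a Vercel OIDC token

// Constructed transport: accepts only a well-formed request for the sample
// identity and answers with a fake access token, otherwise rejects it.
const fakeEntraFetch: FetchLike = async (url, init) => {
  const form = new URLSearchParams(init.body);
  const ok =
    url === `https://login.microsoftonline.com/${SAMPLE_TENANT_ID}/oauth2/v2.0/token` &&
    init.method === 'POST' &&
    form.get('grant_type') === 'client_credentials' &&
    form.get('client_id') === SAMPLE_CLIENT_ID &&
    form.get('client_assertion_type') === JWT_BEARER_ASSERTION &&
    form.get('client_assertion') === SAMPLE_ASSERTION;
  return {
    ok,
    status: ok ? 200 : 401,
    text: async () => '{"error":"invalid_client","error_description":"assertion rejected"}',
    json: async () => ({ token_type: 'Bearer', expires_in: 3600, access_token: 'fake-access-token' }),
  };
};
```

In production you do not call this yourself; `ClientAssertionCredential` performs the same request each time the Cosmos client needs a token. What the example makes visible is that the only secret-like material in the flow is the short-lived Vercel OIDC token, and that the failure modes are a missing assertion (not running on Vercel) or a federated credential whose claims do not match the token.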
Last updated on October 23, 2024