Azure Authenticator

This topic describes the Conjur Azure Authenticator.


The Conjur Azure Authenticator is a highly secure method for authenticating Azure workloads to Conjur using their underlying Microsoft Azure attributes. A Conjur identity can be established at varying granularity, allowing for a collection of resources to be identified to Conjur as one, or for individual workloads to be uniquely identified. The method is based on Microsoft Azure AD Authentication, presenting developers with a familiar pattern.

The Azure Authenticator can be used instead of API key based authentication, leading to a higher security posture with no need to store a ‘secret-zero’.

The following diagram depicts the layered identification model:

This model offers the following options:

  • You can associate a set of workloads with one Conjur identity, defined by the subscription and resource group properties only

  • You can associate each individual Azure workload with a unique Conjur identity by including its user-assigned or system-assigned Azure managed identity in its definition.

    User-assigned managed identities are useful for pre-populating a Conjur host policy before the Azure resource is created. They can also be used to share the same Conjur identity among specific Azure resources within the resource group.

    System-assigned managed identities are created on the fly, so they need to be loaded into the Conjur host policy at run time after the resource is created as part of the pipeline automation.


This layered approach allows you to authenticate workloads whether or not you are working with Azure managed identities.

Supported Azure services

  • Azure Virtual Machines

  • Azure App Services

  • Azure Functions

  • Azure Container Instances

How it works

This section describes how an application running on an Azure resource authenticates with Conjur to retrieve secrets.

  1. An application requests its Azure AD token from the Azure Instance Metadata Service (IMDS).

  2. The IMDS responds with a signed JWT token.

  3. The application sends an authentication request to Conjur using the Authenticate using Azure Authenticator REST API.

  4. Conjur attempts to authenticate and authorize the request. If successful, Conjur sends a short-lived access token back to the application.

  5. The application can retrieve secrets stored in Conjur.

Configure the Azure Authenticator

To communicate with and retrieve secrets from Conjur, the application running in Azure needs to authenticate to Conjur and receive a Conjur access token.

This section describes how to configure the Azure Authenticator, and how to define applications to use the Azure Authenticator to authenticate to Conjur.

Retrieve an Azure AD token

To authenticate with Conjur, you need an Azure AD token.

The following procedure is an example of how to retrieve an Azure AD token from an Azure VM using the IMDS REST API:

  1. Make sure that you can access managed identities on the VM.

  2. Log in to the Azure VM.

  3. Run the following command, where <api_version> is the IMDS version. Use 2018-02-01 or greater:

    Token type Command

    User-assigned managed identity

    The following command requires the <client_ID> which can be found in the Azure portal.

    curl '<api_version>&client_id=<client_id>&' -H Metadata:true -s | jq -r '.access_token'

    System-assigned managed identity

    curl '<api_version>&' -H Metadata:true -s | jq -r '.access_token'

    When using a system-assigned managed identity, make sure that system-assigned managed identity is enabled in Azure. For details, see the Microsoft Azure documentation.

Send an Azure authentication request

Once the Azure Authenticator is configured, you can send an authentication request from the Azure instance to Conjur using the Azure Authenticator REST API.

Use the following URI to send an authentication request to Conjur:

POST https://<Conjur-server-hostname>/authn-azure/<service-id>/<account>/<host-id>/authenticate




The ID of your Azure Authenticator webservice , for example AzureWS1


The organization account name


The identity of the application running on the Azure VM.

This value should be the full hostname and should include URL encoding for the forward slash (/), for example, host%2Fazure-apps%2FazureVM.

Example of request:

curl -k --request POST '' --header 'Content-Type: application/x-www-form-urlencoded' --header "Accept-Encoding: base64" --data-urlencode 'jwt=eyJ0e......jjjkl'

For more details about sending authentication requests, see the Authenticate using Azure Authenticator REST API.

Troubleshooting the Azure Authenticator

This section lists issues that may arise and recommended solutions: