Loading...

Managed identities for Azure Maps

Managed identities for Azure Maps

In many enterprise organizations, there are strict processes for privacy, access, and handling of personally identifiable information (PII). Azure Maps is a global Azure service, which means it is available worldwide (except for China and South Korea), but it also needs to store metadata and logs somewhere. In addition, Azure Maps Creator is an addon for private indoor maps that also holds map data. So, where do we keep this data?

 

Even when Azure Maps stores almost no information, you still need to select in which region the metadata, logs, and private maps must be stored. When creating a new Azure Maps account, the region selection only affects your Azure Maps account's account management and metadata capabilities. Basically, you decide that all metadata, logs, and private map data stay in the selected region (the United States or Europe). Microsoft doesn't control or limit the locations from which your end users come to Azure Maps.

 

Azure Maps shares customer-provided address/location queries with third-party TomTom for mapping functionality purposes. These queries aren't linked to any customer or end-user when shared with TomTom and can't be used to identify individuals. TomTom is listed on our Online Services Subcontractor List.

 

Azure Maps Keys

When using Azure Maps Keys, you can access, modify, upload, and delete all the data associated with that Azure Maps account. Not the best choice for a production solution. We recommend using Azure Managed identities for Azure Maps, which give you several powerful security benefits and access controls. You can disable (also by policy) the use of Azure Maps Keys for development, testing, and production. The best thing about managed identities is that you do not need to store any secrets, and you can no longer accidentally leak any keys in your source code.

 

Setting up managed identities

You can set up managed identities easily using the Azure Portal (what we are doing here), or if you like, you can also use the Azure command line (CLI). Here, we have written a step-by-step guide on using managed identities with Azure Maps and .NET.

 

Before we start, you need an Azure Maps account, a Web App, and access to your Azure Active Directory to register a new App.

 

We start with your Web App, where you like to enable managed identities for. First, navigate to your Web App, select the Identity option, and enable the system-assigned identity. Next, click on the permissions button.

 

1.png

 

Azure manages this system-assigned identity; no need to know any secrets. Next, we need to assign what this managed identity can do and access it or not. Finally, click the plus button to add what role this managed identity needs.

 

2.png

 

Select the resource group where you have created your Azure Maps account. We can use many different roles, but we are only interested in the Azure Maps roles for this blog. Type Azure Maps to filter and select the role you need for your solution. More roles are available here.

 

Azure Role Definition

Description

Azure Maps Contributor

Grants access all Azure Maps resource management.

Azure Maps Data Contributor

Grants access to read, write, and delete access to map related data from an Azure maps account.

Azure Maps Data Reader

Grants access to read map related data from an Azure maps account

Azure Maps Search and Render Data Reader

Grants access to limited set of data APIs for common visual web scenarios. Specifically, render and search data APIs

 

3.png

 

Now we have enabled managed identities in our Web App and allowed it to access Azure Maps with the selected role. In the Web App, we can now create a token proxy that uses the managed identity to generate an Azure Maps token that we use in our client app. Example code in C#

 

 

using Azure.Core; using Azure.Identity; using Microsoft.AspNetCore.Mvc; namespace AzureMapsDemo.Controllers; public class ApiController : Controller { private static readonly DefaultAzureCredential tokenProvider = new(); public async Task<IActionResult> GetAzureMapsToken() { var accessToken = await tokenProvider.GetTokenAsync( new TokenRequestContext(new[] { "https://atlas.microsoft.com/.default" }) ); return new OkObjectResult(accessToken.Token); } }

 

 

This Azure Maps token proxy can then be used in the Azure Maps Web Control, which runs in your browser by the following JavaScript code. Tokens are short-lived and are automatically renewed by the Azure Maps Web Control.

 

 

// Add authentication details for connecting to Azure Maps. authOptions: { // Use Azure Active Directory authentication. authType: 'anonymous', // Your Azure Maps client id for accessing your Azure Maps account. clientId: '[YOUR_AZUREMAPS_CLIENT_ID]', getToken: function(resolve, reject, map) { // URL to your authentication service that retrieves // an Azure Active Directory Token. var tokenServiceUrl = "/api/GetAzureMapsToken"; fetch(tokenServiceUrl).then(r => r.text()).then(token => resolve(token)); } }

 

 

Do you need a step-by-step guide on how to use managed identities and authorization in a .NET web application, read our Azure Maps Web Application Authentication blog

Published on:

Learn more
Azure Maps articles
Azure Maps articles

Azure Maps articles

Share post:

Related posts

Building on Vercel’s eve + Azure Cosmos DB: An Agent That Remembers

Most “AI agent” demos forget everything the moment the process exits. That’s fine for a toy project, but useless for anythin...

1 day ago

Copilot Studio – Environment-level agent telemetry export to Azure Application Insights (Preview)

We are announcing the ability for administrators to export Copilot Studio agent telemetry at the environment level to Azure Application Insigh...

2 days ago

See our new Azure Cosmos DB Design Patterns

Design patterns are where good data modeling lives or dies. In a NoSQL database like Azure Cosmos DB, the difference between a schema that sca...

2 days ago

Need a different partition key in Azure Cosmos DB? Pick the right approach

Once you create a container, its partition key is fixed at creation, and you can’t change it in place. However, if your original key starts ca...

3 days ago

Azure SDK Release (June 2026)

Azure SDK releases every month. In this post, you'll find this month's highlights and release notes. The post Azure SDK Release (June 2026) ap...

3 days ago

Fundamentals of Azure DevOps with SQL projects

Building automated pipelines with your SQL database projects enables you to build a rich CI/CD ecosystem to ensure that your application is be...

7 days ago

Upcoming Change: NTLM Removal in Git (libcurl) – Impact to Azure DevOps Server Customers

Overview In September 2026, NTLM support will be removed from libcurl, which is used by Git for HTTP(S) operations. As a result, Git operation...

7 days ago

What’s new across Microsoft SQL in 2026 so far (SQL Server, Azure SQL, and SQL database in Fabric)

We’re halfway through 2026, and Microsoft SQL has not slowed down. Since SQLCon/FabCon in March (where we released a ton of things, and those ...

8 days ago

Power Automate Flow — HTTP Trigger to Azure OpenAI

Build the secure Power Automate HTTP trigger flow that receives free text from the portal, calls Azure OpenAI using your smart-form-extract de...

10 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy