How can we improve Azure Maps?

Protect Map account by site URI checking.

Currently an Azure Maps account is protected by the key generated on the Azure Portal. This is not enough for SPA JS sites. Let's say you have a public server-less map app that allows anonymous use. The map key could easily be discovered and stolen. Hence your map account could be used by others at your expense.
Expected: add the ability to specify one or more site URIs where legal traffic could come from. Azure should check incoming requests against this list and reject unknown sites. This should support "localhost:port" for test purposes as well as real domain names for production.

13 votes

Vitaly Zayko shared this idea
completed  ·  Admin azuremaps (Azure Maps, Microsoft Azure) responded:

I’m happy to report that last week the Azure Maps team announced a high security option for Azure Maps which uses Azure Active Directory (AAD) for authentication. The announcement can be found here: https://azure.microsoft.com/en-us/blog/announcing-azure-maps/

Here is some related documentation:
- https://docs.microsoft.com/en-us/azure/azure-maps/azure-maps-authentication
- https://docs.microsoft.com/en-us/azure/azure-maps/how-to-use-map-control

8 comments

  • James Rogers commented:

    I echo André's comment. Azure AD does not solve the problem. Please re-open this request.

  • André Silva de Jesus commented:

    @azuremaps Are you out of your mind? This has nothing to do with AAD. We want referer authentication, just like Google Maps.

  • Kevin Flood commented:

    This is a critical issue really. It allows anyone to use (and bill) your account. E.g. the key listed in this simple map widget demo https://docs.microsoft.com/en-us/azure/azure-maps/map-create can also be used by anyone for free access to billable API calls on any Azure Maps service (geocode, etc.).

    Brief overview of Google's approach: https://developers.google.com/maps/faq#using-google-maps-apis
    So basically, their web-level APIs (e.g. embedded map widget) support whitelisting websites/IP addresses and their server-level APIs (e.g. geocoding, directions) support signing requests with a shared secret. This worked well for us,

  • Anonymous commented:

    There must surely be a better way of using the JS API without exposing your API key. In the docs Microsoft tells us to secure our keys using Key Vault - why on Earth should I do that if I have to expose my key anyway?

  • Craig Neeson commented:

    Bumping this as our team would also benefit from the same security features. Hesitant to invest too much time with the Azure Maps JS components until they can actually be secured properly.

  • rbrundritt commented:

    URI checking provides a false sense of security as it is fairly easy to spoof a URI. It only protects you from honest reverse engineers. That said, there are plans to provide increased security options in the near future.
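As an added illustration (not Azure's code and not posted by anyone in this thread) of the site-allowlist check the original idea asks for, and of the limitation rbrundritt raises: a Node.js check that a backend proxy holding the map key could run on the request's Origin or Referer header, with the hostnames and ports below constructed for the example. Browsers attach these headers themselves, so the check stops other websites from embedding your key, but any script can send an arbitrary Origin value, so it does not substitute for credential-based authentication such as the Azure AD option the admin response points to.

```javascript
// Constructed allowlist in the shape the idea describes: bare "host:port"
// entries for local testing plus domain names (optionally with a scheme)
// for production.
const ALLOWED_SITES = ["localhost:3000", "maps.example.com", "https://app.example.com"];

const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;

// Normalise an allowlist entry to { protocol, host }. Entries without a
// scheme match any scheme (protocol === null); URL.host keeps a non-default
// port, so "localhost:3000" stays distinct from "localhost:4000".
function parseSite(entry) {
  const hasScheme = HAS_SCHEME.test(entry);
  const u = new URL(hasScheme ? entry : `http://${entry}`);
  return { protocol: hasScheme ? u.protocol : null, host: u.host };
}

// Returns true when the request's Origin (or, failing that, Referer) header
// names an allowlisted site. `headers` uses Node's lowercased header names.
// The header value is attacker-controlled for non-browser clients: this
// only prevents other websites from reusing the key in their pages.
function isAllowedSite(headers, allowlist = ALLOWED_SITES) {
  const raw = headers.origin || headers.referer;
  if (!raw) return false;                 // no header at all: reject
  let req;
  try {
    req = new URL(raw);                   // also rejects the literal "null" origin
  } catch {
    return false;
  }
  return allowlist.map(parseSite).some(site =>
    site.host === req.host &&
    (site.protocol === null || site.protocol === req.protocol));
}

// Decision a proxy handler would make before forwarding to Azure Maps
// with the real key: 403 for unknown sites, 200 (forward) otherwise.
function proxyStatus(headers) {
  return isAllowedSite(headers) ? 200 : 403;
}

module.exports = { parseSite, isAllowedSite, proxyStatus };
```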
