Edit

Disable local or shared access key authentication with Azure Service Bus

  • Article

There are two ways to authenticate to Azure Service Bus resources: Microsoft Entra ID and Shared Access Signatures (SAS). Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there’s no need to store the tokens in your code and risk potential security vulnerabilities. We recommend that you use Microsoft Entra ID with your Azure Service Bus applications when possible.

This article explains how to disable SAS key authentication and use only Microsoft Entra ID for authentication.

Use portal to disable local auth

In this section, you learn how to use the Azure portal to disable local authentication.

  1. Navigate to your Service Bus namespace in the Azure portal.

  2. In the Essentials section of the Overview page, select Enabled, for Local Authentication.

    Image showing the Overview page of a Service Bus namespace with Local Authentication set to Enabled.

  3. On the Local Authentication page, select Disabled, and select OK.

    Disable location.

Use Resource Manager template to disable local auth

You can disable local authentication for a Service Bus namespace by setting disableLocalAuth property to true as shown in the following Azure Resource Manager template.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "namespace_name": {
            "defaultValue": "spcontososbusns",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.ServiceBus/namespaces",
            "apiVersion": "2021-06-01-preview",
            "name": "[parameters('namespace_name')]",
            "location": "East US",
            "sku": {
                "name": "Standard",
                "tier": "Standard"
            },
            "properties": {
                "disableLocalAuth": true,
                "zoneRedundant": false
            }
        }
    ]
}

Parameters.json

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "namespace_name": {
            "value": null
        }
    }
}

Azure policy

You can assign the disable local auth Azure policy to an Azure subscription or a resource group to enforce disabling of local authentication for all Service Bus namespaces in the subscription or the resource group.

Azure policy to disable location authentication.

Next steps

See the following to learn about Microsoft Entra ID and SAS authentication.