Every time you publish events to or consume events from an event hub, your client is trying to access Event Hubs resources. Every request to a secure resource must be authorized so that the service can ensure that the client has the required permissions to publish or consume the data.
Azure Event Hubs offers the following options for authorizing access to secure resources:
Microsoft Entra ID
Shared access signature
Note
This article applies to both Event Hubs and Apache Kafka scenarios.
Microsoft Entra ID
Microsoft Entra integration with Event Hubs resources provides Azure role-based access control (RBAC) for fine-grained control over a client's access to resources. You can use Azure RBAC to grant permissions to a security principal, which may be a user, a group, or an application service principal. Microsoft Entra authenticates the security principal and returns an OAuth 2.0 token. The token can be used to authorize a request to access an Event Hubs resource.
For more information about authenticating with Microsoft Entra ID, see the following articles:
Shared access signatures (SAS) for Event Hubs resources provide limited delegated access to Event Hubs resources. Adding constraints on the time interval for which the signature is valid or on the permissions it grants provides flexibility in managing resources. For more information, see Authenticate using shared access signatures (SAS).
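As an added illustration of the time-bounded delegation described above (this is example code, not part of the original article or the Azure SDK), the block below builds an Event Hubs SAS token in the documented format (HMAC-SHA256 over the URL-encoded resource URI and the expiry, keyed by a shared access policy key) and then models the checks a receiving service performs: known policy name, matching signature, correct resource, and an expiry that has not passed. The policy name, key and namespace are constructed sample values. Note that the token carries only the policy name; the permissions (Send, Listen, Manage) are those of the policy on the service side, and a leaked token remains valid until its expiry unless the policy key itself is regenerated.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote

# Constructed sample values. A real policy key comes from the namespace's
# shared access policy and must never be embedded in client code.
SAMPLE_POLICY_NAME = "send-only-policy"
SAMPLE_POLICY_KEY = "c29tZS1zYW1wbGUta2V5LWJ5dGVzLWZvci1kZW1vLXVzZQ=="
SAMPLE_RESOURCE_URI = "sb://example-namespace.servicebus.windows.net/example-hub"


def _sign(policy_key, encoded_uri, expiry):
    """HMAC-SHA256 over "<url-encoded resource uri>\n<expiry>", base64-encoded."""
    string_to_sign = f"{encoded_uri}\n{expiry}"
    digest = hmac.new(policy_key.encode("utf-8"),
                      string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("utf-8")


def generate_sas_token(resource_uri, policy_name, policy_key, ttl_seconds, now=None):
    """Client side: mint a SAS token that expires ttl_seconds from now."""
    now = int(time.time()) if now is None else int(now)
    expiry = now + int(ttl_seconds)
    encoded_uri = quote(resource_uri, safe="")
    signature = quote(_sign(policy_key, encoded_uri, expiry), safe="")
    return (f"SharedAccessSignature sr={encoded_uri}&sig={signature}"
            f"&se={expiry}&skn={policy_name}")


def parse_sas_token(token):
    """Split the token into its sr/sig/se/skn fields (values URL-decoded)."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SharedAccessSignature token")
    fields = parse_qs(token[len(prefix):], strict_parsing=True)
    return {name: values[0] for name, values in fields.items()}


def validate_sas_token(token, expected_resource_uri, policy_keys, now=None):
    """Service-side model of the checks: returns (accepted, reason).

    policy_keys maps a policy name to its key, standing in for the
    namespace's shared access policies. The token itself carries no
    permissions; they belong to the policy named in skn.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        fields = parse_sas_token(token)
    except ValueError as exc:
        return False, str(exc)
    for name in ("sr", "sig", "se", "skn"):
        if name not in fields:
            return False, f"missing field {name}"
    if fields["skn"] not in policy_keys:
        return False, "unknown policy name"
    # Kept as an exact match for the example; production services normalise
    # the URI (for example case) before comparing.
    if fields["sr"] != expected_resource_uri:
        return False, "resource mismatch"
    try:
        expiry = int(fields["se"])
    except ValueError:
        return False, "malformed expiry"
    if expiry <= now:
        return False, "token expired"
    # Recompute the signature over the same fields; a changed expiry or
    # resource invalidates it. compare_digest avoids timing side channels.
    expected = _sign(policy_keys[fields["skn"]], quote(fields["sr"], safe=""), expiry)
    if not hmac.compare_digest(expected, fields["sig"]):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    token = generate_sas_token(SAMPLE_RESOURCE_URI, SAMPLE_POLICY_NAME,
                               SAMPLE_POLICY_KEY, ttl_seconds=3600)
    print(token)
    print(validate_sas_token(token, SAMPLE_RESOURCE_URI,
                             {SAMPLE_POLICY_NAME: SAMPLE_POLICY_KEY}))
```

The validator accepts a fresh token, rejects the same token once its `se` timestamp has passed, and rejects any token whose `se` or `sr` field was edited after signing, which is what makes the time constraint enforceable rather than advisory.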
Authorizing users or applications using an OAuth 2.0 token returned by Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there's no need to store the access tokens with your code and risk potential security vulnerabilities. While you can continue to use shared access signatures (SAS) to grant fine-grained access to Event Hubs resources, Microsoft Entra ID offers similar capabilities without the need to manage SAS tokens or worry about revoking a compromised SAS.
By default, all Event Hubs resources are secured and are available only to the account owner. Although you can use any of the authorization strategies outlined above to grant clients access to Event Hubs resources, Microsoft recommends using Microsoft Entra ID when possible for maximum security and ease of use.
In this episode, Serkant Karaca and Shubha Vijayasarathy from the Azure Event Hubs team sit with Cecil to discuss the various methods for authenticating and authorizing clients to work with Azure Event Hubs.
[00:56] What types of authorization options does Event Hubs support?
[01:30] Using SAS (shared access signatures)
[04:52] Using RBAC (role-based access control)
[09:30] Reviewing authentication flows
Useful links: Azure Event Hubs Documentation; GitHub repo with samples; Choose between Azure messaging s
Learn to migrate existing applications away from Shared Key authorization with the account key to instead use Microsoft Entra ID and Azure role-based access control (RBAC) for enhanced security with Azure Event Hubs.