Cannot use managed identity to connect to service bus

Question

Cannot use managed identity to connect to service bus

Prajwal Pyakurel 0 Microsoft Employee

I am trying to connect to Service Bus from Azure synapse using managed identity but it is not letting me to. I need this so that I can disable local auth in Service Bus. Is it possible to connect to service bus from Synapse with local auth disabled in service bus? Please advise on SFI compliant way to access SB from Synapse.

I tried system assigned MI, and assigned service bus data owner access, but the access failed in synapse.

DefaultAzureCredential failed to retrieve a token from the included credentials. Attempted credentials: EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured. Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue. ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint. SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache. AzureCliCredential: Azure CLI not found on path AzurePowerShellCredential: PowerShell is not installed AzureDeveloperCliCredential: Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then,once installed, authenticate to your Azure account using 'azd auth login'. To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot. Unexpected error occurred (ClientAuthenticationError("DefaultAzureCredential failed to retrieve a token from the included credentials.\nAttempted credentials:\n\tEnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.\nVisit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.\n\tManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.\n\tSharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.\n\tAzureCliCredential: Azure CLI not found on path\n\tAzurePowerShellCredential: PowerShell is not installed\n\tAzureDeveloperCliCredential: Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then,once installed, authenticate to your Azure account using 'azd auth login'.\nTo mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.")).).) Handler shutting down. Traceback (most recent call last):

Pilladi Padma Sai Manisha 920 Reputation points Microsoft External Staff Moderator

2025-12-19T23:33:06.5933333+00:00

Hi Prajwal Pyakurel,
Thank you for reaching out to Microsoft QA!
DefaultAzureCredential fails in Synapse notebooks with that IMDS endpoint error because Spark pools do not expose the IMDS endpoint, even after assigning Data Owner to the workspace managed identity. It is still possible and SFI-compliant to access Service Bus from Synapse after disabling local auth, but instead of direct SDK calls in notebooks, use Linked Services with the Synapse workspace’s system-assigned managed identity.

Why notebooks fail:
Spark runtime does not expose the standard IMDS endpoint, so ManagedIdentityCredential cannot obtain a token and has no valid fallbacks (no CLI/PowerShell/environment credentials in the runtime). User-assigned managed identities are also not supported in Synapse Spark notebooks.

SFI-compliant setup:

Disable local authentication on the Service Bus namespace (in the Service Bus resource: Settings > Local authentication > Disabled).

Get the Synapse workspace system-assigned managed identity Object ID from Synapse Studio under Manage > Access control.

Assign RBAC roles on the Service Bus namespace to that managed identity in Access control (IAM):

Azure Service Bus Data Sender (to send messages)

Azure Service Bus Data Receiver (to receive messages)

Azure Service Bus Data Owner (for full access/testing)

In Synapse Studio, create a Service Bus linked service using Authentication type = Managed identity, select the namespace, and use Test connection to validate.

How to use from Synapse:

In Synapse pipelines, use Service Bus Send/Receive activities that reference this linked service, so authentication flows through the workspace managed identity.

In notebooks, either trigger those pipelines or use components that rely on the linked service instead of instantiating DefaultAzureCredential in code.

After roles are assigned, allow some time for RBAC propagation and restart the Spark session before re-testing. This pattern keeps Service Bus local auth disabled and relies only on Microsoft Entra ID with managed identity, which aligns with SFI requirements.

1 answer

Your answer

Answer 1

To connect Azure Synapse to Azure Service Bus using managed identity, you need to ensure that the managed identity has the appropriate permissions assigned in Azure Service Bus. You can use Microsoft Entra ID for authentication and authorization, which is recommended over local authentication methods.

Assign Permissions: Ensure that the managed identity used by Azure Synapse has been assigned one of the built-in roles for Azure Service Bus, such as Azure Service Bus Data Sender or Azure Service Bus Data Receiver. This can be done through the Azure portal by navigating to the Access control (IAM) page of your Service Bus namespace and assigning the role to the managed identity.
Disable Local Authentication: You can disable local authentication for your Service Bus namespace, allowing only Microsoft Entra authentication. This is a secure method and is recommended for production environments. You can follow the steps outlined in the documentation to disable local authentication.

Connection Code: When connecting to Service Bus from Azure Synapse, use the managed identity to authenticate. Here's a sample code snippet for connecting:

   string fullyQualifiedNamespace = "<your namespace>.servicebus.windows.net>";
   string userAssignedClientId = "<your managed identity client ID>";
   
   var credential = new DefaultAzureCredential(
       new DefaultAzureCredentialOptions
       {
           ManagedIdentityClientId = userAssignedClientId
       });
   
   var sbusClient = new ServiceBusClient(fullyQualifiedNamespace, credential);

By following these steps, you should be able to connect to Azure Service Bus from Azure Synapse with local authentication disabled, using a managed identity in a secure manner.

Share via

Cannot use managed identity to connect to service bus

1 answer

Your answer