Using RBAC to authorize Graph API Notifications sent to Eventhub
More, Santosh
Hi All,
We have a requirement to use RBAC instead of SAS to get the Graph API change notifications delivered to Eventhub.
Does the Microsoft Graph Change Tracking application support RBAC permissions?
It seems the same question was asked by someone earlier here: https://stackoverflow.com/questions/66264825/use-rbac-to-authorize-ms-graph-api-to-send-change-notifications-to-azure-event-h
Is there any solution? Would the following configuration work? Any suggestions would be very much appreciated.
- Assign the "Azure Event Hubs Data Sender" role to the "Microsoft Graph Change Tracking" principal,
- Update the notification URL of my graph subscription requests to remove the access key. The URL is still stored in an Azure Key Vault (as per docs), in the form Endpoint=sb://<my namespace>.servicebus.windows.net/;EntityPath=<my ehub name>
Thanks,
Santosh
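
When moving a stored Event Hubs connection string from SAS to the keyless form described in the question, a quick audit of the Key Vault secret value confirms no key material was left behind. The following is an added example, not part of the original post and not Microsoft's code; the function names and sample values are constructed, and it does not determine whether Microsoft Graph accepts the keyless form.

```python
from urllib.parse import urlparse

# Connection-string keys that carry or name SAS credentials.
SAS_KEYS = {"sharedaccesskeyname", "sharedaccesskey", "sharedaccesssignature"}


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict, keeping '=' inside values."""
    fields = {}
    for part in value.strip().split(";"):
        if not part.strip():
            continue  # tolerate trailing or doubled semicolons
        key, sep, val = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed segment: {part!r}")
        fields[key.strip().lower()] = val.strip()
    return fields


def audit_keyless(value):
    """Return a list of findings; an empty list means keyless and well formed."""
    fields = parse_connection_string(value)
    findings = [f"SAS field present: {k}"
                for k in sorted(SAS_KEYS.intersection(fields))]
    endpoint = urlparse(fields.get("endpoint", ""))
    if endpoint.scheme != "sb":
        findings.append("Endpoint missing or not sb://")
    elif not (endpoint.hostname or "").endswith(".servicebus.windows.net"):
        findings.append("Endpoint host is not under servicebus.windows.net")
    if not fields.get("entitypath"):
        findings.append("EntityPath missing")
    return findings


# Constructed sample values; the key below is a placeholder, not a real secret.
KEYLESS = "Endpoint=sb://contoso-ns.servicebus.windows.net/;EntityPath=graph-events"
WITH_SAS = ("Endpoint=sb://contoso-ns.servicebus.windows.net/;"
            "SharedAccessKeyName=sender;SharedAccessKey=PLACEHOLDER+KEY=;"
            "EntityPath=graph-events")

if __name__ == "__main__":
    for name, value in (("keyless", KEYLESS), ("with SAS", WITH_SAS)):
        print(name, "->", audit_keyless(value) or "no findings")
```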
Microsoft Security | Microsoft Graph