Enable a managed identity for routing Azure Digital Twins events

This article describes how to use a managed identity for an Azure Digital Twins instance when forwarding events to supported routing destinations. Setting up a managed identity isn't required for routing, but it lets the instance access other Azure AD-protected resources, such as Event Hubs, Service Bus destinations, and Azure Storage containers, without storing connection strings or keys on the endpoint. Managed identities can be system-assigned or user-assigned.

Here are the steps that are covered in this article:

  1. Create an Azure Digital Twins instance with a managed identity, or enable managed identity on an existing Azure Digital Twins instance.
  2. Add an appropriate role or roles to the identity. For example, assign the Azure Event Hubs Data Sender role to the identity if the endpoint is Event Hubs, or the Azure Service Bus Data Sender role if the endpoint is Service Bus.
  3. Create an endpoint in Azure Digital Twins that can use managed identities for authentication.

Create an Azure Digital Twins instance with a managed identity

If you already have an Azure Digital Twins instance, ensure that you've enabled a managed identity for it.

If you don't have an Azure Digital Twins instance, follow the instructions in Create the instance with a managed identity to create an Azure Digital Twins instance with a managed identity for the first time.

Then, make sure you have the Azure Digital Twins Data Owner role on the instance. You can find instructions in Set up user access permissions.

Assign Azure roles to the identity

Once a managed identity is created for your Azure Digital Twins instance, you'll need to assign it appropriate roles to authenticate with different types of endpoints for routing events to supported destinations. This section describes the role options and how to assign them to the managed identity.

Note

This is an important step—without it, the identity won't be able to access your endpoints and events won't be delivered.

Supported destinations and Azure roles

Here are the minimum roles that your Azure Digital Twins identity needs to access an endpoint, depending on the type of destination. Roles with higher permissions (like Data Owner roles) will also work.

Destination              Azure role
Azure Event Hubs         Azure Event Hubs Data Sender
Azure Service Bus        Azure Service Bus Data Sender
Azure storage container  Storage Blob Data Contributor

For more about endpoints, routes, and the types of destinations supported for routing in Azure Digital Twins, see Event routes.

Assign the role

Note

This section must be completed by an Azure user who has permissions to manage user access to Azure resources, including granting and delegating permissions. Common roles that meet this requirement are Owner, Account admin, or the combination of User Access Administrator and Contributor. For more information about permission requirements for Azure Digital Twins roles, see Set up an instance and authentication.


To assign a role to the identity, start by opening the Azure portal in a browser.

  1. Navigate to your endpoint resource (your event hub, Service Bus topic, or storage container) by searching for its name in the portal search bar.

  2. Select Access control (IAM).

  3. Select Add > Add role assignment to open the Add role assignment page.

  4. Assign the desired role to the managed identity of your Azure Digital Twins instance, using the information below. For detailed steps, see Assign Azure roles using the Azure portal.

    Setting           Value
    Role              Select the desired role from the options.
    Assign access to  Managed identity
    Members           Select the user-assigned or system-assigned managed identity of your Azure Digital Twins instance that's being assigned the role. A user-assigned identity will have the name you chose when you created the identity, and a system-assigned identity will have a name that matches the name of your Azure Digital Twins instance.

    Screenshot of the 'Add role assignment' page for an Azure Digital Twins instance.

Create an endpoint with identity-based authentication

After setting up a managed identity for your Azure Digital Twins instance and assigning it the appropriate role(s), you can create Azure Digital Twins endpoints that can use the identity for authentication. This option is only available for Event Hubs and Service Bus-type endpoints (it's not supported for Event Grid).

Note

You cannot edit an endpoint that was created with key-based authentication to switch it to identity-based authentication. You must choose the authentication type when the endpoint is first created.


Start following the instructions to create an Azure Digital Twins endpoint.

When you get to the step of completing the details required for your endpoint type, select either System-assigned or User-assigned (preview) for the Authentication type.

Screenshot of creating an endpoint of type Event Hubs.

Finish setting up your endpoint and select Save.
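As an added example that is not part of the original article, the following Azure CLI script performs the same procedure as the portal steps above (assign the minimum role, then create an identity-based endpoint) for a system-assigned identity and an Event Hubs endpoint, scoping the role assignment to the single event hub rather than the namespace or subscription, and adds the check to run before disabling the identity. The azure-iot extension's `--auth-type IdentityBased` flag, the `identity.principalId` query on `az dt show`, and the environment variable names are assumptions.

```shell
# Added example (not from the original article): Azure CLI equivalent of the
# portal steps above for a system-assigned identity and an Event Hubs endpoint.
# Assumes the azure-iot CLI extension is installed and `az login` has been run.
set -eu
# Minimum role per destination type, as listed in the table above.
role_for_destination() {
  case "$1" in
    eventhub)   echo "Azure Event Hubs Data Sender" ;;
    servicebus) echo "Azure Service Bus Data Sender" ;;
    storage)    echo "Storage Blob Data Contributor" ;;
    *) echo "unsupported destination type: $1" >&2; return 1 ;;
  esac
}
# Grant the instance's system-assigned identity the minimum role, scoped to the
# single event hub (not the namespace or subscription) so the identity cannot
# send anywhere else. Prints the identity's principal id.
assign_sender_role() {
  local dt_name="$1" rg="$2" eh_ns="$3" eh_name="$4" principal_id hub_id
  principal_id=$(az dt show -n "$dt_name" -g "$rg" --query identity.principalId -o tsv)
  hub_id=$(az eventhubs eventhub show -g "$rg" --namespace-name "$eh_ns" -n "$eh_name" --query id -o tsv)
  az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "$(role_for_destination eventhub)" --scope "$hub_id" -o none
  echo "$principal_id"
}
# Create the endpoint with identity-based authentication, so no connection
# string is stored on the instance. --auth-type IdentityBased is assumed to be
# the extension's flag; confirm with `az dt endpoint create eventhub --help`.
create_identity_endpoint() {
  local dt_name="$1" rg="$2" eh_ns="$3" eh_name="$4" endpoint_name="$5"
  az dt endpoint create eventhub --dt-name "$dt_name" -g "$rg" \
    --endpoint-name "$endpoint_name" --eventhub-namespace "$eh_ns" \
    --eventhub "$eh_name" --eventhub-resource-group "$rg" \
    --auth-type IdentityBased -o none
}
# Check before disabling the identity or editing its roles: succeeds only if
# the Data Sender assignment the endpoint depends on is still in place.
sender_role_present() {
  local principal_id="$1" hub_id="$2"
  [ -n "$(az role assignment list --assignee "$principal_id" --scope "$hub_id" \
      --query "[?roleDefinitionName=='Azure Event Hubs Data Sender'].id" -o tsv)" ]
}
# Run the procedure only when ADT_RUN=1 (with DT_NAME, RG, EH_NS, EH_NAME and
# ENDPOINT_NAME set) so the functions can be sourced without side effects.
if [ "${ADT_RUN:-0}" = "1" ]; then
  assign_sender_role "$DT_NAME" "$RG" "$EH_NS" "$EH_NAME"
  create_identity_endpoint "$DT_NAME" "$RG" "$EH_NS" "$EH_NAME" "$ENDPOINT_NAME"
fi
```

Azure RBAC assignments can take some minutes to propagate, so run sender_role_present (and wait for it to succeed) before testing event delivery through the new endpoint.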

Considerations for disabling managed identities

Because an identity is managed separately from the endpoints that use it, it's important to consider the effects that any changes to the identity or its roles can have on the endpoints in your Azure Digital Twins instance. If the identity is disabled, or a necessary role for an endpoint is removed from it, the endpoint can become inaccessible and the flow of events will be disrupted.

To continue using an endpoint that was set up with a managed identity that's now been disabled, you'll need to delete the endpoint and re-create it with a different authentication type. It may take up to an hour for events to resume delivery to the endpoint after this change.

Next steps

Learn more about managed identities in Azure AD: