Edit

Authenticate an application with Azure Active Directory to access Event Hubs resources

  • Article
  • 5 minutes to read

Microsoft Azure provides integrated access control management for resources and applications based on Azure Active Directory (Azure AD). A key advantage of using Azure AD with Azure Event Hubs is that you don't need to store your credentials in the code anymore. Instead, you can request an OAuth 2.0 access token from the Microsoft Identity platform. The resource name to request a token is https://eventhubs.azure.net/, and it's the same for all clouds/tenants (For Kafka clients, the resource to request a token is https://<namespace>.servicebus.windows.net). Azure AD authenticates the security principal (a user, group, or service principal) running the application. If the authentication succeeds, Azure AD returns an access token to the application, and the application can then use the access token to authorize request to Azure Event Hubs resources.

When a role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of subscription, the resource group, the Event Hubs namespace, or any resource under it. An Azure AD security can assign roles to a user, a group, an application service principal, or a managed identity for Azure resources.

Note

A role definition is a collection of permissions. Azure role-based access control (Azure RBAC) controls how these permissions are enforced through role assignment. A role assignment consists of three elements: security principal, role definition, and scope. For more information, see Understanding the different roles.

Built-in roles for Azure Event Hubs

Azure provides the following Azure built-in roles for authorizing access to Event Hubs data using Azure AD and OAuth:

For Schema Registry built-in roles, see Schema Registry roles.

Important

Our preview release supported adding Event Hubs data access privileges to Owner or Contributor role. However, data access privileges for Owner and Contributor role are no longer honored. If you are using the Owner or Contributor role, switch to using the Azure Event Hubs Data Owner role.

Authenticate from an application

A key advantage of using Azure AD with Event Hubs is that your credentials no longer need to be stored in your code. Instead, you can request an OAuth 2.0 access token from Microsoft identity platform. Azure AD authenticates the security principal (a user, a group, or service principal) running the application. If authentication succeeds, Azure AD returns the access token to the application, and the application can then use the access token to authorize requests to Azure Event Hubs.

The following sections show you how to configure your native application or web application for authentication with Microsoft identity platform 2.0. For more information about Microsoft identity platform 2.0, see Microsoft identity platform (v2.0) overview.

For an overview of the OAuth 2.0 code grant flow, see Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow.

Register your application with an Azure AD tenant

The first step in using Azure AD to authorize Event Hubs resources is registering your client application with an Azure AD tenant from the Azure portal. Follow steps in the Quickstart: Register an application with the Microsoft identity platform to register an application in Azure AD that represents your application trying to access Event Hubs resources.

When you register your client application, you supply information about the application to AD. Azure AD then provides a client ID (also called an application ID) that you can use to associate your application with Azure AD runtime. To learn more about the client ID, see Application and service principal objects in Azure Active Directory.

Note

If you register your application as a native application, you can specify any valid URI for the Redirect URI. For native applications, this value does not have to be a real URL. For web applications, the redirect URI must be a valid URI, because it specifies the URL to which tokens are provided.

After you've registered your application, you'll see the Application (client) ID under Settings:

Screenshot showing the app registration page with application ID highlighted.

Create a client secret

The application needs a client secret to prove its identity when requesting a token. Follow steps from Add a client secret to create a client secret for your app in Azure AD.

Assign Azure roles using the Azure portal

Assign one of the Event Hubs roles to the application's service principal at the desired scope (Event Hubs namespace, resource group, subscription). For detailed steps, see Assign Azure roles using the Azure portal.

Once you define the role and its scope, you can test this behavior with samples in this GitHub location. To learn more on managing access to Azure resources using Azure RBAC and the Azure portal, see this article.

Client libraries for token acquisition

Once you've registered your application and granted it permissions to send/receive data in Azure Event Hubs, you can add code to your application to authenticate a security principal and acquire OAuth 2.0 token. To authenticate and acquire the token, you can use either one of the Microsoft identity platform authentication libraries or another open-source library that supports OpenID or Connect 1.0. Your application can then use the access token to authorize a request against Azure Event Hubs.

For scenarios where acquiring tokens is supported, see the Scenarios section of the Microsoft Authentication Library (MSAL) for .NET GitHub repository.

Samples

Next steps

See the following related articles: