Authorize access to Event Hubs resources using Azure Active Directory

Azure Event Hubs supports using Azure Active Directory (Azure AD) to authorize requests to Event Hubs resources. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, or an application service principal. To learn more about roles and role assignments, see Understanding the different roles.

Overview

When a security principal (a user, or an application) attempts to access an Event Hubs resource, the request must be authorized. With Azure AD, access to a resource is a two-step process.

  1. First, the security principal’s identity is authenticated, and an OAuth 2.0 token is returned. The resource name to request a token is https://eventhubs.azure.net/, and it's the same for all clouds/tenants. For Kafka clients, the resource to request a token is https://<namespace>.servicebus.windows.net.
  2. Next, the token is passed as part of a request to the Event Hubs service to authorize access to the specified resource.

The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity such as an Azure VM, a virtual machine scale set, or an Azure Function app, it can use a managed identity to access the resources. To learn how to authenticate requests made by a managed identity to Event Hubs service, see Authenticate access to Azure Event Hubs resources with Azure Active Directory and managed identities for Azure Resources.

The authorization step requires that one or more Azure roles be assigned to the security principal. Azure Event Hubs provides Azure roles that encompass sets of permissions for Event Hubs resources. The roles that are assigned to a security principal determine the permissions that the principal will have. For more information about Azure roles, see Azure built-in roles for Azure Event Hubs.

Native applications and web applications that make requests to Event Hubs can also authorize with Azure AD. To learn how to request an access token and use it to authorize requests for Event Hubs resources, see Authenticate access to Azure Event Hubs with Azure AD from an application.

Assign Azure roles for access rights

Azure Active Directory (Azure AD) authorizes access rights to secured resources through Azure role-based access control (Azure RBAC). Azure Event Hubs defines a set of Azure built-in roles that encompass common sets of permissions used to access event hub data and you can also define custom roles for accessing the data.

When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of subscription, the resource group, the Event Hubs namespace, or any resource under it. An Azure AD security principal may be a user, or an application service principal, or a managed identity for Azure resources.

Azure built-in roles for Azure Event Hubs

Azure provides the following Azure built-in roles for authorizing access to Event Hubs data using Azure AD and OAuth:

Role Description
Azure Event Hubs Data owner Use this role to give complete access to Event Hubs resources.
Azure Event Hubs Data sender Use this role to give the send access to Event Hubs resources.
Azure Event Hubs Data receiver Use this role to give the consuming/receiving access to Event Hubs resources.

For Schema Registry built-in roles, see Schema Registry roles.

Resource scope

Before you assign an Azure role to a security principal, determine the scope of access that the security principal should have. Best practices dictate that it's always best to grant only the narrowest possible scope.

The following list describes the levels at which you can scope access to Event Hubs resources, starting with the narrowest scope:

  • Consumer group: At this scope, role assignment applies only to this entity. Currently, the Azure portal doesn't support assigning an Azure role to a security principal at this level.
  • Event hub: Role assignment applies to the Event Hub entity and the consumer group under it.
  • Namespace: Role assignment spans the entire topology of Event Hubs under the namespace and to the consumer group associated with it.
  • Resource group: Role assignment applies to all the Event Hubs resources under the resource group.
  • Subscription: Role assignment applies to all the Event Hubs resources in all of the resource groups in the subscription.

Note

  • Keep in mind that Azure role assignments may take up to five minutes to propagate.
  • This content applies to both Event Hubs and Event Hubs for Apache Kafka. For more information on Event Hubs for Kafka support, see Event Hubs for Kafka - security and authentication.

For more information about how built-in roles are defined, see Understand role definitions. For information about creating Azure custom roles, see Azure custom roles.

Samples

Next steps

See the following related articles: