Authorize access to Event Hubs resources using Microsoft Entra ID

Azure Event Hubs supports using Microsoft Entra ID to authorize requests to Event Hubs resources. With Microsoft Entra ID, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which can be a user, or an application service principal. To learn more about roles and role assignments, see Understanding the different roles.

Overview

When a security principal (a user, or an application) attempts to access an Event Hubs resource, the request must be authorized. With Microsoft Entra ID, access to a resource is a two-step process.

  1. First, the security principal’s identity is authenticated, and an OAuth 2.0 token is returned. The resource name to request a token is https://eventhubs.azure.net/, and it's the same for all clouds/tenants. For Kafka clients, the resource to request a token is https://<namespace>.servicebus.windows.net.
  2. Next, the token is passed as part of a request to the Event Hubs service to authorize access to the specified resource.

The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity such as an Azure VM, a virtual machine scale set, or an Azure Function app, it can use a managed identity to access the resources. To learn how to authenticate requests made by a managed identity to Event Hubs service, see Authenticate access to Azure Event Hubs resources with Microsoft Entra ID and managed identities for Azure Resources.

The authorization step requires that one or more Azure roles be assigned to the security principal. Azure Event Hubs provides Azure roles that encompass sets of permissions for Event Hubs resources. The roles that are assigned to a security principal determine the permissions that the principal will have. For more information about Azure roles, see Azure built-in roles for Azure Event Hubs.

Native applications and web applications that make requests to Event Hubs can also authorize with Microsoft Entra ID. To learn how to request an access token and use it to authorize requests for Event Hubs resources, see Authenticate access to Azure Event Hubs with Microsoft Entra ID from an application.

Assign Azure roles for access rights

Microsoft Entra authorizes access rights to secured resources through Azure role-based access control (Azure RBAC). Azure Event Hubs defines a set of Azure built-in roles that encompass common sets of permissions used to access event hub data and you can also define custom roles for accessing the data.

When an Azure role is assigned to a Microsoft Entra security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of subscription, the resource group, the Event Hubs namespace, or any resource under it. A Microsoft Entra security principal can be a user, or an application service principal, or a managed identity for Azure resources.

Azure built-in roles for Azure Event Hubs

Azure provides the following Azure built-in roles for authorizing access to Event Hubs data using Microsoft Entra ID and OAuth:

Role Description
Azure Event Hubs Data owner Use this role to give complete access to Event Hubs resources.
Azure Event Hubs Data sender Use this role to give the send access to Event Hubs resources.
Azure Event Hubs Data receiver Use this role to give the consuming/receiving access to Event Hubs resources.

For Schema Registry built-in roles, see Schema Registry roles.

Resource scope

Before you assign an Azure role to a security principal, determine the scope of access that the security principal should have. Best practices dictate that it's always best to grant only the narrowest possible scope.

The following list describes the levels at which you can scope access to Event Hubs resources, starting with the narrowest scope:

  • Consumer group: At this scope, role assignment applies only to this entity. Currently, the Azure portal doesn't support assigning an Azure role to a security principal at this level.
  • Event hub: Role assignment applies to event hubs and their consumer groups.
  • Namespace: Role assignment spans the entire topology of Event Hubs under the namespace and to the consumer group associated with it.
  • Resource group: Role assignment applies to all the Event Hubs resources under the resource group.
  • Subscription: Role assignment applies to all the Event Hubs resources in all of the resource groups in the subscription.

Note

  • Keep in mind that Azure role assignments might take up to five minutes to propagate.
  • This content applies to both Event Hubs and Event Hubs for Apache Kafka. For more information on Event Hubs for Kafka support, see Event Hubs for Kafka - security and authentication.

For more information about how built-in roles are defined, see Understand role definitions. For information about creating Azure custom roles, see Azure custom roles.

Samples

Next steps

See the following related articles: