Authorize access to Event Hubs resources using Azure Active Directory

Azure Event Hubs supports using Azure Active Directory (Azure AD) to authorize requests to Event Hubs resources. With Azure AD, you can use role-based access control (RBAC) to grant permissions to a security principal, which may be a user, or an application service principal. To learn more about roles and role assignments, see Understanding the different roles.

Overview

When a security principal (a user, or an application) attempts to access an Event Hubs resource, the request must be authorized. With Azure AD, access to a resource is a two-step process.

  1. First, the security principal’s identity is authenticated, and an OAuth 2.0 token is returned. The resource name to request a token is https://eventhubs.azure.net/.
  2. Next, the token is passed as part of a request to the Event Hubs service to authorize access to the specified resource.

The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity such as an Azure VM, a virtual machine scale set, or an Azure Function app, it can use a managed identity to access the resources. To learn how to authenticate requests made by a managed identity to Event Hubs service, see Authenticate access to Azure Event Hubs resources with Azure Active Directory and managed identities for Azure Resources.

The authorization step requires that one or more RBAC roles be assigned to the security principal. Azure Event Hubs provides RBAC roles that encompass sets of permissions for Event Hubs resources. The roles that are assigned to a security principal determine the permissions that the principal will have. For more information about RBAC roles, see Built-in RBAC roles for Azure Event Hubs.

Native applications and web applications that make requests to Event Hubs can also authorize with Azure AD. To learn how to request an access token and use it to authorize requests for Event Hubs resources, see Authenticate access to Azure Event Hubs with Azure AD from an application.

Assign RBAC roles for access rights

Azure Active Directory (Azure AD) authorizes access rights to secured resources through role-based access control (RBAC). Azure Event Hubs defines a set of built-in RBAC roles that encompass common sets of permissions used to access event hub data and you can also define custom roles for accessing the data.

When an RBAC role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of subscription, the resource group, the Event Hubs namespace, or any resource under it. An Azure AD security principal may be a user, or an application service principal, or a managed identity for Azure resources.

Built-in RBAC roles for Azure Event Hubs

Azure provides the following built-in RBAC roles for authorizing access to Event Hubs data using Azure AD and OAuth:

Resource scope

Before you assign an RBAC role to a security principal, determine the scope of access that the security principal should have. Best practices dictate that it's always best to grant only the narrowest possible scope.

The following list describes the levels at which you can scope access to Event Hubs resources, starting with the narrowest scope:

  • Consumer group: At this scope, role assignment applies only to this entity. Currently, the Azure portal doesn't support assigning an RBAC role to a security principal at this level.
  • Event hub: Role assignment applies to the Event Hub entity and the consumer group under it.
  • Namespace: Role assignment spans the entire topology of Event Hubs under the namespace and to the consumer group associated with it.
  • Resource group: Role assignment applies to all the Event Hubs resources under the resource group.
  • Subscription: Role assignment applies to all the Event Hubs resources in all of the resource groups in the subscription.

Note

Keep in mind that RBAC role assignments may take up to five minutes to propagate.

For more information about how built-in roles are defined, see Understand role definitions. For information about creating custom RBAC roles, see Create custom roles for Azure Role-Based Access Control.

Next steps

See the following related articles: