Azure Event Hubs support for Azure Active Directory based access control generally available!
Published Aug 29 2019 11:41 PM 5,217 Views

We are pleased to share that Azure Active Directory (AD) managed Role-based access control for Azure Event Hubs is now generally available.


Enterprises can now grant fine grained control over management and data endpoints for Azure Event Hubs to any security principal – specific users, applications or service identities from their Azure AD tenant using Azure Active Directory.


Event Hubs offers shared access signatures and Azure Active Directory integration (to provide role based access control) for fine-grained control over a client’s access to resources. By default, all Event Hubs resources are secured, and are available only to the account owner. You can use either shared access signatures or Azure Active Directory integration as your authorization strategy to grant clients access to Event Hubs resources. Microsoft recommends using Azure AD when possible for maximum security and ease of use.

How does it work?

When a security principal attempts to access an Event Hubs resource, the access must be authorized. With Azure Active Directory (Azure AD), access to a resource is a two-step process.

  • The client application authenticates to the Azure AD token issuance endpoint and requests an access token.
  • The Azure AD token issuance endpoint issues the access token.
  • Next, the token is passed as a part of the request to Event Hubs service to authorize access to the specified resource

Thus with Azure AD to authenticate users and services, enterprises can leverage all capabilities that Azure AD provides along with the two-factor authentication, identity protection, conditional access and more. Enterprises can also use Azure AD Privileged Identity Management (PIM) to assign “just-in-time” roles to reduce the security risk of standing administrative access.

Managed Identities for Azure resources also help customers applications to securely access Event Hubs resources without having to manage application secrets.

Built-in RBAC roles and resource scope

Azure Event Hubs defines a set of built-in roles that encompass common set of permissions used to access event hub data and you can also define custom roles for accessing the data.




Our preview supported adding Event Hubs data access privileges to Owner or Contributor role. However, data access privileges for Owner and Contributor role are no longer honored. If you are using the Owner or Contributor role, switch to using the Azure Event Hubs Data Owner role.


Azure provides the following built-in RBAC roles for authorizing access to Event Hubs data using Azure AD and OAuth:


The following list describes the levels at which you can scope access to Event Hubs resources, starting with the narrowest scope:

  • Consumer group: At this scope, role assignment applies only to this entity. Currently, the Azure portal doesn't support assigning an RBAC role to a security principal at this level.
  • Event hub: Role assignment applies to the Event Hub entity and the consumer group under it.
  • Namespace: Role assignment spans the entire topology of Event Hubs under the namespace and to the consumer group associated with it.
  • Resource group: Role assignment applies to all the Event Hubs resources under the resource group.
  • Subscription: Role assignment applies to all the Event Hubs resources in all of the resource groups in the subscription.


These role assignments can be made through the Azure portal or through tools like Azure PowerShell, Azure CLI, or Azure Resource Manager templates.




Microsoft Azure provides integrated access control management for resources and applications based on Azure Active Directory (Azure AD). Azure Event Hubs now completely supports authorizing to Event Hubs resources using Azure Active Directory. Microsoft recommends using Azure AD with your Event Hubs applications when possible.

Developers are encouraged to evaluate Managed Identities for Azure resources to authenticate applications in Azure or Azure AD service principals for apps running outside Azure.


Note: Today Event Hubs integration with Azure Active Directory to provide role-based access control is scoped only to Event Hubs. In the near future we will extend this support to Event Hubs for Kafka.

Next Steps


Version history
Last update:
‎Jul 08 2020 01:02 PM
Updated by: