We are pleased to share that Azure Active Directory-managed Role-Based Access Control (RBAC) for Azure Service Bus is now generally available.
Enterprises can now grant fine-grained control over the management and data endpoints of Azure Service Bus to any security principal from their Azure AD tenant: specific users, applications, or managed service identities (MSI).
By default, all Azure Service Bus resources are secured and are available only to the account owner. In the past, Azure Service Bus offered shared access signatures (SAS) to control a client's access to resources. With MSI and RBAC, you can now grant fine-grained access without storing SAS tokens in your code or configuration.
Microsoft recommends using Azure AD when possible for maximum security and ease of use.
How does it work?
When a security principal attempts to access a Service Bus resource, the access must be authorized. With Azure Active Directory (Azure AD), access to a resource is a two-step process.
With Azure AD authenticating users and services, enterprises can use every capability Azure AD provides, including two-factor authentication, identity protection, conditional access, and more. Enterprises can also use Azure AD Privileged Identity Management (PIM) to assign "just-in-time" roles and so reduce the security risk of standing administrative access.
Managed Identities for Azure resources also let customers' applications access Service Bus resources securely without having to manage application secrets.
Built-in RBAC roles and resource scope
Azure Service Bus defines a set of built-in roles that encompass a common set of permissions used to access Service Bus data; you can also define custom roles for accessing the data.
Our preview supported adding Service Bus data access privileges to the Owner or Contributor role. However, data access privileges for the Owner and Contributor roles are no longer honored. If you are using the Owner or Contributor role, switch to the Azure Service Bus Data Owner role.
Azure provides the following built-in RBAC roles for authorizing access to Service Bus data using Azure AD and OAuth:
The following list describes the levels at which you can scope access to Service Bus resources, starting with the narrowest scope:
These role assignments can be made through the Azure portal or through tools like Azure PowerShell, Azure CLI, or Azure Resource Manager templates.
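As an added example (not from the original announcement), the shell script below shows how such an assignment is made with Azure CLI: it builds the Azure Resource Manager resource id that serves as the role-assignment scope (whole namespace, or a single queue or topic under it, which is the narrowest scope a queue-bound application needs), composes the `az role assignment create` call for the Azure Service Bus Data Owner role, and, when an authenticated `az` session is available, runs it and lists the assignments at that scope to confirm. The subscription, resource group, namespace and principal object ids are constructed placeholders; the `az` subcommands and the `Microsoft.ServiceBus/namespaces/{queues|topics}` resource path are real.

```shell
#!/usr/bin/env sh
# Added example: assign the "Azure Service Bus Data Owner" role to a principal
# at the narrowest Service Bus scope that fits, using Azure CLI.

# Build the ARM resource id used as the role-assignment scope.
# Usage: sb_scope SUBSCRIPTION_ID RESOURCE_GROUP NAMESPACE [ENTITY_TYPE ENTITY_NAME]
#   ENTITY_TYPE is "queues" or "topics"; omit both to scope to the whole namespace.
sb_scope() {
  sub="$1"; rg="$2"; ns="$3"; etype="${4:-}"; ename="${5:-}"
  base="/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.ServiceBus/namespaces/$ns"
  if [ -z "$etype" ]; then
    printf '%s\n' "$base"
    return 0
  fi
  case "$etype" in
    queues|topics) printf '%s/%s/%s\n' "$base" "$etype" "$ename" ;;
    *) echo "sb_scope: entity type must be 'queues' or 'topics'" >&2; return 1 ;;
  esac
}

# Compose the az command that grants ROLE to ASSIGNEE (object id of a user,
# group, service principal or managed identity) at SCOPE. It is printed rather
# than executed so the planned assignment can be reviewed before it runs.
sb_role_assignment_cmd() {
  assignee="$1"; scope="$2"; role="${3:-Azure Service Bus Data Owner}"
  printf 'az role assignment create --assignee %s --role "%s" --scope %s\n' \
    "$assignee" "$role" "$scope"
}

# Perform the assignment, then list the assignments at that scope to confirm.
# Requires an authenticated Azure CLI session (az login); without az installed
# it only prints the planned command.
sb_grant() {
  assignee="$1"; scope="$2"; role="${3:-Azure Service Bus Data Owner}"
  cmd=$(sb_role_assignment_cmd "$assignee" "$scope" "$role")
  if command -v az >/dev/null 2>&1; then
    az role assignment create --assignee "$assignee" --role "$role" --scope "$scope"
    az role assignment list --scope "$scope" --role "$role" --output table
  else
    echo "az not found; would run: $cmd" >&2
  fi
}

# Example values (constructed placeholders, not real ids):
#   SCOPE=$(sb_scope 00000000-0000-0000-0000-000000000000 my-rg my-namespace queues orders)
#   sb_grant 11111111-1111-1111-1111-111111111111 "$SCOPE"
```

Scoping the assignment to the queue or topic rather than the namespace keeps an application's managed identity from reaching entities it has no reason to touch; the `az role assignment list` step at the end is the check worth keeping in a deployment script, since it shows exactly which principals hold data access at that scope.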