Announcing General Availability for Azure Active Directory based access control for Service Bus
Published Sep 04 2019 12:26 PM
Microsoft

We are pleased to share that Azure Active Directory (Azure AD) based role-based access control (RBAC) for Azure Service Bus is now generally available.


Enterprises can now grant fine-grained control over the management and data endpoints of Azure Service Bus to any security principal in their Azure AD tenant: specific users, groups, applications, or managed identities for Azure resources (MSI).


By default, all Azure Service Bus resources are secured and are available only to the account owner. Until now, Azure Service Bus offered shared access signatures (SAS) to control a client's access to resources, which means the shared access key that mints the SAS token has to live somewhere the client can read it. With managed identities and RBAC, you can grant fine-grained access without storing SAS keys or tokens in your code or configuration.


Microsoft recommends using Azure AD when possible for maximum security and ease of use.


How does it work? 

When a security principal attempts to access a Service Bus resource, the request must be authorized. With Azure Active Directory (Azure AD), access to a resource is a two-step process: authentication first, then authorization.

  • The client application authenticates to the Azure AD token issuance endpoint and requests an access token for the Service Bus data plane.
  • The Azure AD token issuance endpoint issues the access token (an OAuth 2.0 bearer token).
  • The client then passes the token with its request to Service Bus, which checks the role assignments of that principal at the scope of the requested resource and authorizes or rejects the access.

Because Azure AD authenticates the users and services, enterprises can use every capability Azure AD provides, such as multi-factor authentication, identity protection, and conditional access. Enterprises can also use Azure AD Privileged Identity Management (PIM) to assign "just-in-time" roles and reduce the security risk of standing administrative access.

Managed identities for Azure resources also let customer applications access Service Bus resources securely without having to manage application secrets at all.
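The three steps above, as an added example in Python that is not code from the original post or from the Azure SDKs: it builds the client-credentials request to Azure AD for the Service Bus data-plane scope, checks the returned token's audience and expiry before using it, and presents the token to the Service Bus REST send endpoint with the Bearer scheme. The tenant, application, namespace and queue names are placeholders; the HTTP transport is a parameter so the exchange can be exercised offline against a stub, and the unsigned demo token is constructed, not issued by Azure AD. In production the azure-identity and azure-servicebus SDKs do this for you (with a managed identity there is no client secret to handle); the point here is to show what passes on the wire and what to check when a request comes back 401.

```python
# Added example (not code from the original post): the Azure AD token flow for
# Service Bus, with the HTTP transport injectable so the exchange runs offline.
import base64
import json
import time
import urllib.parse
import urllib.request

# Data-plane scope/audience for Service Bus. The double slash before ".default"
# is intentional: the resource identifier itself ends with a slash.
SERVICE_BUS_SCOPE = "https://servicebus.azure.net//.default"
SERVICE_BUS_AUDIENCE = "https://servicebus.azure.net"


def build_token_request(tenant_id, client_id, client_secret):
    """Step 1: the client-credentials request to the Azure AD v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SERVICE_BUS_SCOPE,
    }).encode()
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token):
    """Decode the JWT payload. No signature check here: Service Bus validates the
    signature; the client only inspects claims so it can fail fast."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_service_bus(access_token, now=None):
    """Pre-flight checks for the two usual causes of a 401 from Service Bus:
    a token minted for another resource (ARM, Graph) and an expired token."""
    claims = token_claims(access_token)
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud != SERVICE_BUS_AUDIENCE:
        raise ValueError(f"token audience {aud!r} is not the Service Bus data plane")
    now = time.time() if now is None else now
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token has expired")
    return claims


def build_send_request(namespace, entity_path, access_token, message):
    """Step 3: present the token to the data endpoint. The REST send operation
    accepts the Azure AD token in the Authorization header, Bearer scheme."""
    url = f"https://{namespace}.servicebus.windows.net/{entity_path}/messages"
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    return url, headers, json.dumps(message).encode()


def http_post(url, headers, body):
    """Real transport; the demo and the tests substitute a stub for it."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


def send_with_aad(tenant_id, client_id, client_secret, namespace, entity_path,
                  message, post=http_post, now=None):
    """Steps 1-3 end to end. Returns the HTTP status of the send (201 on success)."""
    status, payload = post(*build_token_request(tenant_id, client_id, client_secret))
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}")
    token = json.loads(payload)["access_token"]
    check_token_for_service_bus(token, now)   # fail here, not with a 401 later
    status, _ = post(*build_send_request(namespace, entity_path, token, message))
    return status


def make_unsigned_token(claims):
    """Constructed, unsigned JWT (alg=none) for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Offline demo: a stub transport stands in for Azure AD and Service Bus.
    demo_token = make_unsigned_token({"aud": SERVICE_BUS_AUDIENCE + "/", "exp": 4102444800})

    def stub_post(url, headers, body):
        if "/oauth2/v2.0/token" in url:
            assert b"scope=https%3A%2F%2Fservicebus.azure.net%2F%2F.default" in body
            return 200, json.dumps({"access_token": demo_token}).encode()
        assert headers["Authorization"] == f"Bearer {demo_token}"
        return 201, b""

    print(send_with_aad("tenant-id", "app-id", "secret", "contoso", "orders",
                        {"hello": "world"}, post=stub_post))   # 201
```

The audience check is the one worth remembering: a token requested for `https://management.azure.com/` will happily be issued to the same service principal and is exactly as useless at the data endpoint as no token at all, and the 401 it produces looks identical to a missing role assignment.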


Built-in RBAC roles and resource scope 

Azure Service Bus defines a set of built-in roles that cover the common sets of permissions used to access Service Bus data; you can also define custom roles for accessing the data.


Important 

The preview supported adding Service Bus data access privileges to the Owner and Contributor roles. Those data access privileges on Owner and Contributor are no longer honored: the two roles remain management-plane roles and by themselves no longer authorize sending or receiving. If you are relying on the Owner or Contributor role for data access, switch to the Azure Service Bus Data Owner role.


Azure provides built-in RBAC roles for authorizing access to Service Bus data using Azure AD and OAuth 2.0; the Azure Service Bus Data Owner role named above is one of them.


The following list describes the levels at which you can scope access to Service Bus resources, starting with the narrowest scope: 

  • Subscription (under a Topic): the role assignment applies only to that one subscription. Currently the Azure portal doesn't support assigning an RBAC role to a security principal at this level, but the Azure CLI, Azure PowerShell, and Resource Manager templates do. 
  • Topic: the role assignment applies to a specific Topic and to all Subscriptions under it. 
  • Queue: the role assignment applies to a specific Queue.
  • Namespace: the role assignment spans the entire Service Bus topology under the namespace, that is, all of its queues, topics, and subscriptions. 
  • Resource group: the role assignment applies to all Service Bus resources in the resource group. 
  • Azure subscription: the role assignment applies to all Service Bus resources in every resource group of the Azure subscription. Note that this is the Azure subscription, which is different from the Subscription that exists under a Topic.

These role assignments can be made through the Azure portal or through tools like Azure PowerShell, Azure CLI, or Azure Resource Manager templates. 
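As an added example (not from the original post): the resource IDs for each scope level above, built in Python and handed to the Azure CLI's `az role assignment create`. The Azure subscription, resource group, namespace, entity and principal IDs are constructed placeholders. The built-in role names used are Azure Service Bus Data Sender, Azure Service Bus Data Receiver and Azure Service Bus Data Owner (the last is the one named above). The pair of assignments in the demo illustrates the least-privilege choice the scope list implies: a producer scoped to one queue, and a consumer scoped to its one topic subscription rather than to the whole topic or namespace.

```python
# Added example (not code from the original post): build the ARM resource ID
# for each Service Bus scope level and grant a built-in data role there with
# the Azure CLI, so a principal gets the narrowest scope that does the job.
import shlex
import subprocess

# Built-in data-plane roles: which one to grant for which operation.
BUILT_IN_ROLES = {
    "send": "Azure Service Bus Data Sender",
    "receive": "Azure Service Bus Data Receiver",
    "manage": "Azure Service Bus Data Owner",
}


def service_bus_scope(azure_subscription, resource_group=None, namespace=None,
                      queue=None, topic=None, topic_subscription=None):
    """Return the resource ID a role assignment is scoped to. Each argument
    narrows the scope: Azure subscription > resource group > namespace >
    queue, or topic > topic subscription. Two different things are called
    'subscription' here: azure_subscription is the billing boundary,
    topic_subscription is the receive-side entity under a topic."""
    scope = f"/subscriptions/{azure_subscription}"
    if resource_group is None:
        return scope
    scope += f"/resourceGroups/{resource_group}"
    if namespace is None:
        return scope
    scope += f"/providers/Microsoft.ServiceBus/namespaces/{namespace}"
    if queue and (topic or topic_subscription):
        raise ValueError("a scope is either a queue or a topic path, not both")
    if queue:
        return scope + f"/queues/{queue}"
    if topic_subscription and not topic:
        raise ValueError("a topic subscription is addressed through its topic")
    if topic:
        scope += f"/topics/{topic}"
        if topic_subscription:
            scope += f"/subscriptions/{topic_subscription}"
    return scope


def role_assignment_command(principal_object_id, principal_type, operation, scope):
    """The az CLI invocation (as argv) that grants one built-in role at one scope.
    principal_type is User, Group or ServicePrincipal (a managed identity is a
    service principal); passing it avoids an extra Graph lookup by the CLI."""
    if operation not in BUILT_IN_ROLES:
        raise ValueError(f"unknown operation {operation!r}; expected one of "
                         f"{sorted(BUILT_IN_ROLES)}")
    return ["az", "role", "assignment", "create",
            "--assignee-object-id", principal_object_id,
            "--assignee-principal-type", principal_type,
            "--role", BUILT_IN_ROLES[operation],
            "--scope", scope]


def assign(principal_object_id, principal_type, operation, scope, dry_run=True):
    """Print the command (dry run) or run it in the logged-in az CLI context."""
    cmd = role_assignment_command(principal_object_id, principal_type, operation, scope)
    if dry_run:
        print(shlex.join(cmd))
        return None
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed IDs. The producer needs only its one queue; the consumer of a
    # topic needs only its own subscription, which is narrower than the topic.
    sub = "00000000-0000-0000-0000-000000000000"
    rg, ns = "rg-messaging", "sb-contoso"
    assign("11111111-1111-1111-1111-111111111111", "ServicePrincipal", "send",
           service_bus_scope(sub, rg, ns, queue="orders"))
    assign("22222222-2222-2222-2222-222222222222", "ServicePrincipal", "receive",
           service_bus_scope(sub, rg, ns, topic="events", topic_subscription="billing"))
```

Run it as is to see the two commands printed; pass `dry_run=False` to execute them with whatever account `az login` established. Because the topic-subscription level cannot be assigned in the portal, this is also the path to take when a consumer must be confined to a single subscription.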




Last update: Jul 08 2020 01:02 PM