We are pleased to share that Azure Active Directory (AD)-managed role-based access control for Azure Event Hubs is now generally available.
Enterprises can now grant fine-grained control over the management and data endpoints of Azure Event Hubs to any security principal in their Azure AD tenant: specific users, applications, or service identities.
Event Hubs offers shared access signatures and Azure Active Directory integration (to provide role-based access control) for fine-grained control over a client's access to resources. By default, all Event Hubs resources are secured and are available only to the account owner. You can use either shared access signatures or Azure Active Directory integration as your authorization strategy to grant clients access to Event Hubs resources. Microsoft recommends using Azure AD when possible for maximum security and ease of use.
When a security principal attempts to access an Event Hubs resource, the access must be authorized. With Azure Active Directory (Azure AD), access to a resource is a two-step process.
By using Azure AD to authenticate users and services, enterprises can leverage all of the capabilities that Azure AD provides, such as two-factor authentication, identity protection, conditional access, and more. Enterprises can also use Azure AD Privileged Identity Management (PIM) to assign "just-in-time" roles to reduce the security risk of standing administrative access.
Managed identities for Azure resources also help customers' applications access Event Hubs resources securely without having to manage application secrets.
Azure Event Hubs defines a set of built-in roles that encompass a common set of permissions used to access event hub data, and you can also define custom roles for accessing the data.
During the preview, Event Hubs data access privileges were added to the Owner and Contributor roles. However, data access privileges for the Owner and Contributor roles are no longer honored. If you are using the Owner or Contributor role, switch to the Azure Event Hubs Data Owner role.
Azure provides the following built-in RBAC roles for authorizing access to Event Hubs data using Azure AD and OAuth:
The following list describes the levels at which you can scope access to Event Hubs resources, starting with the narrowest scope:
These role assignments can be made through the Azure portal or through tools like Azure PowerShell, Azure CLI, or Azure Resource Manager templates.
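As an added example (not code from the announcement or from Microsoft), the following Azure CLI helper assigns a data-plane role at the narrowest scope that fits, and refuses the Owner and Contributor roles, which no longer grant data access. The `az role assignment create` command and the `Azure Event Hubs Data Owner`, `Data Sender` and `Data Receiver` role names are real; the subscription, resource group, namespace, event hub and principal object ID are placeholders you supply, and `eh_scope`, `data_role_ok` and `assign_eh_data_role` are helper names chosen here.

```shell
# Build the ARM scope for a role assignment. Narrowest scope wins:
# a single event hub if given, otherwise the whole namespace.
eh_scope() {
  sub="$1"; rg="$2"; ns="$3"; hub="${4:-}"
  scope="/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.EventHub/namespaces/$ns"
  if [ -n "$hub" ]; then
    scope="$scope/eventhubs/$hub"
  fi
  printf '%s\n' "$scope"
}

# Only the Event Hubs data roles grant data-plane access. Owner and
# Contributor no longer do (as the announcement notes), so refuse them
# here rather than silently handing out a role that will not work for data.
data_role_ok() {
  case "$1" in
    "Azure Event Hubs Data Owner"|"Azure Event Hubs Data Sender"|"Azure Event Hubs Data Receiver") return 0 ;;
    *) return 1 ;;
  esac
}

# Create the assignment. The assignee is an Azure AD object ID: a user,
# a service principal, or the managed identity of an Azure resource.
assign_eh_data_role() {
  principal="$1"; role="$2"; scope="$3"
  if ! data_role_ok "$role"; then
    echo "refusing '$role': use an Azure Event Hubs Data * role for data access" >&2
    return 1
  fi
  az role assignment create --assignee "$principal" --role "$role" --scope "$scope"
}

main() {
  # Placeholder values: a producer identity gets only the Sender role on one hub.
  scope=$(eh_scope "<subscription-id>" "<resource-group>" "<namespace>" "<event-hub>")
  assign_eh_data_role "<principal-object-id>" "Azure Event Hubs Data Sender" "$scope"
}

# Only call Azure when explicitly asked (EH_APPLY=1), so the functions can be
# sourced and checked without touching a subscription.
if [ "${EH_APPLY:-0}" = "1" ]; then
  main "$@"
fi
```

Run with `EH_APPLY=1 sh assign.sh` after `az login`; the same `eh_scope` output can also be used as the `--scope` when granting a managed identity access to a namespace instead of a single hub.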
Microsoft Azure provides integrated access control management for resources and applications based on Azure Active Directory (Azure AD). Azure Event Hubs now fully supports authorizing access to Event Hubs resources using Azure Active Directory. Microsoft recommends using Azure AD with your Event Hubs applications when possible.
Note: Today Event Hubs integration with Azure Active Directory to provide role-based access control is scoped only to Event Hubs. In the near future we will extend this support to Event Hubs for Kafka.