0
votes

I have been successfully using Azure Event Hub to receive change notifications from the MS Graph API, as per the instructions here: https://docs.microsoft.com/en-us/graph/change-notifications-delivery

I have been tasked to use RBAC instead of SAS to allow Graph to send events to the Event Hub. To do so I have:

  1. assigned the "Azure Event Hubs Data Sender" role to the "Microsoft Graph Change Tracking" principal,
  2. updated the notification URL of my Graph subscription requests to remove the access key. The URL is still stored in an Azure Key Vault (as per the docs), in the form Endpoint=sb://<my namespace>.servicebus.windows.net/;EntityPath=<my ehub name>

Subscription creation requests are rejected by graph with:

Message: Unauthorized access. 'Send' claim(s) are required to perform this operation. Resource: 'sb://<my event hub namespace>.servicebus.windows.net/<my event hub name>'. TrackingId:2d3e314a1fa24297a895342e9267e7fb_G19, SystemTracker:gateway5, Timestamp:2021-02-18T17:02:08

Any help would be greatly appreciated.

1
I am not sure if the "microsoft graph change tracking" SP is used to fetch the access token. In order to check that the EH permissions are actually working, you can try running a console app to fetch an access token for the same service principal and then try sending some dummy events to your Event Hub with it. Let me know if you need a code sample. - Serkant Karaca
@SerkantKaraca Thank you, a sample would be appreciated - mimimi
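The check suggested in the comments, as an added example rather than code from the thread: it confirms the stored notification URL carries no SAS key material, derives the resource URI quoted in the 'Send' claim error, and optionally acquires an Azure AD token for the Event Hubs audience and sends one event under RBAC. Credentials belong to a test service principal of your own (assumed to hold the Azure Event Hubs Data Sender role); the namespace, hub name and connection string below are constructed values.

```python
"""Added example: verify an RBAC-only Event Hub notification URL and, optionally,
exercise the 'Send' claim with a test principal. All sample values are constructed."""

EH_SCOPE = "https://eventhubs.azure.net/.default"  # Azure AD audience for Event Hubs
SAS_KEYS = ("SharedAccessKeyName", "SharedAccessKey", "SharedAccessSignature")
SAMPLE_CONN = "Endpoint=sb://contoso-ns.servicebus.windows.net/;EntityPath=graph-notifications"


def parse_eventhub_connection(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict (values may themselves contain '=')."""
    parts = {}
    for item in conn.split(";"):
        if item.strip():
            key, _, value = item.partition("=")
            parts[key.strip()] = value.strip()
    return parts


def rbac_ready(conn: str) -> bool:
    """True when Endpoint and EntityPath are present and no SAS credential remains."""
    p = parse_eventhub_connection(conn)
    return "Endpoint" in p and "EntityPath" in p and not any(k in p for k in SAS_KEYS)


def fq_namespace(conn: str) -> str:
    """'sb://ns.servicebus.windows.net/' -> 'ns.servicebus.windows.net'."""
    endpoint = parse_eventhub_connection(conn)["Endpoint"]
    return endpoint.split("://", 1)[-1].strip("/")


def resource_uri(conn: str) -> str:
    """Resource as it appears in the 'Send claim(s) are required' error message."""
    return f"sb://{fq_namespace(conn)}/{parse_eventhub_connection(conn)['EntityPath']}"


def send_test_event(conn: str, tenant_id: str, client_id: str, client_secret: str) -> float:
    """Fetch a token as a test principal, send one dummy event, return the token expiry.
    Requires azure-identity and azure-eventhub; raises if the 'Send' claim is missing."""
    from azure.identity import ClientSecretCredential
    from azure.eventhub import EventHubProducerClient, EventData

    cred = ClientSecretCredential(tenant_id, client_id, client_secret)
    token = cred.get_token(EH_SCOPE)  # step 1: token for the Event Hubs audience
    with EventHubProducerClient(fully_qualified_namespace=fq_namespace(conn),
                                eventhub_name=parse_eventhub_connection(conn)["EntityPath"],
                                credential=cred) as producer:
        batch = producer.create_batch()  # step 2: RBAC-authorised send
        batch.add(EventData(b'{"test": "rbac send check"}'))
        producer.send_batch(batch)
    return token.expires_on


if __name__ == "__main__":
    print("RBAC-only URL:", rbac_ready(SAMPLE_CONN), "| resource:", resource_uri(SAMPLE_CONN))
```

Run `send_test_event(SAMPLE_CONN, tenant_id, client_id, client_secret)` with your own test principal's values; a success there with a failure from Graph points at the Graph-side identity rather than the hub's role assignment.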

1 Answer

0
votes

Someone from MSFT confirmed to my client that the mechanism is not currently supported, nor planned at the moment.