diff --git a/iothub/service/src/AmqpServiceClient.cs b/iothub/service/src/AmqpServiceClient.cs
index 26ca335659..89f7ddcba6 100644
--- a/iothub/service/src/AmqpServiceClient.cs
+++ b/iothub/service/src/AmqpServiceClient.cs
@@ -43,7 +43,7 @@ public AmqpServiceClient(
             ServiceClientTransportSettings transportSettings,
             ServiceClientOptions options)
         {
-            var iotHubConnection = new IotHubConnection(connectionProperties, AccessRights.ServiceConnect, useWebSocketOnly, transportSettings);
+            var iotHubConnection = new IotHubConnection(connectionProperties, useWebSocketOnly, transportSettings);
             Connection = iotHubConnection;
             OpenTimeout = IotHubConnection.DefaultOpenTimeout;
             OperationTimeout = IotHubConnection.DefaultOperationTimeout;
diff --git a/iothub/service/src/Common/Data/AccessRights.cs b/iothub/service/src/Common/Data/AccessRights.cs
index 2750d99bd3..9887752de9 100644
--- a/iothub/service/src/Common/Data/AccessRights.cs
+++ b/iothub/service/src/Common/Data/AccessRights.cs
@@ -45,21 +45,4 @@ public enum AccessRights
         /// </summary>
         DeviceConnect = 8
     }
-
-    internal static class AccessRightsHelper
-    {
-        public static string[] AccessRightsToStringArray(AccessRights accessRights)
-        {
-            var values = new List<string>(2);
-            foreach (AccessRights right in Enum.GetValues(typeof(AccessRights)))
-            {
-                if (accessRights.HasFlag(right))
-                {
-                    values.Add(right.ToString());
-                }
-            }
-
-            return values.ToArray();
-        }
-    }
 }
diff --git a/iothub/service/src/IotHubConnection.cs b/iothub/service/src/IotHubConnection.cs
index 645f634345..3b3a22d2b8 100644
--- a/iothub/service/src/IotHubConnection.cs
+++ b/iothub/service/src/IotHubConnection.cs
@@ -36,8 +36,6 @@ internal sealed class IotHubConnection : IDisposable
         internal static readonly TimeSpan DefaultOperationTimeout = TimeSpan.FromMinutes(1);
         internal static readonly TimeSpan DefaultOpenTimeout = TimeSpan.FromMinutes(1);
 
-        private readonly AccessRights _accessRights;
-
         private readonly bool _useWebSocketOnly;
         private readonly ServiceClientTransportSettings _transportSettings;
 
@@ -51,7 +49,7 @@ internal sealed class IotHubConnection : IDisposable
         private IOThreadTimer _refreshTokenTimer;
 #endif
 
-        public IotHubConnection(IotHubConnectionProperties credential, AccessRights accessRights, bool useWebSocketOnly, ServiceClientTransportSettings transportSettings)
+        public IotHubConnection(IotHubConnectionProperties credential, bool useWebSocketOnly, ServiceClientTransportSettings transportSettings)
         {
 #if !NET451
             _refreshTokenTimer = new IOThreadTimerSlim(s => ((IotHubConnection)s).OnRefreshTokenAsync(), this);
@@ -60,7 +58,6 @@ public IotHubConnection(IotHubConnectionProperties credential, AccessRights acce
 #endif
 
             Credential = credential;
-            _accessRights = accessRights;
             _faultTolerantSession = new FaultTolerantAmqpObject<AmqpSession>(CreateSessionAsync, CloseConnection);
             _useWebSocketOnly = useWebSocketOnly;
             _transportSettings = transportSettings;
@@ -553,7 +550,7 @@ private async Task SendCbsTokenAsync(AmqpCbsLink cbsLink, TimeSpan timeout)
                     Credential.AmqpEndpoint,
                     audience,
                     resource,
-                    AccessRightsHelper.AccessRightsToStringArray(_accessRights),
+                    Credential.AmqpAudience.ToArray(),
                     timeout)
                 .ConfigureAwait(false);
             ScheduleTokenRefresh(expiresAtUtc);
diff --git a/iothub/service/src/IotHubConnectionProperties.cs b/iothub/service/src/IotHubConnectionProperties.cs
index 572b326ee4..89162d50c4 100644
--- a/iothub/service/src/IotHubConnectionProperties.cs
+++ b/iothub/service/src/IotHubConnectionProperties.cs
@@ -45,6 +45,8 @@ protected IotHubConnectionProperties(string hostName)
 
         public Uri AmqpEndpoint { get; protected set; }
 
+        public List<string> AmqpAudience { get; protected set; } = new List<string>();
+
         public abstract string GetAuthorizationHeader();
 
         public abstract Task<CbsToken> GetTokenAsync(Uri namespaceAddress, string appliesTo, string[] requiredClaims);
diff --git a/iothub/service/src/IotHubSasCredentialProperties.cs b/iothub/service/src/IotHubSasCredentialProperties.cs
index 426f4348a3..ac7fe649aa 100644
--- a/iothub/service/src/IotHubSasCredentialProperties.cs
+++ b/iothub/service/src/IotHubSasCredentialProperties.cs
@@ -7,6 +7,7 @@
 using Microsoft.Azure.Amqp;
 using System.Globalization;
 using System.Linq;
+using Microsoft.Azure.Devices.Common.Data;
 
 #if !NET451
 
@@ -30,6 +31,7 @@ public IotHubSasCredentialProperties()
         public IotHubSasCredentialProperties(string hostName, AzureSasCredential credential) : base(hostName)
         {
             _credential = credential;
+            AmqpAudience = new List<string> { AccessRights.ServiceConnect.ToString() };
         }
 
 #endif