Skip to content

Latest commit

 

History

History
81 lines (62 loc) · 4.7 KB

mqtt-client-microsoft-entra-token-and-rbac.md

File metadata and controls

81 lines (62 loc) · 4.7 KB
title description ms.topic ms.custom ms.date author ms.author ms.subservice
Microsoft Entra JWT authentication and RBAC authorization for clients with Microsoft Entra identity
Describes JWT authentication and RBAC roles to authorize clients with Microsoft Entra identity to publish or subscribe MQTT messages
conceptual
ignite-2023
11/15/2023
george-guirguis
geguirgu
mqtt

Microsoft Entra JWT authentication and Azure RBAC authorization to publish or subscribe MQTT messages

You can authenticate MQTT clients with Microsoft Entra JWT to connect to Event Grid namespace. You can use Azure role-based access control (Azure RBAC) to enable MQTT clients, with Microsoft Entra identity, to publish or subscribe access to specific topic spaces.

Important

  • This feature is supported only when using MQTT v5 protocol version
  • JWT authentication is supported for Managed Identities and Service principals only

Prerequisites

Authentication using Microsoft Entra JWT

You can use the MQTT v5 CONNECT packet to provide the Microsoft Entra JWT token to authenticate your client, and you can use the MQTT v5 AUTH packet to refresh the token.

In CONNECT packet, you can provide required values in the following fields:

Field Value
Authentication Method OAUTH2-JWT
Authentication Data JWT token

In AUTH packet, you can provide required values in the following fields:

Field Value
Authentication Method OAUTH2-JWT
Authentication Data JWT token
Authentication Reason Code 25

Authenticate Reason Code with value 25 signifies reauthentication.

Note

Authorization to grant access permissions

A client using Microsoft Entra ID based JWT authentication needs to be authorized to communicate with the Event Grid namespace. You can assign the following two built-in roles to provide either publish or subscribe permissions, to clients with Microsoft Entra identities.

  • Use EventGrid TopicSpaces Publisher role to provide MQTT message publisher access
  • Use EventGrid TopicSpaces Subscriber role to provide MQTT message subscriber access

You can use these roles to provide permissions at subscription, resource group, Event Grid namespace or Event Grid topicspace scope.

Assigning the publisher role to your Microsoft Entra identity at topicspace scope

  1. In the Azure portal, navigate to your Event Grid namespace
  2. Navigate to the topicspace to which you want to authorize access.
  3. Go to the Access control (IAM) page of the topicspace
  4. Select the Role assignments tab to view the role assignments at this scope.
  5. Select + Add and Add role assignment.
  6. On the Role tab, select the "Event Grid TopicSpaces Publisher" role.
  7. On the Members tab, for Assign access to, select User, group, or service principal option to assign the selected role to one or more service principals (applications).
  8. Select + Select members.
  9. Find and select the service principals.
  10. Select Next
  11. Select Review + assign on the Review + assign tab.

Note

You can follow similar steps to assign the built-in EventGrid TopicSpaces Subscriber role at topicspace scope.

Next steps