| title | include file |
|---|---|
| description | include file |
| services | storage |
| author | alexwolfmsft |
| ms.service | azure-storage |
| ms.topic | include |
| ms.date | 06/16/2025 |
| ms.author | alexwolf |
| ms.custom | include file |
When you develop locally, make sure that the user account that connects to Azure Event Hubs has the correct permissions. You need the Azure Event Hubs Data Owner role to send and receive messages. To assign yourself this role, you need the User Access Administrator role, or another role that includes the Microsoft.Authorization/roleAssignments/write action. You can assign Azure RBAC roles to a user using the Azure portal, Azure CLI, or Azure PowerShell. For more information, see the Understand scope for Azure RBAC page.
The following example assigns the Azure Event Hubs Data Owner role to your user account, which provides full access to Azure Event Hubs resources. In a real scenario, follow the Principle of Least Privilege to give users only the minimum permissions needed for a more secure production environment.
For Azure Event Hubs, the management of namespaces and all related resources through the Azure portal and the Azure resource management API is already protected using the Azure RBAC model. Azure provides the following built-in roles for authorizing access to an Event Hubs namespace:
- Azure Event Hubs Data Owner: Enables data access to Event Hubs namespace and its entities (queues, topics, subscriptions, and filters).
- Azure Event Hubs Data Sender: Use this role to give the sender access to Event Hubs namespace and its entities.
- Azure Event Hubs Data Receiver: Use this role to give the receiver access to Event Hubs namespace and its entities.
If you want to create a custom role, see Rights required for Event Hubs operations.
Important
In most cases, it takes a minute or two for the role assignment to propagate in Azure. In rare cases, it might take up to eight minutes. If you receive authentication errors when you first run your code, wait a few moments and try again.
- In the Azure portal, locate your Event Hubs namespace using the main search bar or left navigation.
- On the overview page, select Access control (IAM) from the left-hand menu.
- On the Access control (IAM) page, select the Role assignments tab.
- Select + Add from the top menu. Then select Add role assignment.

  :::image type="content" source="media/event-hub-assign-roles/add-role.png" alt-text="Screenshot showing how to assign a role." lightbox="media/event-hub-assign-roles/add-role.png":::
- Use the search box to filter the results to the desired role. For this example, search for Azure Event Hubs Data Owner and select the matching result. Then choose Next.
- Under Assign access to, select User, group, or service principal. Then choose + Select members.
- In the dialog, search for your Microsoft Entra username (usually your user@domain email address). Choose Select at the bottom of the dialog.
- Select Review + assign to go to the final page. Select Review + assign again to complete the process.
To assign a role at the resource level using the Azure CLI, first get the resource ID using the az eventhubs namespace show command. You can filter the output properties using the --query parameter.
```bash
az eventhubs namespace show -g '<your-event-hub-resource-group>' -n '<your-event-hub-name>' --query id
```
Copy the output Id from the preceding command. You can then assign roles using the az role assignment create command.
```bash
az role assignment create --assignee "<user@domain>" \
    --role "Azure Event Hubs Data Owner" \
    --scope "<your-resource-id>"
```
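The least-privilege variant of the CLI assignment above, as an added example that is not part of the original page: it picks Azure Event Hubs Data Sender or Data Receiver instead of Data Owner and narrows the scope to a single event hub or consumer group. The function names, the sample values, and the child scope paths (standard Azure resource ID layout) are assumptions, not taken from the page.

```shell
# Added example; every ID and name used here is a constructed placeholder.

# Map the access an identity needs to the narrowest built-in data role.
eh_role_for() {
  case "$1" in
    send)    echo "Azure Event Hubs Data Sender" ;;
    receive) echo "Azure Event Hubs Data Receiver" ;;
    *) echo "unsupported access '$1' (use send or receive)" >&2; return 1 ;;
  esac
}

# Build a scope: namespace, then optional event hub, then optional consumer group.
# Assumption: child scopes follow the standard Azure resource ID layout.
eh_scope() {
  local sub="$1" rg="$2" ns="$3" hub="${4:-}" cg="${5:-}"
  if [ -z "$sub" ] || [ -z "$rg" ] || [ -z "$ns" ]; then
    echo "subscription, resource group and namespace are required" >&2
    return 1
  fi
  if [ -n "$cg" ] && [ -z "$hub" ]; then
    echo "a consumer group scope needs its event hub" >&2
    return 1
  fi
  local scope="/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.EventHub/namespaces/$ns"
  if [ -n "$hub" ]; then scope="$scope/eventhubs/$hub"; fi
  if [ -n "$cg" ]; then scope="$scope/consumergroups/$cg"; fi
  echo "$scope"
}

# Print the az command for review instead of running it.
# Arguments: assignee, access (send|receive), subscription, resource group,
# namespace, optional event hub, optional consumer group.
eh_assign_cmd() {
  local role target
  role=$(eh_role_for "$2") || return 1
  target=$(eh_scope "$3" "$4" "$5" "${6:-}" "${7:-}") || return 1
  printf 'az role assignment create --assignee "%s" --role "%s" --scope "%s"\n' \
    "$1" "$role" "$target"
}

# Constructed values: a sender that only needs one event hub.
eh_assign_cmd "sender@contoso.example" send \
  "00000000-0000-0000-0000-000000000000" "rg-demo" "ns-demo" "orders"
```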
To assign a role at the resource level using Azure PowerShell, first get the resource ID using the Get-AzResource command.
```powershell
Get-AzResource -ResourceGroupName "<your-event-hub-resource-group>" -Name "<your-event-hub-name>"
```
Copy the Id value from the preceding command output. You can then assign roles using the New-AzRoleAssignment command.
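```powershell
# Quote the substituted values so the sign-in name and resource ID are passed as single strings.
New-AzRoleAssignment -SignInName "<user@domain>" `
    -RoleDefinitionName "Azure Event Hubs Data Owner" `
    -Scope "<yourResourceId>"
```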