MOSAIC - ms.topic to how-to and apply pattern

Author: spelluru

articles/service-bus-messaging/service-bus-managed-service-identity.md

@@ -1,52 +1,68 @@
 ---
-title: Managed identities for Azure resources with Service Bus
-description: This article describes how to use managed identities to access with Azure Service Bus entities (queues, topics, and subscriptions).
-ms.topic: article
+title: Use Managed Identities with Azure Service Bus
+description: Learn how to authenticate and access Azure Service Bus queues, topics, and subscriptions using managed identities for Azure resources.
+ms.topic: how-to
 ms.date: 02/11/2025
+
+#customer intent: As a developer, I want to use managed identities to authenticate my application to Azure Service Bus so that I can avoid storing credentials in my code.
+
 ---
 
-# Authenticate a managed identity with Microsoft Entra ID to access Azure Service Bus resources
-Managed identities for Azure resources provide Azure services with an automatically managed identity in Microsoft Entra ID. You can use this identity to authenticate to any service such as Azure Service Bus that supports Microsoft Entra authentication, without having credentials in your code. If you aren't familiar with managed identities, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) before proceeding to read through this article.
+# How to use managed identities with Azure Service Bus
+
+Managed identities for Azure resources provide Azure services with an automatically managed identity in Microsoft Entra ID. You can use this identity to authenticate to Azure Service Bus without storing credentials in your code.
 
-Here are the high-level steps to use a managed identity to access a Service Bus entity: 
+This article shows you how to:
 
-1. Enable managed identity for your client app or environment. For example, enable managed identity for your Azure App Service app, Azure Functions app, or a virtual machine in which your app is running. Here are the articles that help you with this step:
-    - [Configure managed identities for App Service and Azure Functions](../app-service/overview-managed-identity.md)
-    - [Configure managed identities for Azure resources on a virtual machine (VM)](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md)    
-1. Assign Azure Service Bus Data Owner, Azure Service Bus Data Sender, or Azure Service Bus Data Receiver role to the managed identity at the appropriate scope (Azure subscription, resource group, Service Bus namespace, or Service Bus queue or topic). For instructions to assign a role to a managed identity, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).
-1. In your application, use the managed identity and the endpoint to Service Bus namespace to connect to the namespace. 
+> [!div class="checklist"]
+> - Enable a managed identity for your Azure compute resource
+> - Assign Service Bus roles to the managed identity
+> - Connect to Service Bus from your application using the managed identity
 
-    For example, in .NET, you use the [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient.-ctor#azure-messaging-servicebus-servicebusclient-ctor(system-string-azure-core-tokencredential)) constructor that takes `TokenCredential` and `fullyQualifiedNamespace` (a string, for example: `cotosons.servicebus.windows.net`) parameters to connect to Service Bus using the managed identity. You pass in [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential), which derives from `TokenCredential` and uses the managed identity. In `DefaultAzureCredentialOptions`, set the `ManagedIdentityClientId` to the ID of client's managed identity.
+If you're not familiar with managed identities, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md).
 
-    ```csharp
-    string fullyQualifiedNamespace = "<your namespace>.servicebus.windows.net>";
-    string userAssignedClientId = "<your managed identity client ID>";
+## Prerequisites
 
-    var credential = new DefaultAzureCredential(
-        new DefaultAzureCredentialOptions
-        {
-            ManagedIdentityClientId = userAssignedClientId
-        });
+To use managed identities with Azure Service Bus, you need:
 
-    var sbusClient = new ServiceBusClient(fullyQualifiedNamespace, credential);
-    ```    
+- An Azure subscription. If you don't have one, create a [free account](https://azure.microsoft.com/free/) before you begin.
+- An Azure Service Bus namespace. To create one, see [Create a Service Bus namespace](service-bus-create-namespace-portal.md).
+- A managed identity enabled on your Azure compute resource. See:
+  - [Configure managed identities for App Service and Azure Functions](../app-service/overview-managed-identity.md)
+  - [Configure managed identities for Azure resources on a virtual machine (VM)](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md)
 
-    > [!IMPORTANT]
-    > You can disable local or SAS key authentication for a Service Bus namespace and allow only Microsoft Entra authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md).
+> [!IMPORTANT]
+> You can disable local or SAS key authentication for a Service Bus namespace and allow only Microsoft Entra authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md).
     
-## Azure built-in roles for Azure Service Bus
-Microsoft Entra authorizes access to secured resources through [Azure role-based access control (RBAC)](../role-based-access-control/overview.md). Azure Service Bus defines a set of Azure built-in roles that encompass common sets of permissions used to access Service Bus entities. You can also define custom roles for accessing the data. 
+## Assign a Service Bus role to the managed identity
+
+Microsoft Entra authorizes access to secured resources through [Azure role-based access control (RBAC)](../role-based-access-control/overview.md). Azure Service Bus provides Azure built-in roles that encompass common sets of permissions used to access Service Bus entities. You can also define custom roles.
+
+The following table lists the Azure built-in roles for authorizing access to a Service Bus namespace:
+
+| Role | Description |
+|------|-------------|
+| [Azure Service Bus Data Owner](../role-based-access-control/built-in-roles.md#azure-service-bus-data-owner) | Full access to Service Bus namespace and its entities (queues, topics, subscriptions, and filters) |
+| [Azure Service Bus Data Sender](../role-based-access-control/built-in-roles.md#azure-service-bus-data-sender) | Send messages to Service Bus queues and topics |
+| [Azure Service Bus Data Receiver](../role-based-access-control/built-in-roles.md#azure-service-bus-data-receiver) | Receive messages from Service Bus queues and subscriptions |
 
-Azure provides the following Azure built-in roles for authorizing access to a Service Bus namespace:
+### Assign a role in the Azure portal
 
-- [Azure Service Bus Data Owner](../role-based-access-control/built-in-roles.md#azure-service-bus-data-owner): Use this role to allow full access to Service Bus namespace and its entities (queues, topics, subscriptions, and filters)
-- [Azure Service Bus Data Sender](../role-based-access-control/built-in-roles.md#azure-service-bus-data-sender): Use this role to allow sending messages to Service Bus queues and topics.
-- [Azure Service Bus Data Receiver](../role-based-access-control/built-in-roles.md#azure-service-bus-data-receiver): Use this role to allow receiving messages from Service Bus queues and subscriptions. 
+To assign a role to a managed identity in the Azure portal:
 
-To assign a role to a managed identity in the Azure portal, use the **Access control (IAM)** page. Navigate to this page by selecting **Access control (IAM)** on the **Service Bus Namespace** page or **Service Bus queue** page, or **Service Bus topic** page. For step-by-step instructions for assigning a role, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal). 
+1. Go to your Service Bus namespace, queue, or topic.
+1. Select **Access control (IAM)** from the left menu.
+1. Select **Add** > **Add role assignment**.
+1. On the **Role** tab, select the appropriate Service Bus data role.
+1. On the **Members** tab, select **Managed identity**, then select **Select members**.
+1. Select the managed identity for your Azure resource.
+1. Select **Review + assign**.
 
-## Resource scope 
-Before you assign an Azure role to a managed identity, determine the scope of access that the managed identity should have. Best practices dictate that it's always best to grant only the narrowest possible scope.
+For more information, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).
+
+### Choose the resource scope
+
+Before you assign an Azure role, determine the scope of access that the managed identity needs. Grant only the narrowest possible scope.
 
 The following list describes the levels at which you can scope access to Service Bus resources, starting with the narrowest scope:
 
@@ -56,9 +72,11 @@ The following list describes the levels at which you can scope access to Service
 - **Subscription**: Role assignment applies to all the Service Bus resources in all of the resource groups in the subscription.
 
     > [!NOTE]
-    > Keep in mind that Azure role assignments may take up to five minutes to propagate. 
+    > Azure role assignments might take up to five minutes to propagate.
+
+### Assign a role using Azure CLI
 
-Currently, the Azure portal doesn't support assigning users, groups, or managed identities to Service Bus Azure roles at the topic's subscription level. Here's an example of using the Azure CLI command: [az-role-assignment-create](/cli/azure/role/assignment?#az-role-assignment-create) to assign an identity to a Service Bus Azure role: 
+The Azure portal doesn't support assigning managed identities to Service Bus roles at the topic subscription level. Use the Azure CLI [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command to assign a role at any scope: 
 
 ```azurecli
 az role assignment create \
@@ -70,24 +88,26 @@ az role assignment create \
 For more information about how built-in roles are defined, see [Understand role definitions](../role-based-access-control/role-definitions.md#control-and-data-actions). For information about creating Azure custom roles, see [Azure custom roles](../role-based-access-control/custom-roles.md).
 
 > [!NOTE]
-> If the source service or app doesn't restart after the access to a Service Bus entity is disabled by removing the source's managed identity from the Service Bus RBAC role, the source app may continue to send/receive messages to/from the Service Bus entity until the token expires (default token validity is 24 hours). This behavior is by design. 
+> If the source service or app doesn't restart after the access to a Service Bus entity is disabled by removing the source's managed identity from the Service Bus RBAC role, the source app might continue to send/receive messages to/from the Service Bus entity until the token expires (default token validity is 24 hours). This behavior is by design. 
 >
 > Therefore, after you remove the source's managed identity from the RBAC role, restart the source app or service to immediately expire the token and prevent it from sending messages to or receiving messages from the Service Bus entity. 
 
-## Using SDKs
+## Connect to Service Bus using managed identity in Azure SDKs
+
+Azure SDKs for .NET, Java, JavaScript, and Python support managed identity authentication with Service Bus. The following example shows how to connect using the .NET SDK.
 
 In .NET, the [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object is initialized by using a constructor that takes a fully qualified namespace and a `TokenCredential`. The `DefaultAzureCredential` derives from `TokenCredential`, which automatically uses the managed identity configured for the app. The flow of the managed identity context to Service Bus and the authorization handshake are automatically handled by the token credential. It's a simpler model than using SAS.
 
 ```csharp
-var client = new ServiceBusClient('cotosons.servicebus.windows.net', new DefaultAzureCredential());
+var client = new ServiceBusClient("contoso.servicebus.windows.net", new DefaultAzureCredential());
 ```
 
 You send and receive messages as usual using [ServiceBusSender](/dotnet/api/azure.messaging.servicebus.servicebussender) and [ServiceBusReceiver](/dotnet/api/azure.messaging.servicebus.servicebusreceiver) or [ServiceBusProcessor](/dotnet/api/azure.messaging.servicebus.servicebusprocessor). 
 
 For complete step-by-step instructions to send and receive messages using a managed identity, see the following quickstarts. These quickstarts have the code to use a service principal to send and receive messages, but the code is the same for using a managed identity.  
 
-- [.NET](service-bus-dotnet-get-started-with-queues.md).
-- [Java](service-bus-java-how-to-use-queues.md).
+- [.NET](service-bus-dotnet-get-started-with-queues.md)
+- [Java](service-bus-java-how-to-use-queues.md)
 - [JavaScript](service-bus-nodejs-how-to-use-queues.md)
 - [Python](service-bus-python-how-to-use-queues.md)
 
@@ -96,4 +116,7 @@ For complete step-by-step instructions to send and receive messages using a mana
 
 
 ## Next steps
-See [this .NET web application sample on GitHub](https://github.com/Azure-Samples/app-service-msi-servicebus-dotnet/tree/master), which uses a managed identity to connect to Service Bus to send and receive messages. Add the identity of the app service to the **Azure Service Bus Data Owner** role. 
+
+- [Sample: .NET web application using managed identity with Service Bus](https://github.com/Azure-Samples/app-service-msi-servicebus-dotnet/tree/master)
+- [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md)
+- [Disable local authentication for Service Bus](disable-local-authentication.md)