Managed Entity Queue-Scoped Permissions for Endpoints

The following shows the minimum permissions needed for various endpoint features using queue-scoped permissions:

Azure Service Bus Data Receiver to the endpoint's queue is required to process messages.
Azure Service Bus Data Sender to the endpoint's queue is required for:
Azure Service Bus Data Sender is required for the error queue.
Azure Service Bus Data Sender is required for every queue the endpoint sends a command to.
Azure Service Bus Data Sender is required for every queue the endpoint replies to.
Azure Service Bus Data Sender is required for every topic the endpoint publishes an event to.
Microsoft.ServiceBus/namespaces/topics/subscriptions/write is required for every topic the endpoint handles events from when using automatic subscriptions (default).
Azure Service Bus Data Sender is required for the audit queue when auditing is enabled.
Azure Service Bus Data Sender is required for the transactional session remote processor queue, when configured.
Azure Service Bus Data Sender is required for the metrics queue when ServiceControl metrics are enabled.
Azure Service Bus Data Sender is required for the ServiceControl queue when heartbeats or custom checks are being used.
Azure Service Bus Data Sender is required for any queue the endpoint forwards to.
Azure Service Bus Data Receiver is required for every satellite queue created.

By default, the transport requires elevated privileges to manage namespace entities at runtime. If using a shared access policy, make sure to include Manage rights or the Azure Service Bus Data Owner role if authenticating using Managed Identities.

To avoid running with elevated privileges:

In this article