It is common practice to limit Azure Service Bus connection permissions at the queue scope when using Managed Entities.
The following shows the minimum permissions needed for various endpoint features using queue-scoped permissions:
Azure Service Bus Data Receiverto the endpoint's queue is required to process messages.Azure Service Bus Data Senderto the endpoint's queue is required for:Azure Service Bus Data Senderis required for the error queue.Azure Service Bus Data Senderis required for every queue the endpoint sends a command to.Azure Service Bus Data Senderis required for every queue the endpoint replies to.Azure Service Bus Data Senderis required for every topic the endpoint publishes an event to.Azure Service Bus Data Senderis required for the audit queue when auditing is enabled.Azure Service Bus Data Senderis required for the transactional session remote processor queue, when configured.Azure Service Bus Data Senderis required for the metrics queue when ServiceControl metrics are enabled.Azure Service Bus Data Senderis required for the ServiceControl queue when heartbeats or custom checks are being used.Azure Service Bus Data Senderis required for any queue the endpoint forwards to.Azure Service Bus Data Receiveris required for every satellite queue created.
Access rights
By default, the transport requires elevated privileges to manage namespace entities at runtime. If using a shared access policy, make sure to include Manage rights or the Azure Service Bus Data Owner role if authenticating using Managed Identities.
To avoid running with elevated privileges:
- Make sure that installers are not configured to run
- Use operational scripting to provision entities(queues, topics and subscriptions)