Can IAM permission be given to Service Bus with Local authentication

Question

Can IAM permission be given to Service Bus with Local authentication

curious7 271

If I have a Service Bus with queues in it and it has local authentication enabled. Can I give some users (using their on-premises synced account) the "Azure Service Bus Data Receiver" and "Azure Service Bus Data Sender" permission to allow them to see messages in the queue by using "Service Bus Explorer" in the Azure portal??

They have Reader role on the parent Resource group so they can already see the Service Bus but can't access queues.

Or IAM permissions won't work if the Service bus has local authentication enabled. Also, how can I use Application insights or other tools to troubleshoot a webapp that is supposed to be pulling messages from this queue but is not and thus the messages are ending in dead letter queue after X number of tries.

1 answer

Your answer

Answer 1

Anurag Rohikar 2,785 Microsoft External Staff Moderator

Hello curious7,

Yes, you can grant Azure RBAC roles such as "Azure Service Bus Data Receiver" and "Azure Service Bus Data Sender" to your synced users, even if local authentication is still enabled.

How it works

Assign Data Roles: Grant the required Data Receiver/Sender roles at the Service Bus namespace or specific queue/topic scope.
Authentication Path: When users access Service Bus Explorer in the Azure Portal, it always authenticates them via their Microsoft Entra ID (Azure AD) identity. In this case, the portal checks the user’s RBAC permissions and allows sending/receiving messages if the correct data roles are assigned. This flow is independent of Shared Access Signatures (SAS).
Reader Role Limitation: The Reader role on the Resource Group only provides management plane access (viewing resources, properties, etc.), not data plane access (sending, receiving, or peeking messages). For data operations, the Service Bus–specific Data roles are required.

Best practice:

While RBAC works even if local authentication is enabled, the recommended approach is to disable local authentication. This removes connection string/SAS key access and ensures that only Entra ID + RBAC are used for secure access.

Action: Navigate to the Service Bus Namespace → Local Authentication → set to Disabled.
Result: Enforces a single, secure path for data access using Entra ID identities and RBAC roles.

References:

Hope this helps. Please do let us know if you have any further doubts. Thank you!

curious7 271 Reputation points

2025-09-25T12:46:10.25+00:00

Thanks Anurag. I have given some users the "Azure Service Bus Data Receiver" and "Azure Service Bus Data Sender", but when they click on the queue and then "peek from start" button, they only get a spinning wheel and nothing shows up although there are messages in the queue.

I tested the same setup in my test tenant and get the same issue of spinning wheel and no queue contents show up.

What will be causing it and how can I resolve that.
Anurag Rohikar 2,785 Reputation points Microsoft External Staff Moderator

2025-09-26T15:46:27.14+00:00
Hello curious7,

The issue where the “Peek from start” button in Service Bus Explorer just shows a spinning wheel is most commonly caused by network access restrictions, not by RBAC roles. Here’s how to approach this:

Check Networking First (Most Common Root Cause)
Even if users have the Azure Service Bus Data Receiver role, their Azure Portal session still needs network-level access to the Service Bus data endpoint. Common blockers are:

Public network access disabled at the namespace.

IP firewall rules that don’t allow the client’s outbound IP.

Private endpoint misconfiguration (DNS/routing not resolving to the private endpoint).

To test this quickly, go to the Service Bus Networking blade and temporarily set public network access → All networks. If “Peek from start” works, the issue is network/firewall related.

Validate RBAC Role Assignments

Make sure the Azure Service Bus Data Receiver role is assigned at the namespace level (not only at the queue).

RBAC changes can take 30–60 minutes to propagate, so wait before retesting.

Consider Portal Explorer Limitations
The in-portal Service Bus Explorer can sometimes fail to display messages even with correct permissions and networking. To rule this out:

Test with the standalone Service Bus Explorer tool.

Or try an SDK/CLI (PowerShell, .NET, Python) to perform a Peek. If those tools succeed but the portal fails, it’s a portal UI limitation.

Optional: Check Logs for Confirmation
Enable Diagnostic Settings → send logs to Log Analytics. Look for:

AuthorizationErrors (permissions issues)

UserError/Network entries (network/firewall issues)

Best Practice:

RBAC works even if local authentication is enabled. However, the recommended security posture is to disable local authentication, so all access flows through Entra ID + RBAC instead of connection strings.

References:

Configure Azure Service Bus network security

Azure Service Bus authentication and authorization

Service Bus Explorer in Azure portal (limitations)

Service Bus Explorer (standalone tool)

I hope this helps. Please do let us know if you have further questions. Thank you!
Anurag Rohikar 2,785 Reputation points Microsoft External Staff Moderator

2025-09-29T09:01:37.76+00:00

Hello curious7, just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this. Thank you!
Anurag Rohikar 2,785 Reputation points Microsoft External Staff Moderator

2025-09-30T07:56:54.58+00:00

Hello curious7, following up to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this. Thank you!

Share via

Can IAM permission be given to Service Bus with Local authentication

1 answer

Your answer