MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Built-in Endpoints and Managed Identity #55813

Closed Falconwmua closed 4 years ago

Falconwmua commented 4 years ago

Two feedback items.

  1. Does the Built-In Endpoint support access via Managed Identity/Service Principals like normal Event Hubs?
  2. Shouldn't Managed Identity for IoTHub be its own document since it can be used outside a Vnet scenario? Understanding that's required for implementing IoTHub routing to Vnet protected resources.


jlian commented 4 years ago
  1. No, I believe the built-in event hub endpoint currently cannot be accessed like a normal Event Hub with managed identity or service principals. Is this something you need?

  2. My understanding is that @ash2017 is adding references to our routing docs about managed identities

Falconwmua commented 4 years ago

Yes. It would better align with the various other services we use and keep a consistent authentication model.

jlian commented 4 years ago

Can you describe your scenario a little more? Is IoT Hub's implementation of MSI not enough?

Falconwmua commented 4 years ago

IoT Hub's implementation of MSI is fine for all the scenarios where we send data to other resources. But we also make use of the Built-In Endpoint for pulling data off that doesn't match one of our other rules. Being able to access this endpoint in the same manner as our other Event Hubs would allow us to have a coherent access model throughout our services.

jlian commented 4 years ago

So you're looking to be able to grant the built-in Event Hub's system assigned managed identity some RBAC role to access one of your systems?

Or maybe you want to do the reverse where you want to have, say, one of your VMs be granted a "Receiver" role to the built-in event hub, to follow principles of least privilege?

Falconwmua commented 4 years ago

The second one. We want a VM or other service that can use its Managed Identity or Service Principal (if MI isn't supported) and be assigned a Receiver role against the Built-In Endpoint.

jlian commented 4 years ago

Got it. Support for this scenario is on the roadmap. However, I think it's likely that we end up having "IoT Hub Receiver" for consuming from the built-in endpoint and not "Event Hub Receiver".

Will that work in your system?

Falconwmua commented 4 years ago

The role name doesn't matter as long as we can use a version of the EventHostProcessor library that supports MI/SP.

jlian commented 4 years ago

please-close

aseminjakiw commented 3 years ago

Is there an ETA for this feature? We have essentially the same problem. We have a VM or Web App which wants to read from the built-in endpoint. We would like to use Managed Identity to reduce secret maintenance and improve security.

Currently we have two non-ideal options:

  1. We use a connection string with shared access key
  2. We create an additional Event Hub and pipe the data from IoT Hub to Event Hub. Then we can access the Event Hub with a Managed Identity. But this means unnecessary costs.

jlian commented 3 years ago

Sorry, there is no ETA. Currently the workaround with an additional Event Hub as you mentioned would be best for your security.
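The workaround recommended above (route IoT Hub messages to a separate Event Hub, then read that hub with a managed identity instead of a shared access key) as an added Bicep example. This is not code from the thread or from the azure-docs repository. `baseName`, `consumerPrincipalId` and all resource names are assumptions; the two role-definition GUIDs are the IDs of Azure's built-in "Azure Event Hubs Data Sender" and "Azure Event Hubs Data Receiver" roles. A user-assigned identity is used for the IoT Hub rather than a system-assigned one so that the sender role grant can exist before IoT Hub validates the identity-based endpoint.

```bicep
// Added example: IoT Hub -> routed Event Hub -> managed-identity consumer, with no SAS keys.
// Not part of the issue thread or the azure-docs project. Names below are assumed.

@description('Principal (object) ID of the VM / Function / Web App identity that will consume. Assumed input.')
param consumerPrincipalId string
param location string = resourceGroup().location
param baseName string = 'iotrouting' // assumed name prefix

// Built-in Azure RBAC role definition IDs (fixed across subscriptions)
var ehDataSenderRoleId = '2b629674-e913-4c01-ae53-ef4638d8f975'   // Azure Event Hubs Data Sender
var ehDataReceiverRoleId = 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde' // Azure Event Hubs Data Receiver

// 1. The "additional Event Hub" from the thread. Local (key) auth is disabled so only
//    Azure AD identities with an RBAC grant can send to or receive from it.
resource ehNamespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' = {
  name: '${baseName}-ehns'
  location: location
  sku: { name: 'Standard', tier: 'Standard' }
  properties: { disableLocalAuth: true }
}

resource routedHub 'Microsoft.EventHub/namespaces/eventhubs@2022-10-01-preview' = {
  parent: ehNamespace
  name: 'telemetry'
  properties: { partitionCount: 2, messageRetentionInDays: 1 }
}

// 2. Identity IoT Hub will use for routing (user-assigned, so the grant can precede the hub).
resource routingIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${baseName}-routing-id'
  location: location
}

// IoT Hub's identity may only *send*, and only to this one hub (least privilege).
resource senderGrant 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(routedHub.id, routingIdentity.id, ehDataSenderRoleId)
  scope: routedHub
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', ehDataSenderRoleId)
    principalId: routingIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

// The consumer's identity may only *receive*, and only from this one hub.
resource receiverGrant 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(routedHub.id, consumerPrincipalId, ehDataReceiverRoleId)
  scope: routedHub
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', ehDataReceiverRoleId)
    principalId: consumerPrincipalId
    principalType: 'ServicePrincipal'
  }
}

// 3. IoT Hub with an identity-based routing endpoint; every device message goes to the routed hub.
resource iotHub 'Microsoft.Devices/IotHubs@2023-06-30' = {
  name: '${baseName}-hub'
  location: location
  sku: { name: 'S1', capacity: 1 }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${routingIdentity.id}': {} }
  }
  dependsOn: [ senderGrant ] // endpoint validation needs the Data Sender grant already in place
  properties: {
    routing: {
      endpoints: {
        eventHubs: [
          {
            name: 'routedTelemetry'
            authenticationType: 'identityBased'
            identity: { userAssignedIdentity: routingIdentity.id }
            endpointUri: 'sb://${ehNamespace.name}.servicebus.windows.net'
            entityPath: routedHub.name
            subscriptionId: subscription().subscriptionId
            resourceGroup: resourceGroup().name
          }
        ]
      }
      routes: [
        {
          name: 'allTelemetryToEventHub'
          source: 'DeviceMessages'
          condition: 'true'
          endpointNames: [ 'routedTelemetry' ]
          isEnabled: true
        }
      ]
      // Anything a route does not match still lands on the built-in endpoint (key-auth only).
      fallbackRoute: {
        name: '$fallback'
        source: 'DeviceMessages'
        condition: 'true'
        endpointNames: [ 'events' ]
        isEnabled: true
      }
    }
  }
}
```

After deployment the consuming VM, Function or Web App opens the routed hub with the Event Hubs SDK using a token credential (for example `EventHubConsumerClient` with `DefaultAzureCredential`) and the namespace FQDN, so no connection string or shared access key is stored anywhere. Because `disableLocalAuth` is set on the namespace, a leaked key could not be used against the routed hub even if one were generated, and each identity holds exactly one role on exactly one hub. The cost of the extra Event Hub is the trade-off the thread already notes.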

aseminjakiw commented 3 years ago

Thank you for the clarification.

akakaule commented 1 year ago

I'm about to use the IoT Hub and the built-in endpoint with Azure Functions consuming data and would like to be able to use Managed Identity for auth. Any updates whether the IoT Hub supports this?

emmanuel-bv commented 1 year ago

Sorry, this scenario is still not supported. Recommended workaround is to use an additional Event Hub (option #2 from above comment).

arjendenhartog commented 1 year ago

I also would like to use Managed Identity for auth.

This issue is closed. Can I somehow see if an issue is closed because it is rejected or because it is implemented?

mwalser commented 10 months ago

Same here, we would really like to use a managed identity for authentication to the built-in event hub. Are there any updates since that feature is supposedly on the roadmap since 2020?