MicrosoftDocs
diff --git a/‎articles/event-hubs/event-hubs-managed-service-identity.md
Lines changed: 22 additions & 2 deletions b/‎articles/event-hubs/event-hubs-managed-service-identity.md
Lines changed: 22 additions & 2 deletions
diff --git a/‎articles/event-hubs/event-hubs-role-based-access-control.md
Lines changed: 7 additions & 2 deletions b/‎articles/event-hubs/event-hubs-role-based-access-control.md
Lines changed: 7 additions & 2 deletions
diff --git a/‎articles/event-hubs/media/event-hubs-managed-service-identity/add-role-assignment-button.png
97.4 KB b/‎articles/event-hubs/media/event-hubs-managed-service-identity/add-role-assignment-button.png
97.4 KB
diff --git a/‎articles/event-hubs/media/event-hubs-managed-service-identity/add-role-assignment-dialog.png
21.2 KB b/‎articles/event-hubs/media/event-hubs-managed-service-identity/add-role-assignment-dialog.png
21.2 KB
diff --git a/‎articles/event-hubs/media/event-hubs-managed-service-identity/role-assignments.png
50 KB b/‎articles/event-hubs/media/event-hubs-managed-service-identity/role-assignments.png
50 KB
diff --git a/‎articles/role-based-access-control/built-in-roles.md
Lines changed: 17 additions & 0 deletions b/‎articles/role-based-access-control/built-in-roles.md
Lines changed: 17 additions & 0 deletions
@@ -10,7 +10,7 @@ ms.service: event-hubs
 ms.devlang: na
 ms.topic: article
 ms.custom: seodec18
-ms.date: 12/06/2018
+ms.date: 05/20/2019
 ms.author: shvija
 
 ---
@@ -24,8 +24,28 @@ With managed identities, the Azure platform manages this runtime identity. You d
 Once it is associated with a managed identity, an Event Hubs client can do all authorized operations. Authorization is granted by associating a managed identity with Event Hubs roles. 
 
 ## Event Hubs roles and permissions
+You can add a managed identity to the **Event Hubs Data Owner** role of an Event Hubs namespace. This role grants the identity, full control (for management and data operations) on all entities in the namespace.
 
-You can only add a managed identity to the "Owner" or "Contributor" roles of an Event Hubs namespace, which grants the identity full control on all entities in the namespace. However, management operations that change the namespace topology are initially supported only though Azure Resource Manager. It's not through the native Event Hubs REST management interface. This support also means that you cannot use the .NET Framework client [NamespaceManager](/dotnet/api/microsoft.servicebus.namespacemanager) object within a managed identity. 
+>[!IMPORTANT]
+> We earlier supported adding managed identity to the **Owner** or **Contributor** role. However, data access privileges for **Owner** and **Contributor** role are no longer honored. If you are using the **Owner** or **Contributor** role, switch to using the **Event Hubs Data Owner** role.
+
+To use the new built-in role, follow these steps: 
+
+1. Navigate to the [Azure portal](https://portal.azure.com)
+2. Navigate to the Event Hubs namespace.
+3. On the **Event Hubs Namespace** page, select **Access Control(IAM)** from the left menu.
+4. On the **Access Control (IAM)** page, select **Add** in the **Add a role assignment** section. 
+
+    ![Add a role assignment button](./media/event-hubs-managed-service-identity/add-role-assignment-button.png)
+5. On the **Add role assignment** page, do the following steps: 
+    1. For **Role**, select **Azure Event Hubs Data Owner**. 
+    2. Select the **identity** to be added to the role.
+    3. Select **Save**. 
+
+        ![Event Hubs Data Owner role](./media/event-hubs-managed-service-identity/add-role-assignment-dialog.png)
+6. Switch to the **Role assignments** page and confirm that the user is added to the **Azure Event Hubs Data Owner** role. 
+
+    ![Confirm user is added to the role](./media/event-hubs-managed-service-identity/role-assignments.png)
 
 ## Use Event Hubs with managed identities for Azure Resources
 
 
@@ -10,7 +10,7 @@ ms.service: event-hubs
 ms.devlang: na
 ms.topic: article
 ms.custom: seodec18
-ms.date: 12/06/2018
+ms.date: 05/21/2019
 ms.author: shvija
 
 ---
@@ -24,8 +24,13 @@ For Azure Event Hubs, the management of namespaces and all related resources thr
 An application that uses Azure AD RBAC does not need to handle SAS rules and keys or any other access tokens specific to Event Hubs. The client app interacts with Azure AD to establish an authentication context, and acquires an access token for Event Hubs. With domain user accounts that require interactive login, the application never handles any credentials directly.
 
 ## Event Hubs roles and permissions
+Azure provides the following built-in RBAC roles for authorizing access to an Event Hubs namespace:
+
+The [Event Hubs Data Owner (Preview)](../role-based-access-control/built-in-roles.md#service-bus-data-owner) role enables data access to an Event Hubs namespace and its entities (queues, topics, subscriptions, and filters)
+
+>[!IMPORTANT]
+> We earlier supported adding managed identity to the **Owner** or **Contributor** role. However, data access privileges for **Owner** and **Contributor** role are no longer honored. If you are using the **Owner** or **Contributor** role, switch to using the **Event Hubs Data Owner** role.
 
-For the initial public preview, you can only add Azure AD accounts and service principals to the "Owner" or "Contributor" roles of an Event Hubs namespace. This operation grants the identity full control over all entities in the namespace. Management operations that change the namespace topology are initially only supported though Azure resource management and not through the native Event Hubs REST management interface. This support also means that the .NET Framework client [NamespaceManager](/dotnet/api/microsoft.servicebus.namespacemanager) object cannot be used with an Azure AD account.  
 
 ## Use Event Hubs with an Azure AD domain user account
 
 
@@ -84,6 +84,7 @@ The following table provides a brief description of each built-in role. Click th
 | [DevTest Labs User](#devtest-labs-user) | Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. |
 | [DNS Zone Contributor](#dns-zone-contributor) | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. |
 | [DocumentDB Account Contributor](#documentdb-account-contributor) | Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB. |
+| [Event Hubs Data Owner](#event-hubs-data-owner) | Allows full access to Azure Event Hubs resources | 
 | [EventGrid EventSubscription Contributor](#eventgrid-eventsubscription-contributor) | Lets you manage EventGrid event subscription operations. |
 | [EventGrid EventSubscription Reader](#eventgrid-eventsubscription-reader) | Lets you read EventGrid event subscriptions. |
 | [HDInsight Cluster Operator](#hdinsight-cluster-operator) | Lets you read and modify HDInsight cluster configurations. |
@@ -1404,6 +1405,22 @@ The following table provides a brief description of each built-in role. Click th
 > | **NotDataActions** |  |
 > | *none* |  |
 
+## Event Hubs Data Owner
+
+> [!div class="mx-tableFixed"]
+> | | |
+> | --- | --- |
+> | **Description** | Allows for full access to Azure Event Hubs resources. |
+> | **Id** | f526a384-b230-433a-b45c-95f59c4a2dec |
+> | **Actions** |  |
+> | Microsoft.EventHubs/* | Allows full management access to Event Hubs namespace |
+> | **NotActions** |  |
+> | *none* |  |
+> | **DataActions** |  |
+> | Microsoft.EventHubs/* | Allows full data access to Event Hubs namespace |
+> | **NotDataActions** |  |
+> | *none* |  |
+
 ## EventGrid EventSubscription Contributor
 > [!div class="mx-tableFixed"]
 > | | |