Merge pull request #248643 from veyaddan/vy-mqtt-qs-0525

JWT and RBAC

Author: v-dirichards

articles/event-grid/.openpublishing.redirection.event-grid.json

@@ -285,6 +285,11 @@
       "redirect_url": "/azure/event-grid/partner-events-overview-for-partners",
       "redirect_document_id": false
     },
+    {
+      "source_path": "mqtt-client-authorization-use-rbac.md",
+      "redirect_url": "/azure/event-grid/mqtt-client-azure-ad-token-and-rbac",
+      "redirect_document_id": false
+    },
     {
       "source_path": "event-schema-farmbeats.md",
       "redirect_url": "/azure/event-grid/system-topics",

articles/event-grid/media/mqtt-rbac-authorization-aad-clients/event-grid-custom-role-permissions-data-actions.png renamed to articles/event-grid/media/mqtt-client-azure-ad-token-and-rbac/event-grid-custom-role-permissions-data-actions.png

@@ -0,0 +1,144 @@
+---
+title: JWT authentication and RBAC authorization for clients with Azure AD identity
+description: Describes JWT authentication and RBAC roles to authorize clients with Azure AD identity to publish or subscribe MQTT messages
+ms.topic: conceptual
+ms.date: 8/11/2023
+author: veyaddan
+ms.author: veyaddan
+---
+
+# Authenticating and Authorizing access to publish or subscribe to MQTT messages
+You can authenticate MQTT clients with Azure AD JWT to connect to Event Grid namespace.  You can use Azure role-based access control (Azure RBAC) to enable MQTT clients, with Azure Active Directory identity, to publish or subscribe access to specific topic spaces.
+
+> [!IMPORTANT]
+> This feature is supported only when using MQTT v5
+
+## Prerequisites
+- You need an Event Grid namespace with MQTT enabled.  Learn about [creating Event Grid namespace](/azure/event-grid/create-view-manage-namespaces#create-a-namespace)
+- Review the process to [create a custom role](/azure/role-based-access-control/custom-roles-portal)
+
+
+## Authentication using Azure AD JWT
+You can use the MQTT v5 CONNECT packet to provide the Azure AD JWT token to authenticate your client, and you can use the MQTT v5 AUTH packet to refresh the token.  
+
+In CONNECT packet, you can provide required values in the following fields:
+
+|Field  | Value  |
+|---------|---------|
+|Authentication Method | OAUTH2-JWT |
+|Authentication Data | JWT token |
+
+In AUTH packet, you can provide required values in the following fields:
+
+|Field | Value |
+|---------|---------|
+| Authentication Method | OAUTH2-JWT |
+| Authentication Data | JWT token |
+| Authentication Reason Code | 25 |
+ 
+Authenticate Reason Code with value 25 signifies reauthentication.
+
+> [!NOTE]
+> Audience: “aud” claim must be set to "https://eventgrid.azure.net/".
+
+## Authorization to grant access permissions
+A client using Azure AD based JWT authentication needs to be authorized to communicate with the Event Grid namespace.  You can create custom roles to enable the client to communicate with Event Grid instances in your resource group, and then assign the roles to the client.  You can use following two data actions to provide publish or subscribe permissions, to clients with Azure AD identities, on specific topic spaces.
+
+**Topic spaces publish** data action
+Microsoft.EventGrid/topicSpaces/publish/action
+
+**Topic spaces subscribe** data action
+Microsoft.EventGrid/topicSpaces/subscribe/action
+
+> [!NOTE]
+> Currently, we recommend using custom roles with the actions provided.
+
+### Custom roles
+
+You can create custom roles using the publish and subscribe actions.
+
+The following are sample role definitions that allow you to publish and subscribe to MQTT messages.  These custom roles give permissions at topic space scope.  You can also create roles to provide permissions at subscription, resource group scope.
+
+**EventGridMQTTPublisherRole.json**: MQTT messages publish operation.
+
+```json
+{
+  "roleName": "Event Grid namespace MQTT publisher",
+  "description": "Event Grid namespace MQTT message publisher role",
+  "assignableScopes": [
+    "/subscriptions/<subscription ID>/resourceGroups/<resource group name>/Microsoft.EventGrid/namespaces/<namespace name>/topicSpaces/<topicspace name>"
+  ],
+  "permissions": [
+      {
+          "actions": [],
+          "notActions": [],
+          "dataActions": [
+              "Microsoft.EventGrid/topicSpaces/publish/action"
+          ],
+          "notDataActions": []
+      }
+  ]
+}
+```
+
+**EventGridMQTTSubscriberRole.json**: MQTT messages subscribe operation.
+
+```json
+{
+  "roleName": "Event Grid namespace MQTT subscriber",
+  "description": "Event Grid namespace MQTT message subscriber role",
+  "assignableScopes": [
+    "/subscriptions/<subscription ID>/resourceGroups/<resource group name>/Microsoft.EventGrid/namespaces/<namespace name>/topicSpaces/<topicspace name>"
+  ]
+  "permissions": [
+      {
+          "actions": [],
+          "notActions": [],
+          "dataActions": [
+              "Microsoft.EventGrid/topicSpaces/subscribe/action"
+          ],
+          "notDataActions": []
+      }
+  ]
+}
+```
+
+## Create custom roles
+1. Navigate to topic spaces page in your Event Grid namespace
+1. Select the topic space for which the custom RBAC role needs to be created
+1. Navigate to the Access control (IAM) page within the topic space
+1. In the Roles tab, right select any of the roles to clone a new custom role.  Provide the custom role name.
+1. Switch the Baseline permissions to **Start from scratch**
+1. On the Permissions tab, select **Add permissions**
+1. In the selection page, find and select Microsoft Event Grid
+    :::image type="content" source="./media/mqtt-client-azure-ad-token-and-rbac/event-grid-custom-role-permissions.png" lightbox="./media/mqtt-client-azure-ad-token-and-rbac/event-grid-custom-role-permissions.png" alt-text="Screenshot showing the Microsoft Event Grid option to find the permissions.":::
+1. Navigate to Data Actions
+1. Select **Topic spaces publish** data action and select **Add**
+    :::image type="content" source="./media/mqtt-client-azure-ad-token-and-rbac/event-grid-custom-role-permissions-data-actions.png" lightbox="./media/mqtt-client-azure-ad-token-and-rbac/event-grid-custom-role-permissions-data-actions.png" alt-text="Screenshot showing the data action selection.":::
+1. Select Next to see the topic space in the Assignable scopes tab.  You can add other assignable scopes if needed.
+1. Select **Create** in Review + create tab to create the custom role.
+1. Once the custom role is created, you can assign the role to an identity to provide the publish permission on the topic space.  You can learn how to assign roles [here](/azure/role-based-access-control/role-assignments-portal).
+
+## Assign the custom role to your Azure AD identity
+1. In the Azure portal, navigate to your Event Grid namespace
+1. Navigate to the topic space to which you want to authorize access.
+1. Go to the Access control (IAM) page of the topic space
+1. Select the **Role assignments** tab to view the role assignments at this scope.
+1. Select **+ Add** and Add role assignment.
+1. On the Role tab, select the role that you created in the previous step.
+1. On the Members tab, select User, group, or service principal to assign the selected role to one or more service principals (applications).
+    - Users and groups work when user/group belong to fewer than 200 groups.
+1. Select **Select members**.
+1. Find and select the users, groups, or service principals.
+1. Select **Review + assign** on the Review + assign tab.
+
+> [!NOTE]
+> You can follow similar steps to create and assign a custom Event Grid MQTT subscriber permission to a topic space.
+
+## Next steps
+- See [Publish and subscribe to MQTT message using Event Grid](mqtt-publish-and-subscribe-portal.md)
+- To learn more about how Managed Identities work, you can refer to [How managed identities for Azure resources work with Azure virtual machines - Microsoft Entra](/azure/active-directory/managed-identities-azure-resources/how-managed-identities-work-vm)  
+- To learn more about how to obtain tokens from Azure AD, you can refer to [obtaining Azure AD tokens](/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token)
+- To learn more about Azure Identity client library, you can refer to [using Azure Identity client library](/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-the-azure-identity-client-library)
+- To learn more about implementing an interface for credentials that can provide a token, you can refer to [TokenCredential Interface](/java/api/com.azure.core.credential.tokencredential)
+- To learn more about how to authenticate using Azure Identity, you can refer to [examples](https://github.com/Azure/azure-sdk-for-java/wiki/Azure-Identity-Examples)

articles/event-grid/media/mqtt-rbac-authorization-aad-clients/event-grid-custom-role-permissions.png renamed to articles/event-grid/media/mqtt-client-azure-ad-token-and-rbac/event-grid-custom-role-permissions.png

@@ -70,7 +70,8 @@ step certificate fingerprint client1-authnID.pem
 1. On the Review + create tab of the Create namespace page, select **Create**.
 
     > [!NOTE]
-    > To keep the QuickStart simple, you'll be using only the Basics page to create a namespace. For detailed steps about configuring network, security, and other settings on other pages of the wizard, see Create a Namespace.    
+    > To keep the QuickStart simple, you'll be using only the Basics page to create a namespace. For detailed steps about configuring network, security, and other settings on other pages of the wizard, see Create a Namespace.
+
 1. After the deployment succeeds, select **Go to resource** to navigate to the Event Grid Namespace Overview page for your namespace.  
 1. In the Overview page, you see that the MQTT is in Disabled state.  To enable MQTT, select the **Disabled** link, it will redirect you to Configuration page.
 1. On Configuration page, select the Enable MQTT option, and Apply the settings.
@@ -88,7 +89,7 @@ step certificate fingerprint client1-authnID.pem
 
     :::image type="content" source="./media/mqtt-publish-and-subscribe-portal/mqtt-client1-metadata.png" alt-text="Screenshot of client 1 configuration.":::
 6. Select **Create** to create the client.
-7. Repeat the above steps to create another client called “client2”.  
+7. Repeat the above steps to create another client called "client2".  
 
     :::image type="content" source="./media/mqtt-publish-and-subscribe-portal/mqtt-client2-metadata.png" alt-text="Screenshot of client 2 configuration.":::
 
@@ -119,7 +120,7 @@ step certificate fingerprint client1-authnID.pem
         :::image type="content" source="./media/mqtt-publish-and-subscribe-portal/create-permission-binding-1.png" alt-text="Screenshot showing creation of first permission binding.":::
 4. Select **Create** to create the permission binding.
 5. Create one more permission binding by selecting **+ Permission binding** on the toolbar.
-6. Provide a name and give $all client group Subscriber access to the Topicspace1 as shown.
+6. Provide a name and give $all client group Subscriber access to the "Topicspace1" as shown.
 
     :::image type="content" source="./media/mqtt-publish-and-subscribe-portal/create-permission-binding-2.png" alt-text="Screenshot showing creation of second permission binding.":::
 7. Select **Create** to create the permission binding.
@@ -152,7 +153,7 @@ step certificate fingerprint client1-authnID.pem
     :::image type="content" source="./media/mqtt-publish-and-subscribe-portal/mqttx-app-client1-configuration-2.png" alt-text="Screenshot showing client 1 configuration part 2 on MQTTX app.":::
 
 1. Select Connect to connect the client to the Event Grid MQTT service.
-1. Repeat the above steps to connect the second client “client2”, with corresponding authentication information as shown.
+1. Repeat the above steps to connect the second client "client2", with corresponding authentication information as shown.
 
     :::image type="content" source="./media/mqtt-publish-and-subscribe-portal/mqttx-app-client2-configuration-1.png" alt-text="Screenshot showing client 2 configuration part 1 on MQTTX app.":::
 

articles/event-grid/mqtt-client-authorization-use-rbac.md

@@ -52,8 +52,8 @@ items:
         href: mqtt-support.md
       - name: MQTT clients life cycle events
         href: mqtt-client-life-cycle-events.md
-      - name: RBAC roles to authorize clients with Azure AD identity
-        href: mqtt-client-authorization-use-rbac.md
+      - name: JWT authentication and RBAC authorization for clients with Azure AD identity
+        href: mqtt-client-azure-ad-token-and-rbac.md
       - name: Use cases
         items:
         - name: Automotive Messaging
@@ -135,7 +135,7 @@ items:
       - name: Create, view, and manage event subscriptions
         href: create-view-manage-event-subscriptions.md
       - name: Enable managed identity for namespace
-        href: event-grid-namespace-managed-identity.md        
+        href: event-grid-namespace-managed-identity.md         
     - name: Reference
       items:
       - name: SDKs