Merge pull request #217977 from alexwolfmsft/event-hub-passwordless-quickstart

Event Hubs Passwordless Flow

Author: 19BMG00

articles/event-hubs/event-hubs-dotnet-standard-getstarted-send.md

@@ -40,7 +40,8 @@ You can authorize access to the service bus namespace using the following steps:
 1. Launch Visual Studio. If you see the **Get started** window, select the **Continue without code** link in the right pane.
 1. Select the **Sign in** button in the top right of Visual Studio.
 
-    :::image type="content" source="./media/service-bus-dotnet-get-started-with-queues/azure-sign-button-visual-studio.png" alt-text="Screenshot showing the button to sign in to Azure using Visual Studio.":::
+    :::image type="content" source="./media/service-bus-dotnet-get-started-with-queues/azure-sign-button-visual-studio.png" alt-text="Screenshot showing a button to sign in to Azure using Visual Studio.":::
+
 1. Sign-in using the Azure AD account you assigned a role to previously.
 
     :::image type="content" source="..//storage/blobs/media/storage-quickstart-blobs-dotnet/sign-in-visual-studio-account-small.png" alt-text="Screenshot showing the account selection.":::

articles/service-bus-messaging/service-bus-dotnet-get-started-with-queues.md

@@ -0,0 +1,81 @@
+---
+title: "include file"
+description: "include file"
+services: storage
+author: alexwolfmsft
+ms.service: storage
+ms.topic: include
+ms.date: 09/09/2022
+ms.author: alexwolf
+ms.custom: include file
+---
+
+When developing locally, make sure that the user account that connects to Azure Event Hubs has the correct permissions. You'll need the [Azure Event Hubs Data Owner](../../../articles/role-based-access-control/built-in-roles.md#azure-event-hubs-data-owner) role in order to send and receive messages. To assign yourself this role, you'll need the User Access Administrator role, or another role that includes the `Microsoft.Authorization/roleAssignments/write` action. You can assign Azure RBAC roles to a user using the Azure portal, Azure CLI, or Azure PowerShell. Learn more about the available scopes for role assignments on the [scope overview](/azure/role-based-access-control/scope-overview) page.
+
+The following example assigns the `Azure Event Hubs Data Owner` role to your user account, which provides full access to Azure Event Hubs resources. In a real scenario, follow the [Principle of Least Privilege](/azure/active-directory/develop/secure-least-privileged-access) to give users only the minimum permissions needed for a more secure production environment.
+
+### Azure built-in roles for Azure Event Hubs
+For Azure Event Hubs, the management of namespaces and all related resources through the Azure portal and the Azure resource management API is already protected using the Azure RBAC model. Azure provides the below Azure built-in roles for authorizing access to an Event Hubs namespace:
+
+- [Azure Event Hubs Data Owner](../../../articles/role-based-access-control/built-in-roles.md#azure-event-hubs-data-owner): Enables data access to Event Hubs namespace and its entities (queues, topics, subscriptions, and filters)
+- [Azure Event Hubs Data Sender](../../../articles/role-based-access-control/built-in-roles.md#azure-event-hubs-data-sender): Use this role to give the sender access to Event Hubs namespace and its entities.
+- [Azure Event Hubs Data Receiver](../../../articles/role-based-access-control/built-in-roles.md#azure-event-hubs-data-receiver): Use this role to give the receiver access to Event Hubs namespace and its entities.
+
+If you want to create a custom role, see [Rights required for Event Hubs operations](../../../articles/service-bus-messaging/service-bus-sas.md#rights-required-for-service-bus-operations).
+
+> [!IMPORTANT]
+> In most cases, it will take a minute or two for the role assignment to propagate in Azure. In rare cases, it may take up to eight minutes. If you receive authentication errors when you first run your code, wait a few moments and try again.
+
+### [Azure portal](#tab/roles-azure-portal)
+
+1. In the Azure portal, locate your Event Hubs namespace using the main search bar or left navigation.
+
+2. On the overview page, select **Access control (IAM)** from the left-hand menu.	
+
+3. On the **Access control (IAM)** page, select the **Role assignments** tab.
+
+4. Select **+ Add** from the top menu and then **Add role assignment** from the resulting drop-down menu.
+
+    :::image type="content" source="media/event-hub-assign-roles/add-role.png" alt-text="A screenshot showing how to assign a role.":::    
+
+5. Use the search box to filter the results to the desired role. For this example, search for `Azure Event Hubs Data Owner` and select the matching result. Then choose **Next**.
+
+6. Under **Assign access to**, select **User, group, or service principal**, and then choose **+ Select members**.
+
+7. In the dialog, search for your Azure AD username (usually your *user@domain* email address) and then choose **Select** at the bottom of the dialog. 
+
+8. Select **Review + assign** to go to the final page, and then **Review + assign** again to complete the process.
+
+### [Azure CLI](#tab/roles-azure-cli)
+
+To assign a role at the resource level using the Azure CLI, you first must retrieve the resource ID using the `az servicebus namespace show` command. You can filter the output properties using the `--query` parameter. 
+
+```azurecli
+az servicebus namespace show -g '<your-event-hub-resource-group>' -n '<your-event-hub-name> --query id
+```
+
+Copy the output `Id` from the preceding command. You can then assign roles using the [az role](/cli/azure/role) command of the Azure CLI.
+
+```azurecli
+az role assignment create --assignee "<user@domain>" \
+--role "Azure Event Hubs Data Owner" \
+--scope "<your-resource-id>"
+```
+
+### [PowerShell](#tab/roles-powershell)
+
+To assign a role at the resource level using Azure PowerShell, you first must retrieve the resource ID using the `Get-AzResource` command.
+
+```azurepowershell
+Get-AzResource -ResourceGroupName "<your-event-hub-resource-group>" -Name "<your-event-hub-name>"
+```
+
+Copy the `Id` value from the preceding command output. You can then assign roles using the [New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment) command in PowerShell.
+
+```azurepowershell
+New-AzRoleAssignment -SignInName <user@domain> `
+-RoleDefinitionName "Azure Event Hubs Data Owner" `
+-Scope <yourStorageAccountId>
+```
+
+--- 

includes/passwordless/event-hub/event-hub-assign-roles.md

@@ -0,0 +1,45 @@
+---
+ title: include file
+ description: include file
+ services: service-bus-messaging
+ author: spelluru
+ ms.service: service-bus-messaging
+ ms.topic: include
+ ms.date: 04/26/2022
+ ms.author: spelluru
+ ms.custom: include file
+---
+
+## Create a namespace in the Azure portal
+To begin using Event Hubs messaging entities in Azure, you must first create a namespace with a name that is unique across Azure. A namespace provides a scoping container for Event Hubs resources within your application.
+
+To create a namespace:
+
+1. Sign in to the [Azure portal](https://portal.azure.com)
+2. In the left navigation pane of the portal, select **+ Create a resource**, select **Integration**, and then select **Event Hubs**.
+
+    :::image type="content" source="./media/service-bus-create-namespace-portal/create-resource-service-bus-menu.png" alt-text="Screenshot of the selection of Create a resource, Integration, and then Event Hubs in the menu.":::
+3. In the **Basics** tag of the **Create namespace** page, follow these steps: 
+    1. For **Subscription**, choose an Azure subscription in which to create the namespace.
+    1. For **Resource group**, choose an existing resource group in which the namespace will live, or create a new one.      
+    1. Enter a **name for the namespace**. The namespace name should adhere to the following naming conventions:
+        - The name must be unique across Azure. The system immediately checks to see if the name is available. 
+        - The name length is at least 6 and at most 50 characters.
+        - The name can contain only letters, numbers, and hyphens ("-").
+        - The name must start with a letter and end with a letter or number.
+        - The name doesn't end with "-sb" or "-mgmt".
+    1. For **Location**, choose the region in which your namespace should be hosted.
+    1. For **Pricing tier**, select the pricing tier (Basic, Standard, or Premium) for the namespace. For this quickstart, select **Standard**. 
+
+        If you selected the **Premium** pricing tier, specify the number of **messaging units**. The premium tier provides resource isolation at the CPU and memory level so that each workload runs in isolation. This resource container is called a messaging unit. A premium namespace has at least one messaging unit. You can select 1, 2, 4, 8 or 16 messaging units for each Event Hubs Premium namespace. For more information, see [Event Hubs Premium Messaging](../../../articles/service-bus-messaging/service-bus-premium-messaging.md).
+
+    1. Select **Review + create**. The system now creates your namespace and enables it. You might have to wait several minutes for the system to provision resources for your account.
+   
+        :::image type="content" source="./media/service-bus-create-namespace-portal/create-namespace.png" alt-text="Screenshot of the Create a namespace page.":::
+    1. On the **Create** page, review settings, and select **Create**. 
+4. Select **Go to resource** on the deployment page. 
+
+    :::image type="content" source="./media/service-bus-create-namespace-portal/deployment-alert.png" alt-text="Screenshot of the deployment succeeded page with the Go to resource link.":::
+5. You see the home page for your Event Hubs namespace. 
+
+    :::image type="content" source="./media/service-bus-create-namespace-portal/service-bus-namespace-home-page.png" alt-text="Screenshot of the home page of the Event Hubs namespace created." :::

includes/passwordless/event-hub/event-hub-create-namespace-portal-passwordless.md

@@ -0,0 +1,49 @@
+---
+title: "include file"
+description: "include file"
+services: storage
+author: alexwolfmsft
+ms.service: storage
+ms.topic: include
+ms.date: 09/09/2022
+ms.author: alexwolf
+ms.custom: include file
+---
+
+This quick start shows you two ways of connecting to Azure Event Hubs: passwordless and connection string. The first option shows you how to use your security principal in Azure Active Directory and role-based access control (RBAC) to connect to an Event Hubs namespace. You don't need to worry about having hard-coded connection strings in your code or in a configuration file or in a secure storage like Azure Key Vault. The second option shows you how to use a connection string to connect to an Event Hubs namespace. If you're new to Azure, you may find the connection string option easier to follow. We recommend using the passwordless option in real-world applications and production environments. For more information, see [Authentication and authorization](../../../articles/service-bus-messaging/service-bus-authentication-and-authorization.md). You can also read more about passwordless authentication on the [overview page](/azure/sdk/authentication?tabs=command-line).
+
+## [Passwordless](#tab/passwordless)
+
+### Assign roles to your Azure AD user
+
+[!INCLUDE [event-hub-assign-roles](event-hub-assign-roles.md)]
+
+## Launch Visual Studio and sign-in to Azure
+
+You can authorize access to the service bus namespace using the following steps:
+
+1. Launch Visual Studio. If you see the **Get started** window, select the **Continue without code** link in the right pane.
+1. Select the **Sign in** button in the top right of Visual Studio.
+
+    :::image type="content" source="../../../articles/service-bus-messaging/media/service-bus-dotnet-get-started-with-queues/azure-sign-button-visual-studio.png" alt-text="Screenshot showing a button to sign in to Azure using Visual Studio.":::
+
+1. Sign-in using the Azure AD account you assigned a role to previously.
+
+    :::image type="content" source="../../../articles/storage/blobs/media/storage-quickstart-blobs-dotnet/sign-in-visual-studio-account-small.png" alt-text="Screenshot showing the account selection.":::
+
+## [Connection String](#tab/connection-string)
+
+## Get the connection string 
+Creating a new namespace automatically generates an initial Shared Access Signature (SAS) policy with primary and secondary keys and connection strings that each grant full control over all aspects of the namespace. See [Event Hubs authentication and authorization](../../../articles/service-bus-messaging/service-bus-authentication-and-authorization.md) for information about how to create rules with more constrained rights for regular senders and receivers. 
+
+A client can use the connection string to connect to the Event Hubs namespace. To copy the primary connection string for your namespace, follow these steps: 
+
+1. On the **Event Hub Namespace** page, select **Shared access policies** on the left menu.
+3. On the **Shared access policies** page, select **RootManageSharedAccessKey**.
+4. In the **Policy: RootManageSharedAccessKey** window, select the copy button next to **Primary Connection String**, to copy the connection string to your clipboard for later use. Paste this value into Notepad or some other temporary location.
+   
+    :::image type="content" source="./media/event-hub-passwordless-template-tabbed/connection-string.png"alt-text="Screenshot shows an SAS policy called RootManageSharedAccessKey, which includes keys and connection strings.":::
+
+    You can use this page to copy primary key, secondary key, primary connection string, and secondary connection string. 
+
+---

includes/passwordless/event-hub/event-hub-passwordless-template-tabbed.md

@@ -0,0 +1,23 @@
+---
+title: "include file"
+description: "include file"
+services: storage
+author: alexwolfmsft
+ms.service: storage
+ms.topic: include
+ms.date: 10/21/2022
+ms.author: alexwolf
+ms.custom: include file
+---
+
+Creating a new namespace automatically generates an initial Shared Access Signature (SAS) policy with primary and secondary keys, and primary and secondary connection strings that each grant full control over all aspects of the namespace. See [Service Bus authentication and authorization](../../../articles/event-hub-messaging/event-hub-authentication-and-authorization.md) for information about how to create rules with more constrained rights for regular senders and receivers. 
+
+To copy the primary connection string for your namespace, follow these steps: 
+
+1. On the **Event Hubs Namespace** page, select **Shared access policies** on the left menu.
+2. On the **Shared access policies** page, select **RootManageSharedAccessKey**.
+3. In the **Policy: RootManageSharedAccessKey** window, select the copy button next to **Primary Connection String**, to copy the connection string to your clipboard for later use. Paste this value into Notepad or some other temporary location.
+   
+    :::image type="content" source="../../../articles/event-hub-messaging/includes/media/event-hub-create-namespace-portal/connection-string.png" alt-text="Screenshot shows an SAS policy called RootManageSharedAccessKey, which includes keys and connection strings.":::
+
+    You can use this page to copy primary key, secondary key, primary connection string, and secondary connection string. 

includes/passwordless/event-hub/event-hub-retrieve-connection-string.md

@@ -0,0 +1,74 @@
+---
+title: "include file"
+description: "include file"
+services: storage
+author: alexwolfmsft
+ms.service: storage
+ms.topic: include
+ms.date: 10/11/2022
+ms.author: alexwolf
+ms.custom: include file
+---
+
+When developing locally, make sure that the user account that is accessing blob data has the correct permissions. You'll need **Storage Blob Data Contributor** to read and write blob data. To assign yourself this role, you'll need to be assigned the **User Access Administrator** role, or another role that includes the **Microsoft.Authorization/roleAssignments/write** action. You can assign Azure RBAC roles to a user using the Azure portal, Azure CLI, or Azure PowerShell. You can learn more about the available scopes for role assignments on the [scope overview](../../../articles/role-based-access-control/scope-overview.md) page.
+
+In this scenario, you'll assign permissions to your user account, scoped to the storage account, to follow the [Principle of Least Privilege](../../../articles/active-directory/develop/secure-least-privileged-access.md). This practice gives users only the minimum permissions needed and creates more secure production environments.
+
+The following example will assign the **Storage Blob Data Contributor** role to your user account, which provides both read and write access to blob data in your storage account.
+
+> [!IMPORTANT]
+> In most cases it will take a minute or two for the role assignment to propagate in Azure, but in rare cases it may take up to eight minutes. If you receive authentication errors when you first run your code, wait a few moments and try again.
+
+### [Azure portal](#tab/roles-azure-portal)
+
+1. In the Azure portal, locate your storage account using the main search bar or left navigation.
+
+2. On the storage account overview page, select **Access control (IAM)** from the left-hand menu.
+
+3. On the **Access control (IAM)** page, select the **Role assignments** tab.
+
+4. Select **+ Add** from the top menu and then **Add role assignment** from the resulting drop-down menu.
+
+    :::image type="content" source="../../../articles/storage/common/media/assign-role-system-identity.png" alt-text="A screenshot showing how to assign a storage account role.":::
+
+5. Use the search box to filter the results to the desired role. For this example, search for *Storage Blob Data Contributor* and select the matching result and then choose **Next**.
+
+6. Under **Assign access to**, select **User, group, or service principal**, and then choose **+ Select members**.
+
+7. In the dialog, search for your Azure AD username (usually your *user@domain* email address) and then choose **Select** at the bottom of the dialog.
+
+8. Select **Review + assign** to go to the final page, and then **Review + assign** again to complete the process.
+
+### [Azure CLI](#tab/roles-azure-cli)
+
+To assign a role at the resource level using the Azure CLI, you first must retrieve the resource ID using the `az storage account show` command. You can filter the output properties using the `--query` parameter.
+
+```azurecli
+az storage account show --resource-group '<your-resource-group-name>' --name '<your-storage-account-name>' --query id
+```
+
+Copy the output `Id` from the preceding command. You can then assign roles using the [az role](/cli/azure/role) command of the Azure CLI.
+
+```azurecli
+az role assignment create --assignee "<user@domain>" \
+    --role "Storage Blob Data Contributor" \
+    --scope "<your-resource-id>"
+```
+
+### [PowerShell](#tab/roles-powershell)
+
+To assign a role at the resource level using Azure PowerShell, you first must retrieve the resource ID using the `Get-AzResource` command.
+
+```azurepowershell
+Get-AzResource -ResourceGroupName "<yourResourceGroupname>" -Name "<yourStorageAccountName>"
+```
+
+Copy the `Id` value from the preceding command output. You can then assign roles using the [New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment) command in PowerShell.
+
+```azurepowershell
+New-AzRoleAssignment -SignInName <user@domain> `
+    -RoleDefinitionName "Storage Blob Data Contributor" `
+    -Scope <yourStorageAccountId>
+```
+
+---

includes/passwordless/event-hub/event-hub-storage-assign-roles.md

@@ -35,5 +35,4 @@ A client can use the connection string to connect to the Service Bus namespace.
 
     You can use this page to copy primary key, secondary key, primary connection string, and secondary connection string. 
 
-
 ---