Commit 5cc42c4

Merge pull request #303352 from spelluru/ehubfreshness0725
Event Hubs - freshness
2 parents ef77851 + b5ff2d2 commit 5cc42c4

5 files changed, +94 -80 lines changed

articles/event-hubs/authenticate-shared-access-signature.md

Lines changed: 21 additions & 21 deletions
@@ -1,18 +1,23 @@
11
---
2-
title: Authenticate access to Azure Event Hubs with shared access signatures
3-
description: This article shows you how to authenticate access to Event Hubs resources using shared access signatures.
2+
title: "SAS Authentication for Azure Event Hubs Resources"
3+
description: Learn how to authenticate access to Azure Event Hubs resources using shared access signatures (SAS). Get granular control over permissions and security. Includes code examples in C#, Java, and Node.js to implement SAS authentication.
4+
#customer intent: Based on the content you've provided about SAS authentication for Azure Event Hubs, here are 10 customer intent statements following the agile user story format:
45
ms.topic: conceptual
5-
ms.date: 06/25/2024
6+
ms.date: 07/25/2025
67
ms.devlang: csharp
7-
# ms.devlang: csharp, java, javascript, php
8-
ms.custom: devx-track-csharp
8+
ms.custom:
9+
- devx-track-csharp
10+
- ai-gen-docs-bap
11+
- ai-gen-title
12+
- ai-seo-date:07/25/2025
13+
- ai-gen-description
914
---
1015

1116
# Authenticate access to Event Hubs resources using shared access signatures (SAS)
1217
Shared access signature (SAS) gives you granular control over the type of access you grant to the clients. Here are some of the controls you can set in a SAS:
1318

1419
- The interval over which the SAS is valid, which includes the start time and expiry time.
15-
- The permissions granted by the SAS. For example, a SAS for an Event Hubs namespace might grant the listen permission, but not the send permission.
20+
- The permissions granted by the SAS. For example, a SAS for an Event Hubs namespace might grant the permission to listen for event, but not the permission to send events.
1621
- Only clients that present valid credentials can send data to an event hub.
1722
- A client can't impersonate another client.
1823
- A rogue client can be blocked from sending data to an event hub.
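Review bot: the added `#customer intent:` line is leftover generator prompt output ("Based on the content you've provided about SAS authentication for Azure Event Hubs, here are 10 customer intent statements following the agile user story format:") rather than an intent statement, and it should be replaced with a single statement in the form the other file in this PR uses ("As a cloud security administrator, I want to ... so that ..."). Also, the reworded bullet reads "the permission to listen for event"; make it "listen for events" so it matches "send events" at the end of the same sentence.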
@@ -50,7 +55,7 @@ The signature-string is the SHA-256 hash computed over the resource URI (scope a
5055
SHA-256('https://<yournamespace>.servicebus.windows.net/'+'\n'+ 1438205742)
5156
```
5257

53-
The token contains the non-hashed values so that the recipient can recompute the hash with the same parameters, verifying that the issuer is in possession of a valid signing key.
58+
The token contains the nonhashed values so that the recipient can recompute the hash with the same parameters, verifying that the issuer is in possession of a valid signing key.
5459

5560
The resource URI is the full URI of the Service Bus resource to which access is claimed. For example, `http://<namespace>.servicebus.windows.net/<entityPath>` or `sb://<namespace>.servicebus.windows.net/<entityPath>` that is, `http://contoso.servicebus.windows.net/eh1`.
5661

@@ -237,7 +242,7 @@ An event publisher defines a virtual endpoint for an event hub. The publisher ca
237242

238243
Typically, an event hub employs one publisher per client. All messages that are sent to any of the publishers of an event hub are enqueued within that event hub. Publishers enable fine-grained access control.
239244

240-
Each Event Hubs client is assigned a unique token, which is uploaded to the client. The tokens are produced such that each unique token grants access to different unique publisher. A client that holds a token can only send to one publisher, and no other publisher. If multiple clients share the same token, then each of them shares the publisher.
245+
A unique token is assigned to each Event Hubs client, which is uploaded to the client. The tokens are produced such that each unique token grants access to different unique publisher. A client that holds a token can only send to one publisher, and no other publisher. If multiple clients share the same token, then each of them shares the publisher.
241246

242247
All tokens are assigned with SAS keys. Typically, all tokens are signed with the same key. Clients aren't aware of the key, which prevents clients from manufacturing tokens. Clients operate on the same tokens until they expire.
243248

@@ -251,20 +256,20 @@ For example, to define authorization rules scoped down to only sending/publishin
251256

252257

253258
> [!NOTE]
254-
> Although we don't recommend it, it's possible to equip devices with tokens that grant access to an event hub or a namespace. Any device that holds this token can send messages directly to that event hub. Furthermore, the device cannot be blocklisted from sending to that event hub.
259+
> Although we don't recommend it, it's possible to equip devices with tokens that grant access to an event hub or a namespace. Any device that holds this token can send messages directly to that event hub. Furthermore, the device can't be blocklisted from sending to that event hub.
255260
>
256261
> We recommend that you give specific and granular scopes.
257262
258263
> [!IMPORTANT]
259-
> Once the tokens have been created, each client is provisioned with its own unique token.
264+
> Once the tokens are created, each client is provisioned with its own unique token.
260265
>
261266
> When the client sends data into an event hub, it tags its request with the token. To prevent an attacker from eavesdropping and stealing the token, the communication between the client and the event hub must occur over an encrypted channel.
262267
>
263-
> If a token is stolen by an attacker, the attacker can impersonate the client whose token has been stolen. Blocklisting a publisher, renders that client unusable until it receives a new token that uses a different publisher.
268+
> If an attacker steals a token, the attacker can impersonate the client whose token has been stolen. Disallowing a publisher, renders that client unusable until it receives a new token that uses a different publisher.
264269
265270

266271
## Authenticating Event Hubs consumers with SAS
267-
To authenticate back-end applications that consume from the data generated by Event Hubs producers, Event Hubs token authentication requires its clients to either have the **manage** rights or the **listen** privileges assigned to its Event Hubs namespace or event hub instance or topic. Data is consumed from Event Hubs using consumer groups. While SAS policy gives you granular scope, this scope is defined only at the entity level and not at the consumer level. It means that the privileges defined at the namespace level or the event hub or topic level are applied to the consumer groups of that entity.
272+
To authenticate back-end applications that consume data generated by Event Hubs producers, Event Hubs token authentication requires its clients to have either the **manage** rights or the **listen** privileges assigned to its Event Hubs namespace or event hub instance or topic. Data is consumed from Event Hubs using consumer groups. While SAS policy gives you granular scope, this scope is defined only at the entity level and not at the consumer level. It means that the privileges defined at the namespace level or the event hub or topic level are applied to the consumer groups of that entity.
268273

269274
## Disable local/SAS Key authentication
270275
For certain organizational security requirements, you want to disable local/SAS key authentication completely and rely on the Microsoft Entra ID based authentication, which is the recommended way to connect with Azure Event Hubs. You can disable local/SAS key authentication at the Event Hubs namespace level using Azure portal or Azure Resource Manager template.
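Review bot: the terminology in the two notes is now inconsistent. The NOTE still says the device "can't be blocklisted from sending to that event hub", while the IMPORTANT block changes "Blocklisting a publisher" to "Disallowing a publisher"; use one term for the revoke operation in both places. The comma between subject and verb in "Disallowing a publisher, renders that client unusable" carried over from the old text and should be dropped. The reworded consumer paragraph ("requires its clients to have either the **manage** rights or the **listen** privileges") reads well.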
@@ -333,15 +338,10 @@ You can disable local authentication for a given Event Hubs namespace by setting
333338
- See the .NET sample #5 in [this GitHub location](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/eventhub/Azure.Messaging.EventHubs.Processor/samples) to learn how to consume or process events using shared access credentials or the default Azure credential identity.
334339

335340
## Next steps
336-
See the following articles:
337341

338-
- [Authorize using SAS](authenticate-shared-access-signature.md)
339-
- [Authorize using Azure role-based access control (RBAC)](authorize-access-azure-active-directory.md)
340-
- [Learn more about Event Hubs](event-hubs-about.md)
342+
Now that you understand SAS authentication, explore these related topics:
341343

342-
See the following related articles:
344+
**Secure your Event Hubs further:**
345+
- [Authorize access using Shared Access Signatures](authenticate-shared-access-signature.md) - Learn authorization concepts
346+
- [Use Azure role-based access control (RBAC)](authorize-access-azure-active-directory.md) - Implement enterprise-grade security
343347

344-
- [Authenticate requests to Azure Event Hubs from an application using Microsoft Entra ID](authenticate-application.md)
345-
- [Authenticate a managed identity with Microsoft Entra ID for accessing Event Hubs Resources](authenticate-managed-identity.md)
346-
- [Authorize access to Event Hubs resources using Microsoft Entra ID](authorize-access-azure-active-directory.md)
347-
- [Authorize access to Event Hubs resources using Shared Access Signatures](authorize-access-shared-access-signature.md)
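Review bot: the new "Next steps" list drops links that the article body relies on. The first new bullet links to authenticate-shared-access-signature.md, which is this file itself, so it is a self-link; the removed bullet pointed to authorize-access-shared-access-signature.md instead, and that link is gone. The removed links to authenticate-application.md and authenticate-managed-identity.md are the Microsoft Entra ID paths that the "Disable local/SAS Key authentication" section of this same file recommends, so readers lose the pointer exactly where they need it. Suggest restoring those three links and replacing the self-link. The descriptor "Implement enterprise-grade security" on the RBAC bullet is marketing wording; "Authorize access with Azure roles" describes the linked article more accurately.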

articles/event-hubs/authorize-access-azure-active-directory.md

Lines changed: 14 additions & 9 deletions
@@ -1,13 +1,18 @@
11
---
2-
title: Authorize access with Microsoft Entra ID
3-
description: This article provides information on authorizing access to Event Hubs resources using Microsoft Entra ID.
2+
title: Authorize Azure Event Hubs Access With Microsoft Entra ID
3+
description: Learn how to authorize access to Azure Event Hubs resources using Microsoft Entra ID with Azure role-based access control (RBAC) for secure authentication and permissions.
4+
#customer intent: As a cloud security administrator, I want to configure Microsoft Entra ID authentication for Event Hubs resources so that I can implement secure role-based access control instead of using shared access keys.
45
ms.topic: concept-article
5-
ms.date: 06/26/2024
6-
#customer intent: As an Azure Event Hubs user, I want to know how to authorize requests to event hubs using Microsoft Entra ID.
6+
ms.date: 07/25/2025
7+
ms.custom:
8+
- ai-gen-docs-bap
9+
- ai-gen-title
10+
- ai-seo-date:07/25/2025
11+
- ai-gen-description
712
---
813

9-
# Authorize access to Event Hubs resources using Microsoft Entra ID
10-
Azure Event Hubs supports using Microsoft Entra ID to authorize requests to Event Hubs resources. With Microsoft Entra ID, you can use Azure role-based access control (RBAC) to grant permissions to a security principal, which can be a user, or an application service principal. To learn more about roles and role assignments, see [Understanding the different roles](../role-based-access-control/overview.md).
14+
# Authorize access to Azure Event Hubs resources using Microsoft Entra ID
15+
Azure Event Hubs supports using Microsoft Entra ID to authorize requests to Event Hubs resources, providing secure authentication and granular access control. With Microsoft Entra ID, you can use Azure role-based access control (RBAC) to grant permissions to security principals, including users and application service principals. This approach eliminates the need for shared access keys and provides better security for your Event Hubs implementations. To learn more about roles and role assignments, see [Understanding the different roles](../role-based-access-control/overview.md).
1116

1217
## Overview
1318
When a security principal (a user, or an application) attempts to access an Event Hubs resource, the request must be authorized. With Microsoft Entra ID, access to a resource is a two-step process.
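Review bot: the added intro sentence "This approach eliminates the need for shared access keys" overstates it. Entra ID authorization can replace SAS, but SAS keys stay enabled on a namespace until local authentication is explicitly disabled, which the SAS article in this same PR describes under "Disable local/SAS Key authentication". Suggest "This approach lets you avoid distributing shared access keys" together with a pointer to disabling local authentication. The frontmatter change is otherwise an improvement: the new `#customer intent:` line is a concrete statement in the expected form, unlike the previous one.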
@@ -17,7 +22,7 @@ When a security principal (a user, or an application) attempts to access an Even
1722

1823
The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity such as an Azure VM, a virtual machine scale set, or an Azure Function app, it can use a managed identity to access the resources. To learn how to authenticate requests made by a managed identity to Event Hubs service, see [Authenticate access to Azure Event Hubs resources with Microsoft Entra ID and managed identities for Azure Resources](authenticate-managed-identity.md).
1924

20-
The authorization step requires that one or more Azure roles be assigned to the security principal. Azure Event Hubs provides Azure roles that encompass sets of permissions for Event Hubs resources. The roles that are assigned to a security principal determine the permissions that the principal will have. For more information about Azure roles, see [Azure built-in roles for Azure Event Hubs](#azure-built-in-roles-for-azure-event-hubs).
25+
The authorization step requires that one or more Azure roles be assigned to the security principal. Azure Event Hubs provides Azure roles that encompass sets of permissions for Event Hubs resources. The roles that are assigned to a security principal determine the permissions that the principal has. For more information about Azure roles, see [Azure built-in roles for Azure Event Hubs](#azure-built-in-roles-for-azure-event-hubs).
2126

2227
Native applications and web applications that make requests to Event Hubs can also authorize with Microsoft Entra ID. To learn how to request an access token and use it to authorize requests for Event Hubs resources, see [Authenticate access to Azure Event Hubs with Microsoft Entra ID from an application](authenticate-application.md).
2328

@@ -32,8 +37,8 @@ Azure provides the following Azure built-in roles for authorizing access to Even
3237
| Role | Description |
3338
| ---- | ----------- |
3439
| [Azure Event Hubs Data owner](../role-based-access-control/built-in-roles.md#azure-event-hubs-data-owner) | Use this role to give complete access to Event Hubs resources. |
35-
| [Azure Event Hubs Data sender](../role-based-access-control/built-in-roles.md#azure-event-hubs-data-sender) | Use this role to give the send access to Event Hubs resources. |
36-
| [Azure Event Hubs Data receiver](../role-based-access-control/built-in-roles.md#azure-event-hubs-data-receiver) | Use this role to give the consuming/receiving access to Event Hubs resources. |
40+
| [Azure Event Hubs Data sender](../role-based-access-control/built-in-roles.md#azure-event-hubs-data-sender) | Use this role to allow the security principal to send events to Event Hubs resources. |
41+
| [Azure Event Hubs Data receiver](../role-based-access-control/built-in-roles.md#azure-event-hubs-data-receiver) | Use this role to allow the security principal to receive events from Event Hubs resources. |
3742

3843
For Schema Registry built-in roles, see [Schema Registry roles](schema-registry-concepts.md#azure-role-based-access-control).
3944
