MicrosoftDocs
diff --git a/‎articles/event-hubs/TOC.yml
Lines changed: 8 additions & 0 deletions b/‎articles/event-hubs/TOC.yml
Lines changed: 8 additions & 0 deletions
diff --git a/‎articles/event-hubs/index.yml
Lines changed: 3 additions & 1 deletion b/‎articles/event-hubs/index.yml
Lines changed: 3 additions & 1 deletion
diff --git a/‎articles/event-hubs/transport-layer-security-audit-minimum-version.md
Lines changed: 127 additions & 0 deletions b/‎articles/event-hubs/transport-layer-security-audit-minimum-version.md
Lines changed: 127 additions & 0 deletions
diff --git a/‎articles/event-hubs/transport-layer-security-configure-client-version.md
Lines changed: 67 additions & 0 deletions b/‎articles/event-hubs/transport-layer-security-configure-client-version.md
Lines changed: 67 additions & 0 deletions
diff --git a/‎articles/event-hubs/transport-layer-security-configure-minimum-version.md
Lines changed: 93 additions & 0 deletions b/‎articles/event-hubs/transport-layer-security-configure-minimum-version.md
Lines changed: 93 additions & 0 deletions
@@ -145,6 +145,8 @@
           href: ./security-controls-policy.md
         - name: Security baseline
           href: /security/benchmark/azure/baselines/event-hubs-security-baseline?toc=/azure/event-hubs/TOC.json
+        - name: Enforce minimum required TLS version
+          href: transport-layer-security-enforce-minimum-version.md
     - name: Availability and consistency
       href: event-hubs-availability-and-consistency.md
     - name: Scalability
@@ -240,6 +242,12 @@
           href: private-link-service.md
         - name: Encrypt data using customer-managed keys
           href: configure-customer-managed-key.md
+        - name: Configure minimum required TLS version
+          href: transport-layer-security-configure-minimum-version.md
+        - name: Audit minimum required TLS version
+          href: transport-layer-security-audit-minimum-version.md
+        - name: Configure TLS version for client
+          href: transport-layer-security-configure-client-version.md
     - name: Troubleshoot
       items:
         - name: Troubleshoot connectivity issues
 
@@ -199,4 +199,6 @@ landingContent:
           - text: Use private endpoints
             url: private-link-service.md            
           - text: Configure customer-managed keys for encrypting data at rest
-            url: configure-customer-managed-key.md            
+            url: configure-customer-managed-key.md     
+          - text: Enforce minimum required TLS version
+            url: transport-layer-security-enforce-minimum-version.md    
@@ -0,0 +1,127 @@
+---
+title: Use Azure Policy to audit for compliance of minimum TLS version for an Azure Event Hubs namespace
+titleSuffix: Event Hubs
+description: Configure Azure Policy to audit compliance of Azure Event Hubs for using a minimum version of Transport Layer Security (TLS).
+services: event-hubs
+author: EldertGrootenboer
+
+ms.service: event-hubs
+ms.topic: article
+ms.date: 04/25/2022
+ms.author: egrootenboer
+---
+
+# Use Azure Policy to audit for compliance of minimum TLS version for an Azure Event Hubs namespace (Preview)
+
+If you have a large number of Microsoft Azure Event Hubs namespaces, you may want to perform an audit to make sure that all namespaces are configured for the minimum version of TLS that your organization requires. To audit a set of Event Hubs namespaces for their compliance, use Azure Policy. Azure Policy is a service that you can use to create, assign, and manage policies that apply rules to Azure resources. Azure Policy helps you to keep those resources compliant with your corporate standards and service level agreements. For more information, see [Overview of Azure Policy](../governance/policy/overview.md).
+
+## Create a policy with an audit effect
+
+Azure Policy supports effects that determine what happens when a policy rule is evaluated against a resource. The audit effect creates a warning when a resource is not in compliance, but does not stop the request. For more information about effects, see [Understand Azure Policy effects](../governance/policy/concepts/effects.md).
+
+To create a policy with an audit effect for the minimum TLS version with the Azure portal, follow these steps:
+
+1. In the Azure portal, navigate to the Azure Policy service.
+2. Under the  **Authoring**  section, select  **Definitions**.
+3. Select  **Add policy definition**  to create a new policy definition.
+4. For the  **Definition location**  field, select the  **More**  button to specify where the audit policy resource is located.
+5. Specify a name for the policy. You can optionally specify a description and category.
+6. Under  **Policy rule** , add the following policy definition to the  **policyRule**  section.
+
+    ```json
+    {
+      "policyRule": {
+        "if": {
+          "allOf": [
+            {
+              "field": "type",
+              "equals": "Microsoft.EventHub/namespaces"
+            },
+            {
+              "not": {
+                "field": " Microsoft.EventHub/namespaces/minimumTlsVersion",
+                "equals": "1.2"
+              }
+            }
+          ]
+        },
+        "then": {
+          "effect": "audit"
+        }
+      }
+    }
+    ```
+
+7. Save the policy.
+
+### Assign the policy
+
+Next, assign the policy to a resource. The scope of the policy corresponds to that resource and any resources beneath it. For more information on policy assignment, see [Azure Policy assignment structure](../governance/policy/concepts/assignment-structure.md).
+
+To assign the policy with the Azure portal, follow these steps:
+
+1. In the Azure portal, navigate to the Azure Policy service.
+2. Under the  **Authoring**  section, select  **Assignments**.
+3. Select  **Assign policy**  to create a new policy assignment.
+4. For the  **Scope**  field, select the scope of the policy assignment.
+5. For the  **Policy definition**  field, select the  **More**  button, then select the policy you defined in the previous section from the list.
+6. Provide a name for the policy assignment. The description is optional.
+7. Leave  **Policy enforcement**  set to _Enabled_. This setting has no effect on the audit policy.
+8. Select  **Review + create**  to create the assignment.
+
+### View compliance report
+
+After you have assigned the policy, you can view the compliance report. The compliance report for an audit policy provides information on which Event Hubs namespaces are not in compliance with the policy. For more information, see [Get policy compliance data](../governance/policy/how-to/get-compliance-data.md).
+
+It may take several minutes for the compliance report to become available after the policy assignment is created.
+
+To view the compliance report in the Azure portal, follow these steps:
+
+1. In the Azure portal, navigate to the Azure Policy service.
+2. Select  **Compliance**.
+3. Filter the results for the name of the policy assignment that you created in the previous step. The report shows how many resources are not in compliance with the policy.
+4. You can drill down into the report for additional details, including a list of Event Hubs namespaces that are not in compliance.
+
+## Use Azure Policy to enforce the minimum TLS version
+
+Azure Policy supports cloud governance by ensuring that Azure resources adhere to requirements and standards. To enforce a minimum TLS version requirement for the Event Hubs namespaces in your organization, you can create a policy that prevents the creation of a new Event Hubs namespace that sets the minimum TLS requirement to an older version of TLS than that which is dictated by the policy. This policy will also prevent all configuration changes to an existing namespace if the minimum TLS version setting for that namespace is not compliant with the policy.
+
+The enforcement policy uses the deny effect to prevent a request that would create or modify an Event Hubs namespace so that the minimum TLS version no longer adheres to your organization's standards. For more information about effects, see [Understand Azure Policy effects](../governance/policy/concepts/effects.md).
+
+To create a policy with a deny effect for a minimum TLS version that is less than TLS 1.2, provide the following JSON in the  **policyRule**  section of the policy definition:
+
+```json
+{
+  "policyRule": {
+    "if": {
+      "allOf": [
+        {
+          "field": "type",
+          "equals": " Microsoft.EventHub/namespaces"
+        },
+        {
+          "not": {
+            "field": " Microsoft.EventHub/namespaces/minimumTlsVersion",
+            "equals": "1.2"
+          }
+        }
+      ]
+    },
+    "then": {
+      "effect": "deny"
+    }
+  }
+}
+```
+
+After you create the policy with the deny effect and assign it to a scope, a user cannot create an Event Hubs namespace with a minimum TLS version that is older than 1.2. Nor can a user make any configuration changes to an existing Event Hubs namespace that currently requires a minimum TLS version that is older than 1.2. Attempting to do so results in an error. The required minimum TLS version for the Event Hubs namespace must be set to 1.2 to proceed with namespace creation or configuration.
+
+An error will be shown if you try to create an Event Hubs namespace with the minimum TLS version set to TLS 1.0 when a policy with a deny effect requires that the minimum TLS version be set to TLS 1.2.
+
+## Next steps
+
+See the following documentation for more information.
+
+- [Enforce a minimum required version of Transport Layer Security (TLS) for requests to an Event Hubs namespace](transport-layer-security-enforce-minimum-version.md)
+- [Configure the minimum TLS version for an Event Hubs namespace](transport-layer-security-configure-minimum-version.md)
+- [Configure Transport Layer Security (TLS) for an Event Hubs client application](transport-layer-security-configure-client-version.md)
@@ -0,0 +1,67 @@
+---
+title: Configure Transport Layer Security (TLS) for an Event Hubs client application
+titleSuffix: Event Hubs
+description: Configure a client application to communicate with Azure Event Hubs using a minimum version of Transport Layer Security (TLS).
+services: event-hubs
+author: EldertGrootenboer
+
+ms.service: event-hubs
+ms.topic: article
+ms.date: 04/25/2022
+ms.author: egrootenboer
+---
+
+# Configure Transport Layer Security (TLS) for an Event Hubs client application (Preview)
+
+For security purposes, an Azure Event Hubs namespace may require that clients use a minimum version of Transport Layer Security (TLS) to send requests. Calls to Azure Event Hubs will fail if the client is using a version of TLS that is lower than the minimum required version. For example, if a namespace requires TLS 1.2, then a request sent by a client who is using TLS 1.1 will fail.
+
+This article describes how to configure a client application to use a particular version of TLS. For information about how to configure a minimum required version of TLS for an Azure Event Hubs namespace, see [Enforce a minimum required version of Transport Layer Security (TLS) for requests to an Event Hubs namespace](transport-layer-security-configure-minimum-version.md).
+
+## Configure the client TLS version
+
+In order for a client to send a request with a particular version of TLS, the operating system must support that version.
+
+The following example shows how to set the client's TLS version to 1.2 from .NET. The .NET Framework used by the client must support TLS 1.2. For more information, see [Support for TLS 1.2](/dotnet/framework/network-programming/tls#support-for-tls-12).
+
+# [.NET](#tab/dotnet)
+
+The following sample shows how to enable TLS 1.2 in a .NET client using the Azure.Messaging.ServiceBus client library of Event Hubs:
+
+```csharp
+{
+    // Enable TLS 1.2 before connecting to Event Hubs
+    System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
+
+    // Connection string to your Event Hubs namespace
+    string connectionString = "<NAMESPACE CONNECTION STRING>";
+    
+    // Name of your Event Hub
+    string eventHubName = "<EVENT HUB NAME>";
+    
+    // The sender used to publish messages to the queue
+    var producer = new EventHubProducerClient(connectionString, eventHubName);
+    
+    // Use the producer client to send a message to the Event Hubs queue
+    using EventDataBatch eventBatch = await producer.CreateBatchAsync();
+    var eventData = new EventData("This is an event body");
+
+    if (!eventBatch.TryAdd(eventData))
+    {
+        throw new Exception($"The event could not be added.");
+    }
+}
+```
+
+---
+
+## Verify the TLS version used by a client
+
+To verify that the specified version of TLS was used by the client to send a request, you can use [Fiddler](https://www.telerik.com/fiddler) or a similar tool. Open Fiddler to start capturing client network traffic, then execute one of the examples in the previous section. Look at the Fiddler trace to confirm that the correct version of TLS was used to send the request.
+
+## Next steps
+
+See the following documentation for more information.
+
+- [Enforce a minimum required version of Transport Layer Security (TLS) for requests to an Event Hubs namespace](transport-layer-security-enforce-minimum-version.md)
+- [Configure the minimum TLS version for an Event Hubs namespace](transport-layer-security-configure-minimum-version.md)
+- [Use Azure Policy to audit for compliance of minimum TLS version for an Event Hubs namespace](transport-layer-security-audit-minimum-version.md)
@@ -0,0 +1,93 @@
+---
+title: Configure the minimum TLS version for an Event Hubs namespace using ARM
+titleSuffix: Event Hubs
+description: Configure an Azure Event Hubs namespace to use a minimum version of Transport Layer Security (TLS).
+services: event-hubs
+author: EldertGrootenboer
+
+ms.service: event-hubs
+ms.topic: article
+ms.date: 04/25/2022
+ms.author: egrootenboer
+---
+
+# Configure the minimum TLS version for an Event Hubs namespace using ARM (Preview)
+
+To configure the minimum TLS version for an Event Hubs namespace, set the  `MinimumTlsVersion`  version property. When you create an Event Hubs namespace with an Azure Resource Manager template, the `MinimumTlsVersion` property is set to 1.2 by default, unless explicitly set to another version.
+
+> [!NOTE]
+> Namespaces created using an api-version prior to 2022-01-01-preview will have 1.0 as the value for `MinimumTlsVersion`. This behavior was the prior default, and is still there for backwards compatibility.
+
+## Create a template to configure the minimum TLS version
+
+To configure the minimum TLS version for an Event Hubs namespace with a template, create a template with the  `MinimumTlsVersion`  property set to 1.0, 1.1, or 1.2. The following steps describe how to create a template in the Azure portal.
+
+1. In the Azure portal, choose  **Create a resource**.
+2. In  **Search the Marketplace** , type  **custom deployment** , and then press  **ENTER**.
+3. Choose **Custom deployment (deploy using custom templates) (preview)**, choose  **Create** , and then choose  **Build your own template in the editor**.
+4. In the template editor, paste in the following JSON to create a new namespace and set the minimum TLS version to TLS 1.2. Remember to replace the placeholders in angle brackets with your own values.
+
+    ```json
+    {
+        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+        "contentVersion": "1.0.0.0",
+        "parameters": {},
+        "variables": {
+            "serviceBusNamespaceName": "[concat(uniqueString(subscription().subscriptionId), 'tls')]"
+        },
+        "resources": [
+            {
+            "name": "[variables('serviceBusNamespaceName')]",
+            "type": "Microsoft.EventHub/namespaces",
+            "apiVersion": "2022-01-01-preview",
+            "location": "westeurope",
+            "properties": {
+                "minimumTlsVersion": "1.2"
+            },
+            "dependsOn": [],
+            "tags": {}
+            }
+        ]
+    }
+    ```
+
+5. Save the template.
+6. Specify resource group parameter, then choose the  **Review + create**  button to deploy the template and create a namespace with the  `MinimumTlsVersion`  property configured.
+
+> [!NOTE]
+> After you update the minimum TLS version for the Event Hubs namespace, it may take up to 30 seconds before the change is fully propagated.
+
+Configuring the minimum TLS version requires api-version 2022-01-01-preview or later of the Azure Event Hubs resource provider.
+
+## Check the minimum required TLS version for multiple namespaces
+
+To check the minimum required TLS version across a set of Event Hubs namespaces with optimal performance, you can use the Azure Resource Graph Explorer in the Azure portal. To learn more about using the Resource Graph Explorer, see [Quickstart: Run your first Resource Graph query using Azure Resource Graph Explorer](../governance/resource-graph/first-query-portal.md).
+
+Running the following query in the Resource Graph Explorer returns a list of Event Hubs namespaces and displays the minimum TLS version for each namespace:
+
+```kusto
+resources 
+| where type =~ 'Microsoft.EventHub/namespaces'
+| extend minimumTlsVersion = parse\_json(properties).minimumTlsVersion
+| project subscriptionId, resourceGroup, name, minimumTlsVersion
+```
+
+## Test the minimum TLS version from a client
+
+To test that the minimum required TLS version for an Event Hubs namespace forbids calls made with an older version, you can configure a client to use an older version of TLS. For more information about configuring a client to use a specific version of TLS, see [Configure Transport Layer Security (TLS) for a client application](transport-layer-security-configure-client-version.md).
+
+When a client accesses an Event Hubs namespace using a TLS version that does not meet the minimum TLS version configured for the namespace, Azure Event Hubs returns error code 400 error (Bad Request) and a message indicating that the TLS version that was used is not permitted for making requests against this Event Hubs namespace.
+
+> [!NOTE]
+> Due to limitations in the confluent library, errors coming from an invalid TLS version will not surface when connecting through the Kafka protocol. Instead a general exception will be shown.
+
+> [!NOTE]
+> When you configure a minimum TLS version for an Event Hubs namespace, that minimum version is enforced at the application layer. Tools that attempt to determine TLS support at the protocol layer may return TLS versions in addition to the minimum required version when run directly against the Event Hubs namespace endpoint.
+
+## Next steps
+
+See the following documentation for more information.
+
+- [Enforce a minimum required version of Transport Layer Security (TLS) for requests to an Event Hubs namespace](transport-layer-security-enforce-minimum-version.md)
+- [Configure Transport Layer Security (TLS) for an Event Hubs client application](transport-layer-security-configure-client-version.md)
+- [Use Azure Policy to audit for compliance of minimum TLS version for an Event Hubs namespace](transport-layer-security-audit-minimum-version.md)