disable local auth - Service Bus

Author: spelluru

articles/service-bus-messaging/TOC.yml

@@ -269,6 +269,8 @@
       href: private-link-service.md
     - name: Encrypt data using customer-managed keys
       href: configure-customer-managed-key.md
+    - name: Disable location or SAS authentication
+      href: disable-local-authentication.md
   - name: Troubleshoot
     items:
     - name: Troubleshooting guide

articles/service-bus-messaging/authenticate-application.md

@@ -2,13 +2,16 @@
 title: Authenticate an application to access Azure Service Bus entities
 description: This article provides information about authenticating an application with Azure Active Directory to access Azure Service Bus  entities (queues, topics, etc.)
 ms.topic: conceptual
-ms.date: 06/14/2021
+ms.date: 01/06/2022
 ms.custom: subject-rbac-steps
 ---
 
 # Authenticate and authorize an application with Azure Active Directory to access Azure Service Bus entities
 Azure Service Bus supports using Azure Active Directory (Azure AD) to authorize requests to Service Bus entities (queues, topics, subscriptions, or filters). With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. To learn more about roles and role assignments, see [Understanding the different roles](../role-based-access-control/overview.md).
 
+> [!IMPORTANT]
+> You can disable local or SAS key authentication for a Service Bus namespace and allow only Azure Active Directory authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md).
+
 ## Overview
 When a security principal (a user, group, or application) attempts to access a Service Bus entity, the request must be authorized. With Azure AD, access to a resource is a two-step process. 
 

articles/service-bus-messaging/disable-local-authentication.md

@@ -0,0 +1,82 @@
+---
+title: Disable local authentication with Azure Service Bus
+description: This article explains how to disable local or Shared Access Signature key authentication for a Service Bus namespace. 
+ms.topic: how-to
+ms.date: 02/01/2022 
+---
+
+# Disable local or shared access key authentication with Azure Service Bus
+There are two ways to authenticate to Azure Service Bus resources: Azure Active Directory (Azure AD) and Shared Access Signatures (SAS). Azure AD provides superior security and ease of use over shared access signatures (SAS). With Azure AD, there’s no need to store the tokens in your code and risk potential security vulnerabilities. We recommend that you use Azure AD with your Azure Service Bus applications when possible.
+
+This article explains how to disable SAS key authentication and use only Azure AD for authentication. 
+
+## Use portal to disable local auth
+In this section, you learn how to use the Azure portal to disable local authentication. 
+
+1. Navigate to your Service Bus namespace in the [Azure portal](https://portal.azure.com).
+1. In the **Essentials** section of the **Overview** page, select **Enabled**, for **Local Authentication**. 
+
+    :::image type="content" source="./media/disable-local-authentication/portal-overview-enabled.png" alt-text="Image showing the Overview page of a Service Bus namespace with Local Authentication set to Enabled.":::
+1. On the **Local Authentication** page, select **Disabled**, and select **OK**. 
+
+      :::image type="content" source="./media/disable-local-authentication/select-disabled.png" alt-text="Disable location.":::
+
+## Use Resource Manager template to disable local auth
+You can disable local authentication for a Service Bus namespace by setting `disableLocalAuth` property to `true` as shown in the following Azure Resource Manager template.
+
+```json
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "namespace_name": {
+            "defaultValue": "spcontososbusns",
+            "type": "String"
+        }
+    },
+    "variables": {},
+    "resources": [
+        {
+            "type": "Microsoft.ServiceBus/namespaces",
+            "apiVersion": "2021-06-01-preview",
+            "name": "[parameters('namespace_name')]",
+            "location": "East US",
+            "sku": {
+                "name": "Standard",
+                "tier": "Standard"
+            },
+            "properties": {
+                "disableLocalAuth": true,
+                "zoneRedundant": false
+            }
+        }
+    ]
+}
+``` 
+
+### Parameters.json
+
+```json
+{
+    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "namespace_name": {
+            "value": null
+        }
+    }
+}
+```
+
+## Azure policy
+You can assign the [disable local auth](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcfb11c26-f069-4c14-8e36-56c394dae5af)  Azure policy to an Azure subscription or a resource group to enforce disabling of local authentication for all Service Bus namespaces in the subscription or the resource group.
+
+:::image type="content" source="./media/disable-local-authentication/azure-policy.png" alt-text="Azure policy to disable location authentication.":::
+
+## Next steps
+See the following to learn about Azure AD and SAS authentication. 
+
+- [Authentication with SAS](service-bus-sas.md) 
+- Authentication with Azure AD
+    - [Authenticate with managed identities](service-bus-managed-service-identity.md)
+    - [Authenticate from an application](authenticate-application.md)

articles/service-bus-messaging/media/disable-local-authentication/azure-policy.png

@@ -2,7 +2,7 @@
 title: Azure Service Bus authentication and authorization | Microsoft Docs
 description: Authenticate apps to Service Bus with Shared Access Signature (SAS) authentication.
 ms.topic: article
-ms.date: 09/15/2021
+ms.date: 02/01/2022
 ---
 
 # Service Bus authentication and authorization
@@ -21,6 +21,8 @@ For more information about authenticating with Azure AD, see the following artic
 
 > [!IMPORTANT]
 > Authorizing users or applications using OAuth 2.0 token returned by Azure AD provides superior security and ease of use over shared access signatures (SAS). With Azure AD, there is no need to store the tokens in your code and risk potential security vulnerabilities. We recommend that you use Azure AD with your Azure Service Bus applications when possible. 
+> 
+> You can disable local or SAS key authentication for a Service Bus namespace and allow only Azure AD authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md).
 
 ## Shared access signature
 [SAS authentication](service-bus-sas.md) enables you to grant a user access to Service Bus resources, with specific rights. SAS authentication in Service Bus involves the configuration of a cryptographic key with associated rights on a Service Bus resource. Clients can then gain access to that resource by presenting a SAS token, which consists of the resource URI being accessed and an expiry signed with the configured key.

articles/service-bus-messaging/media/disable-local-authentication/portal-overview-enabled.png

@@ -2,7 +2,7 @@
 title: Managed identities for Azure resources with Service Bus
 description: This article describes how to use managed identities to access with Azure Service Bus entities (queues, topics, and subscriptions).
 ms.topic: article
-ms.date: 06/14/2021
+ms.date: 01/06/2022
 ms.custom: subject-rbac-steps
 ---
 
@@ -11,6 +11,9 @@ ms.custom: subject-rbac-steps
 
 With managed identities, the Azure platform manages this runtime identity. You do not need to store and protect access keys in your application code or configuration, either for the identity itself, or for the resources you need to access. A Service Bus client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Service Bus Messaging namespace. When the app connects, Service Bus binds the managed entity's context to the client in an operation that is shown in an example later in this article. Once it is associated with a managed identity, your Service Bus client can do all authorized operations. Authorization is granted by associating a managed entity with Service Bus roles. 
 
+> [!IMPORTANT]
+> You can disable local or SAS key authentication for a Service Bus namespace and allow only Azure Active Directory authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md).
+
 ## Overview
 When a security principal (a user, group, or application) attempts to access a Service Bus entity, the request must be authorized. With Azure AD, access to a resource is a two-step process. 
 

articles/service-bus-messaging/media/disable-local-authentication/select-disabled.png

@@ -2,7 +2,7 @@
 title: Azure Service Bus access control with Shared Access Signatures
 description: Overview of Service Bus access control using Shared Access Signatures overview, details about SAS authorization with Azure Service Bus.
 ms.topic: article
-ms.date: 10/18/2021
+ms.date: 01/06/2022
 ms.devlang: csharp
 ms.custom: devx-track-csharp
 ---
@@ -19,6 +19,8 @@ SAS guards access to Service Bus based on authorization rules. Those are configu
 > Microsoft recommends using Azure AD with your Azure Service Bus applications when possible. For more information, see the following articles:
 > - [Authenticate and authorize an application with Azure Active Directory to access Azure Service Bus entities](authenticate-application.md).
 > - [Authenticate a managed identity with Azure Active Directory to access Azure Service Bus resources](service-bus-managed-service-identity.md)
+> 
+> You can disable local or SAS key authentication for a Service Bus namespace and allow only Azure AD authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md).
 
 ## Overview of SAS