Event Grid - Pre Build updates

spelluru · spelluru · commit e101db21b5af · 2025-04-30T11:38:56.000-04:00
diff --git a/articles/event-grid/authenticate-with-namespaces-using-json-web-tokens.md b/articles/event-grid/authenticate-with-namespaces-using-json-web-tokens.md
@@ -3,34 +3,33 @@ title: Authenticate with namespaces using JSON Web Tokens
 description: This article shows you how to authenticate with Azure Event Grid namespace using JSON Web Tokens.
 ms.topic: how-to
 ms.custom: build-2024, devx-track-azurecli
-ms.date: 01/27/2025
+ms.date: 04/30/2025
 author: Connected-Seth
 ms.author: seshanmugam
 ---
 
-# Authenticate with namespaces using JSON Web Tokens
-This article shows how to authenticate with Azure Event Grid namespace using JSON Web Tokens.
+# Use OAuth 2.0 JSON Web Tokens (JWT) to authenticate with namespaces
+This article shows how to authenticate with Azure Event Grid namespace using OAuth 2.0 JSON Web Tokens. 
 
-Azure Event Grid's MQTT broker supports custom JWT authentication, which enables clients to connect and authenticate with an Event Grid namespace using JSON Web Tokens that are issued by any identity provider, aside from Microsoft Entra ID. 
+Azure Event Grid's MQTT broker supports OAuth 2.0 JWT authentication, which enables clients to connect and authenticate with an Event Grid namespace using JSON Web Tokens that are issued by any identity provider, aside from Microsoft Entra ID. 
 
 ## Prerequisites 
 
-To use custom JWT authentication for namespaces, you need to have the following prerequisites: 
+To use OAuth 2.0 JWT authentication for namespaces, you need to have the following prerequisites: 
 
 - Identity provider that can issue JSON Web Tokens. 
-- CA certificate that includes your public keys used to validate the client tokens. 
-- Azure Key Vault account to host the CA certificate that includes your public keys. 
+- CA certificate that includes your public keys used to validate the client tokens(Key Vault) or PEM file of your public key certificates(direct upload). 
 
 ## High-level steps 
 
-To use custom JWT authentication for namespaces, follow these steps: 
+To use OAuth 2.0 JWT authentication for namespaces, follow these steps: 
 
-1. Create a namespace and configure its subresources.
+1. Create a namespace and configure its subresources. 
 1. Enable managed identity on your Event Grid namespace. 
-1. Create an Azure Key Vault account that hosts the CA certificate that includes your public keys. 
-1. Add role assignment in Azure Key Vault for the namespace’s managed identity. 
-1. Configure custom authentication settings on your Event Grid namespace 
-1. Your clients can connect to the Event Grid namespace using the tokens provided by your identity provider. 
+1. Configure OAuth 2.0 authentication settings on your Event Grid namespace by following these steps: 
+    1. Create an Azure Key Vault account that hosts the CA certificate that includes your public keys and  add role assignment in Key Vault for the namespace’s managed identity. 
+    1. Upload the PEM file of your public key certificates to namespace. 
+  1. Your clients can connect to the Event Grid namespace using the tokens provided by your identity provider. 
 
 ## Create a namespace and configure its subresources 
 Follow instructions from [Quickstart: Publish and subscribe to MQTT messages on Event Grid Namespace with Azure portal](mqtt-publish-and-subscribe-portal.md) to create a namespace and configure its subresources. Skip the certificate and client creation steps as the client identities come from the provided token. Client attributes are based on the custom claims in the client token. The client attributes are used in the client group query, topic template variables, and routing enrichment configuration.
@@ -81,7 +80,7 @@ You need to provide access to the namespace to access your Azure Key Vault accou
 
     For more information about Key Vault access and the portal experience, see [Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control](/azure/key-vault/general/rbac-guide). 
 
-## Configure custom authentication settings on your Event Grid namespace 
+## Configure OAuth 2.0 JWT authentication settings on your Event Grid namespace -Key Vault 
 In this step, you configure custom authentication settings on your Event Grid namespace using Azure portal and Azure CLI. You need to create the namespace first then update it using the following steps.
 
 ### Use Azure portal
@@ -130,7 +129,7 @@ az resource update \
   }'
  
 ```
-## JSON Web Token format
+### JSON Web Token format
 JSON Web Tokens are divided into the JWT Header and JWT payload sections.
  
 ### JWT Header 
@@ -184,6 +183,88 @@ Event Grid maps all claims to client attributes if they have one of the followin
 }
 ```
 
+## Configure OAuth 2.0 JWT authentication settings on your Event Grid namespace - Direct upload 
+
+In this step, you configure custom JWT authentication settings on your Event Grid namespace using Azure portal and Azure CLI. You need to create the namespace first then update it using the following steps. 
+
+## Use Azure portal
+1. Navigate to your Event Grid namespace in the Azure portal. 
+1. On the Event Grid Namespace page, select Configuration on the left menu. 
+1. In the Custom JWT authentication section, specify values for the following properties: 
+    1. Select **Enable custom JWT authentication**. 
+    1. **Token Issuer**: Enter the value of the issuer claims of the JWTs, presented by the MQTT clients. 
+    1. Select  issuer certificate option – **Direct Upload**.  
+1. In the new page, specify values for the following properties. 
+    1. **Certificate**: upload your server certificate in PEM Format. 
+    1. **Kid**: A unique key identifier for the certificate. 
+    1. Select **Add**. 
+1. Back on the **Configuration** page, select **Apply**. 
+
+
+### Use Azure CLI 
+Use the following command to update your namespace with the OAuth 2.0 JWT authentication configuration. 
+
+```azurecli
+az eventgrid namespace update \ 
+    --resource-group <resource-group-name> \ 
+    --name <namespace-name> \ 
+    --api-version 2024-12-15-preview \ 
+    --set customJwtAuthenticationSettings='{ 
+        "tokenIssuer": "issuer-name", 
+        "encodedIssuerCertificates": [
+            { 
+                "kid": "key1", 
+                "encodedCertificate": "-----BEGIN CERTIFICATE-----\n<certificate-in-PEM-format>\n-----END CERTIFICATE-----" 
+            } 
+        ] 
+    } 
+```
+
+- Replace `<resource-group-name>`, `<namespace-name>`, `<location>`, `<key-vault-name>`, `<certificate-name>`, and `<certificate-in-PEM-format>` with your actual values. 
+- The encodedCertificate value must include the full certificate in PEM format, including headers ( `"-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE----`). 
+- Ensure the public key certificate provided is valid and trusted by your identity provider. 
+- Regularly update the encodedIssuerCertificates if certificates are rotated or expired. 
+
+### JSON Web Token format
+
+JWT payload 
+
+Event Grid requires the following claims: `iss`, `sub`, `aud`, `exp`, `nbf`. 
+
+* `kid` is optional. If it is present, then certificate with matching `kid` is used for validation. 
+* List of standard claims that aren't used as attributes - `iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`. 
+* All claims which have correct data type (number that fits int32, string, array of strings) are used as attributes. In the example `num_attr_pos`, `num_attr_neg`, `str_attr`, `str_list_attr` claims have correct data types and are used as attributes. 
+* In the example `bool_attr`, `num_attr_to_big`, `num_attr_float`, `obj_attr` claims have incorrect data types and aren't be used as attributes. 
+
+ 
+```json
+{ 
+  "typ": "JWT", 
+  "alg": "RS256", 
+  "kid": "keyId1" 
+}.{ 
+  "iss": "some-issuer", 
+  "sub": "device1", 
+  "aud": "event-grid-namespace.ts.eventgrid.azure.net", 
+  "exp": 1770426501, 
+  "nbf": 1738886901, 
+  "bool_attr": true, 
+  "num_attr_pos": 1, 
+  "num_attr_neg": -1, 
+  "num_attr_to_big": 9223372036854775807, 
+  "num_attr_float": 1.23, 
+  "str_attr": "str_value", 
+  "str_list_attr": [ 
+    "str_value_1", 
+    "str_value_2" 
+  ], 
+  "obj_attr": { 
+      "key": "value" 
+  } 
+} 
+```
+
+
 ## Related content
 - [MQTT client authentication](mqtt-client-authentication.md)
 - [Authenticate client using custom JWT](mqtt-client-custom-jwt.md)
diff --git a/articles/event-grid/mqtt-client-authentication.md b/articles/event-grid/mqtt-client-authentication.md
@@ -15,19 +15,21 @@ Azure Event Grid's MQTT broker supports the following authentication modes.
 
 - Certificate-based authentication
 - Microsoft Entra ID authentication
-- Custom JWT authentication
+- OAuth 2.0 (JSON Web Token) authentication 
 
 ## Certificate-based authentication
 You can use Certificate Authority (CA) signed certificates or self-signed certificates to authenticate clients. For more information, see [MQTT Client authentication using certificates](mqtt-client-certificate-authentication.md).
 
 ## Microsoft Entra ID authentication
 You can authenticate MQTT clients with Microsoft Entra JWT to connect to Event Grid namespace. You can use Azure role-based access control (Azure RBAC) to enable MQTT clients, with Microsoft Entra identity, to publish or subscribe access to specific topic spaces. For more information, see [Microsoft Entra JWT authentication and Azure RBAC authorization to publish or subscribe MQTT messages](mqtt-client-microsoft-entra-token-and-rbac.md). 
 
-## Custom JWT authentication
-You can authenticate MQTT clients  using JSON Web Tokens (JWT) issued by any third-party OpenID Connect (OIDC) identity provider. This authentication method provides a lightweight, secure, and flexible option for MQTT clients that aren't provisioned in Azure. For more information, see [authenticate client using custom JWT](mqtt-client-custom-jwt.md)
+## OAuth 2.0 JWT authentication 
+You can authenticate MQTT clients using JSON Web Tokens (JWT) issued by any third-party OpenID Connect (OIDC) identity provider. This authentication method provides a lightweight, secure, and flexible option for MQTT clients that aren't provisioned in Azure. For more information, see [Authenticate client using OAuth 2.0 JWT](mqtt-client-custom-jwt.md). 
+
+
 
 ## Related content
 - Learn how to [authenticate clients using certificate chain](mqtt-certificate-chain-client-authentication.md)
 - Learn how to [authenticate client using Microsoft Entra ID token](mqtt-client-azure-ad-token-and-rbac.md)
-- Learn how to [authenticate client using custom JWT](mqtt-client-custom-jwt.md)
+- Learn how to [authenticate client using OAuth 2.0 JWT](mqtt-client-custom-jwt.md) 
 - See [Transport layer security with MQTT broker](mqtt-transport-layer-security-flow.md)
diff --git a/articles/event-grid/mqtt-client-custom-jwt.md b/articles/event-grid/mqtt-client-custom-jwt.md
@@ -1,54 +1,34 @@
 ---
-title: Custom JWT authentication
-description: Describes custom JWT authentication and authorization to publish or subscribe to MQTT messages
+title: OAuth 2.0 JWT authentication
+description: Describes OAuth 2.0 JWT authentication and authorization to publish or subscribe to MQTT messages
 ms.topic: conceptual
 ms.custom: build-2024
-ms.date: 01/27/2025
+ms.date: 04/30/2025
 author: Connected-Seth
 ms.author: seshanmugam
 ms.subservice: mqtt
 ---
 
-# Custom JWT authentication and authorization to publish or subscribe to MQTT messages
+# OAuth 2.0 JSON Web Token (JWT) authentication and authorization to publish or subscribe to MQTT messages 
 
-You can authenticate MQTT clients with Custom JWT to connect to the Event Grid namespace. You can embed and validate custom claims in the JWT to authorize publish or subscribe permissions to your Event Grid topic spaces.
+You can authenticate MQTT clients with OAuth 2.0 JWT to connect to the Event Grid namespace. You can embed and validate custom claims in the JWT to authorize publish or subscribe permissions to your Event Grid topic spaces.
 
 > [!IMPORTANT]
 > - This feature is supported only when using the MQTT v5 protocol version.
 
 ## Prerequisites
-- You need an Event Grid namespace with MQTT enabled.  Learn about [creating Event Grid namespace](/azure/event-grid/create-view-manage-namespaces#create-a-namespace)
+- You need an Event Grid namespace with MQTT enabled. Learn about [creating Event Grid namespace](/azure/event-grid/create-view-manage-namespaces#create-a-namespace)
 
 <a name='authentication-using-azure-ad-jwt'></a>
 
-## Authentication using Custom JWT
-You can use the MQTT v5 CONNECT packet to provide the Custom JWT to authenticate your client and the MQTT v5 AUTH packet to refresh the token.  
-
-> [!IMPORTANT]
-> - If you don't set the CONNECT packet's authentication method to CUSTOM-JWT, you receive an 'invalid issuer' error—even if all other configurations are correct.
-
-In the CONNECT packet, you can provide the required values in the following fields:
-
-|Field  | Value  |
-|---------|---------|
-|Authentication Method | CUSTOM-JWT |
-|Authentication Data | JWT |
-
-In the AUTH packet, you can provide the required values in the following fields:
-
-|Field | Value |
-|---------|---------|
-| Authentication Method | CUSTOM-JWT |
-| Authentication Data | JWT |
-| Authentication Reason Code | 25 |
- 
-Authenticate Reason Code with value 25 signifies reauthentication.
+## Authentication using OAuth 2.0 JWT
+You can use the MQTT v5 CONNECT packet to provide the OAuth 2.0 JWT to authenticate your client and the MQTT v5 AUTH packet to refresh the token.  
 
 > [!NOTE]
-> - Audience: 'aud' claim must be set to "https://eventgrid.azure.net/".
+> - Audience: `aud` claim must be set to `https://[namespace].ts.eventgrid.azure.net/`. 
 
 ## Access permissions
-A client using Custom JWT authentication can use client attributes and permissions to limit access to specific topics.
+A client using OAuth 2.0 JWT authentication can use client attributes and permissions to limit access to specific topics. 
 
 ## Next steps
 - See [Publish and subscribe to MQTT message using Event Grid](mqtt-publish-and-subscribe-portal.md)
diff --git a/articles/event-grid/mqtt-events-fabric.md b/articles/event-grid/mqtt-events-fabric.md
@@ -2,51 +2,41 @@
 title: Send MQTT events to Microsoft Fabric via Event Hubs
 description: Shows you how to use Event Grid to  send events from MQTT clients to Microsoft Fabric via Azure Event Hubs. 
 ms.topic: how-to
-ms.date: 02/13/2024
-author: spelluru
-ms.author: spelluru
+ms.date: 04/30/2025
+author: Connected-Seth
+ms.author: seshanmugam
 ms.subservice: mqtt
 ---
 
-# How to send MQTT events to Microsoft Fabric via Event Hubs using Azure Event Grid
-This article shows you how to use Azure Event Grid to send events from MQTT clients to Microsoft Fabric data stores via Azure Event Hubs. 
+# How to send MQTT events to Microsoft Fabric using Azure Event Grid (Preview) 
+This article shows you how to use Azure Event Grid to send events from MQTT clients to Microsoft Fabric eventstream. 
 
 ## High-level steps
 
-1. Create a namespace topic that receives events from MQTT clients.
-2. Create a subscription to the topic using Event Hubs as the destination.
-3. Create an event stream in Microsoft Fabric with the event hub as a source and a Fabric KQL database or Lakehouse as a destination. 
-
-## Event flow
-
-1. MQTT client sends events to your Event Grid namespace topic.
-2. Event subscription to the namespace topic forwards those events to your event hub. 
-3. Fabric event stream receives events from the event hub and stores them in a Fabric destination such as a KQL database or a lakehouse. 
+1. Create an Azure Event Grid  namespace.
+1. Create a namespace topic in the namespace that receives events from MQTT clients.
+1. Enable managed identity on the Event Grid namespace.  
+1. Enable MQTT and routing on the Event Grid namespace, if you want to receive Message Queuing Telemetry Transport (MQTT) data.
+1. Create an event stream in Microsoft Fabric.  
 
 ## Detailed steps
 
-1. Follow steps from the article: [Tutorial: Use namespace topics to route MQTT messages to Azure Event Hubs (Azure portal)](mqtt-routing-to-event-hubs-portal-namespace-topics.md) to:
-    1. Create an Event Grid namespace in the Azure portal.
-    1. Create a namespace topic.
-    1. Enable managed identity for the namespace.
-    1. Enable MQTT broker for the Event Grid namespace.
-    1. Create an Event Hubs namespace.
-    1. Create an event hub.
-    1. Grant Event Grid namespace the permission to send events to the event hub.
-    1. Create an event subscription to namespace topic with the event hub as the endpoint.
-    1. Configure routing for the Event Grid namespace.
+1. Follow steps from the article: [QuickStart: Publish and subscribe to MQTT messages on Event Grid Namespace with Azure portal](mqtt-publish-and-subscribe-portal.md) to:
+    1. Create Event Grid namespace in the Azure portal.
+    1. Create a namespace topic. 
+    1. Enable managed identity for the namespace. 
+    1. Enable MQTT broker for the Event Grid namespace. 
+    1. Configure routing for the Event Grid namespace. 
     1. Create clients, topic space, and permission bindings. 
-    1. Use MQTTX tool to send a few test events or messages. 
-1. In Microsoft Fabric, do these steps:
-    1. [Create a lakehouse](/fabric/onelake/create-lakehouse-onelake#create-a-lakehouse). 
-    2. [Create an event stream](/fabric/real-time-analytics/event-streams/create-manage-an-eventstream#create-an-eventstream).
-    3. [Add your event hub as an input source](/fabric/real-time-analytics/event-streams/add-manage-eventstream-sources#add-an-azure-event-hub-as-a-source).
-    4. [Add your lakehouse as a destination](/fabric/real-time-analytics/event-streams/add-manage-eventstream-destinations#add-a-lakehouse-as-a-destination). 
-1. [Publish events to the namespace topic](publish-deliver-events-with-namespace-topics.md#send-events-to-your-topic). 
+    1. Use MQTTX tool to send a few test events or messages.  
+1. In Microsoft Fabric, follow the steps from the article: [Add Azure Event Grid Namespace source to an eventstream (Preview)](add-source-azure-event-grid.md)
+    1. Create workspace in Fabric. 
+    1. Create an eventstream.
+    1. Create an Azure Event Grid namespace datasource. 
+    1. Preview Data in the eventstream.
 
 ## Next steps
-Build a Power BI report as shown in the sample: [Build a near-real-time Power BI report with the event data ingested in a lakehouse](/fabric/real-time-analytics/event-streams/transform-and-stream-real-time-events-to-lakehouse).
-
+To learn how to add other sources to an eventstream, see the following article: [Add and manage an event source in an eventstream](add-manage-eventstream-sources.md). 
 
     
 
diff --git a/articles/event-grid/oauth-json-web-token-authentication.md b/articles/event-grid/oauth-json-web-token-authentication.md
@@ -2,11 +2,9 @@
 title: Namespace authentication using JSON Web Tokens
 description: This article describes authentication of Azure Event Grid namespaces using JSON Web Tokens.
 ms.topic: how-to
-ms.custom:
-  - build-2024
-ms.date: 05/21/2024
-author: george-guirguis
-ms.author: geguirgu
+ms.date: 04/30/2025
+author: Connected-Seth
+ms.author: seshanmugam
 ---
 
 # OAuth 2.0 (JSON Web Token) authentication with Azure Event Grid namespaces
@@ -19,13 +17,13 @@ OAuth 2.0 (JSON Web Token) authentication allows clients to authenticate and con
 
 ## High-level steps 
 
-To use custom JWT authentication for namespaces, follow these steps: 
+To use OAuth 2.0 JWT authentication for namespaces, follow these steps: 
 
 1. Create a namespace and configure its subresources.
 1. Enable managed identity on your Event Grid namespace. 
-1. Create an Azure Key Vault account that hosts the CA certificate that includes your public keys. 
-1. Add role assignment in Azure Key Vault for the namespace’s managed identity. 
-1. Configure custom authentication settings on your Event Grid namespace 
+1. Configure OAuth 2.0 authentication settings on your Event Grid namespace by following these steps: 
+    1. Create an Azure **Key Vault** account that hosts the CA certificate that includes your public keys and  add role assignment in Key Vault for the namespace’s managed identity. 
+    1. Upload the Privacy-Enhanced Mail (PEM) file of your public key certificates to namespace. 
 1. Your clients can connect to the Event Grid namespace using the tokens provided by your identity provider. 
 
 
