Commit f42b268

Merge pull request #294433 from spelluru/msidisable0211
MSI - RBAC - behavior
2 parents 0557add + 1307632 commit f42b268

2 files changed

+12
-3
lines changed

articles/event-hubs/authenticate-managed-identity.md

Lines changed: 5 additions & 1 deletion
@@ -2,7 +2,7 @@
22
title: Authenticate using managed identity
33
description: This article provides information about authenticating a managed identity with Microsoft Entra ID to access Azure Event Hubs resources
44
ms.topic: concept-article
5-
ms.date: 06/26/2024
5+
ms.date: 02/11/2025
66
ms.custom: subject-rbac-steps
77
#customer intent: As a developer, I want to know how to authenticate to an Azure event hub using a managed identity.
88
---
@@ -98,6 +98,10 @@ protected async void btnReceive_Click(object sender, EventArgs e)
9898
}
9999
```
100100

101+
> [!NOTE]
102+
> If the source service or app doesn't restart after the access to the event hub is disabled by removing the source's managed identity from the Event Hubs RBAC role, the source app may continue to publish events to or receiev events from the event hub until the token expires (default token validity is 24 hours). This behavior is by design.
103+
>
104+
> Therefore, after you remove the source's managed identity from the RBAC role, restart the source app or service to immediately expire the token and prevent it from sending events to or receiving events from the event hub.
101105
102106
## Event Hubs for Kafka
103107
You can use Apache Kafka applications to send messages to and receive messages from Azure Event Hubs using managed identity OAuth. See the following sample on GitHub: [Event Hubs for Kafka - send and receive messages using managed identity OAuth](https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/tutorials/oauth/java/managedidentity).
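Review bot: two points on the added note (lines 102+ and 104+). First, "receiev" is a typo for "receive". Second, the recommendation to "restart the source app or service to immediately expire the token" overstates what a restart does: the issued token remains valid until its own expiry, and the restart only discards the app's cached copy so that it must request a new token, which is then refused because the role assignment no longer exists. Suggest rewording to something like "restart the source app or service so that it discards its cached token and must acquire a new one, which will fail authorization." That keeps the second paragraph consistent with the first paragraph's statement that access continues "until the token expires (default token validity is 24 hours)", and avoids readers concluding that a restart by itself revokes the token.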

articles/service-bus-messaging/service-bus-managed-service-identity.md

Lines changed: 7 additions & 2 deletions
@@ -2,7 +2,7 @@
22
title: Managed identities for Azure resources with Service Bus
33
description: This article describes how to use managed identities to access with Azure Service Bus entities (queues, topics, and subscriptions).
44
ms.topic: article
5-
ms.date: 07/22/2024
5+
ms.date: 02/11/2025
66
---
77

88
# Authenticate a managed identity with Microsoft Entra ID to access Azure Service Bus resources
@@ -69,6 +69,11 @@ az role assignment create \
6969

7070
For more information about how built-in roles are defined, see [Understand role definitions](../role-based-access-control/role-definitions.md#control-and-data-actions). For information about creating Azure custom roles, see [Azure custom roles](../role-based-access-control/custom-roles.md).
7171

72+
> [!NOTE]
73+
> If the source service or app doesn't restart after the access to a Service Bus entity is disabled by removing the source's managed identity from the Service Bus RBAC role, the source app may continue to send/receive messages to/from the Service Bus entity until the token expires (default token validity is 24 hours). This behavior is by design.
74+
>
75+
> Therefore, after you remove the source's managed identity from the RBAC role, restart the source app or service to immediately expire the token and prevent it from sending messages to or receiving messages from the Service Bus entity.
76+
7277
## Using SDKs
7378

7479
In .NET, the [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object is initialized by using a constructor that takes a fully qualified namespace and a `TokenCredential`. The `DefaultAzureCredential` derives from `TokenCredential`, which automatically uses the managed identity configured for the app. The flow of the managed identity context to Service Bus and the authorization handshake are automatically handled by the token credential. It's a simpler model than using SAS.
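Review bot: the same wording issue as in the Event Hubs note applies to line 75+: "restart the source app or service to immediately expire the token" does not describe what happens, since the token stays valid until its expiry and the restart only forces a fresh token request that now fails authorization. Suggest the phrasing "so that it discards its cached token and must acquire a new one, which will fail authorization." Also, "send/receive messages to/from the Service Bus entity" on line 73+ reads awkwardly; the Event Hubs version of this note spells it out as "send messages to or receive messages from", and keeping the two notes word-for-word parallel (apart from the service name) will make future edits easier to apply to both.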
@@ -87,7 +92,7 @@ For complete step-by-step instructions to send and receive messages using a mana
8792
- [Python](service-bus-python-how-to-use-queues.md)
8893

8994
> [!NOTE]
90-
> The managed identity works only inside the Azure environment, on App services, Azure VMs, and scale sets. For .NET applications, the Microsoft.Azure.Services.AppAuthentication library, which is used by the Service Bus NuGet package, provides an abstraction over this protocol and supports a local development experience. This library also allows you to test your code locally on your development machine, using your user account from Visual Studio, Azure CLI 2.0 or Active Directory Integrated Authentication. For more on local development options with this library, see [Service-to-service authentication to Azure Key Vault using .NET](/dotnet/api/overview/azure/service-to-service-authentication).
95+
> The managed identity works only inside the Azure environment, on App services, Azure VMs, and scale sets. For .NET applications, the Microsoft.Azure.Services.AppAuthentication library, which is used by the Service Bus NuGet package, provides an abstraction over this protocol and supports a local development experience. This library also allows you to test your code locally on your development machine, using your user account from Visual Studio, Azure CLI 2.0, or Active Directory Integrated Authentication. For more on local development options with this library, see [Service-to-service authentication to Azure Key Vault using .NET](/dotnet/api/overview/azure/service-to-service-authentication).
9196
9297

9398
## Next steps
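Review bot: this hunk only adds the serial comma on line 95+, but since the line is being touched it is worth noting that the note still directs .NET readers to the older Microsoft.Azure.Services.AppAuthentication library for local development, while the "Using SDKs" section earlier in the same file (context line 74) tells them the ServiceBusClient takes a `TokenCredential` and that `DefaultAzureCredential` handles managed identity automatically. Consider pointing the local-development guidance at `DefaultAzureCredential` as well so the two sections of the article agree on one credential model.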
