Clients access Service Bus resources by presenting an access token. The token specifies the URI to be accessed and the token's expiry time.
Clients can be authenticated for access to the Service Bus in one of two ways:
While creating a Service Bus Queue using the Azure portal, the only available authentication option is SAS. To use ACS, you will need to use the following Azure PowerShell command to create the namespace and associated ACS artifacts:
New-AzureSBNamespace <namespaceName> "<Region>" -CreateACSNamespace $true
More information on this can be found at: https://msdn.microsoft.com/en-us/library/azure/dn170478.aspx.
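The access token described at the start of this section, in its SAS form, is an HMAC-SHA256 signature over the URL-encoded resource URI and the expiry time. The following is an added example, not code from the original text: it builds such a token and runs an illustrative receiver-side check (not the service's own implementation) showing why changing the expiry or using the token on another entity fails. The namespace, key name, and key in the usage are constructed values.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote_plus, unquote_plus

PREFIX = "SharedAccessSignature "

def _sign(key, encoded_uri, expiry):
    # The signature covers exactly two fields: encoded URI and expiry.
    msg = (encoded_uri + "\n" + expiry).encode("utf-8")
    return hmac.new(key.encode("utf-8"), msg, hashlib.sha256).digest()

def make_sas_token(resource_uri, key_name, key, ttl_seconds, now=None):
    """Build a SAS token scoped to resource_uri, valid for ttl_seconds."""
    start = int(time.time() if now is None else now)
    expiry = str(start + ttl_seconds)
    encoded_uri = quote_plus(resource_uri)
    sig = base64.b64encode(_sign(key, encoded_uri, expiry)).decode("ascii")
    return "{}sr={}&sig={}&se={}&skn={}".format(
        PREFIX, encoded_uri, quote_plus(sig), expiry, key_name)

def check_sas_token(token, key, requested_uri, now=None):
    """Illustrative check: returns (ok, reason) for a presented token."""
    now = int(time.time() if now is None else now)
    if not token.startswith(PREFIX):
        return False, "not a SAS token"
    parts = token[len(PREFIX):].split("&")
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    if not {"sr", "sig", "se"} <= fields.keys() or not fields["se"].isdigit():
        return False, "malformed token"
    try:
        presented = base64.b64decode(unquote_plus(fields["sig"]))
    except ValueError:
        return False, "malformed token"
    expected = _sign(key, fields["sr"], fields["se"])
    # Constant-time comparison; any edit to sr or se changes the expected value.
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    if int(fields["se"]) <= now:
        return False, "expired"
    scope = unquote_plus(fields["sr"]).rstrip("/")
    target = requested_uri.rstrip("/")
    # The token covers the signed URI and paths below it, nothing else.
    if target != scope and not target.startswith(scope + "/"):
        return False, "outside token scope"
    return True, "ok"

if __name__ == "__main__":
    uri = "https://example-ns.servicebus.windows.net/orders"  # constructed
    tok = make_sas_token(uri, "listen-policy", "constructed-key", 300)
    print(tok)
    print(check_sas_token(tok, "constructed-key", uri + "/messages/head"))
```

Keeping the lifetime short and signing the narrowest URI the client needs limits what a leaked token can be used for.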
Service Bus provides the following three types of access rights that can be assigned to shared access policies:
When setting up subscriptions (which will be explained in the upcoming sections), you cannot implement authorization policies on the subscription queue, only on the topic itself. To work around this limitation, you can provision a Service Bus queue for each subscription and then set authorization policies on these queues.
Using the auto-forwarding feature on a queue or subscription, you set the ForwardTo property to the other queue that has the authorization policies applied. When a message arrives in the subscription queue, it will be automatically forwarded to the queue defined in the ForwardTo property. Only consumers with the Listen policy will then be allowed to read the messages.