Authentication modes for capturing events to destinations in Azure Event Hubs

Azure Event Hubs lets you select an authentication mode when capturing events to a destination such as an Azure Blob Storage account or an Azure Data Lake Storage Gen1 or Gen2 account of your choice. The authentication mode determines how the capture agent running in Event Hubs authenticates with the capture destination.

Prerequisites

  1. Enable a system-assigned or user-assigned managed identity by following the instructions in the article Enable a managed identity for an Event Hubs namespace. After you enable an identity for a namespace, you can use it when configuring the Capture feature for an event hub in that namespace.
  2. On the target Azure Storage or Data Lake Storage account, open the Access control (IAM) page and assign the managed identity the Storage Blob Data Contributor role. Scope the assignment to the account (or container) that receives the captured data rather than to the resource group or subscription; the capture agent only needs to write blobs to that destination.

Use managed identity to capture events

Managed identity is the preferred way to access the capture destination from your event hub, using Microsoft Entra ID based authentication and authorization instead of storage credentials held by Event Hubs.

Image showing capturing of Event Hubs data into Azure Storage or Azure Data Lake Storage using Managed Identity

You can use system-assigned or user-assigned managed identities with Event Hubs Capture destinations.

Use a system-assigned managed identity

A system-assigned managed identity is created automatically for an Azure resource, in this case an Event Hubs namespace, and shares that resource's lifecycle.

To use a system-assigned identity, the capture destination must have the required role assignment for the namespace's system-assigned identity. You can then select the System Assigned managed identity option when enabling the Capture feature on an event hub.

Image showing capturing of Event Hubs data into Azure Storage or Azure Data Lake Storage using System Assigned managed identity.

The capture agent then uses the namespace's identity to authenticate and authorize with the capture destination.

Use a user-assigned managed identity

You can create a user-assigned managed identity and use it to authenticate and authorize with the capture destination of an event hub. After the managed identity is created, assign it to the Event Hubs namespace and make sure that the capture destination has the required role assignment for that user-assigned identity.

You can then select the User Assigned managed identity option when enabling the Capture feature on an event hub and pick the user-assigned identity that the capture agent should use.

Image showing capturing of Event Hubs data into Azure Storage or Azure Data Lake Storage.

The capture agent then uses the configured user-assigned identity to authenticate and authorize with the capture destination.

Capturing events to a capture destination in a different subscription

The Event Hubs Capture feature also supports capturing data to a destination in a different subscription by using a managed identity.

Important

The Azure portal doesn't support selecting a capture destination from a different subscription. Use an ARM template for that purpose.

You can use the same ARM templates given in the guide on enabling Capture with an ARM template, specifying the corresponding managed identity. Create the role assignment on the destination account in the destination subscription; because a managed identity is bound to the Microsoft Entra tenant of the namespace, both subscriptions must belong to the same tenant.
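The following script is an added example, not code from the Event Hubs documentation, that walks the whole procedure end to end for both identity types: enable the identity on the namespace (step 1), grant it Storage Blob Data Contributor on a destination account that may live in another subscription (step 2), and enable Capture with an ARM template whose captureDescription.destination.identity block references that identity. Every resource name, subscription ID and the partition count are placeholders; the `--mi-system-assigned` and `--mi-user-assigned` options of `az eventhubs namespace update`, the `2022-10-01-preview` API version and the `identity` property shape are assumed to match your Azure CLI and the Microsoft.EventHub resource reference, so verify them against your tooling before running `sh capture.sh deploy`.

```shell
#!/bin/sh
# Added example (not from the Event Hubs docs). Placeholders below are assumptions.
NS_RG="eh-rg"                                   # resource group of the namespace
NS_NAME="contoso-ns"                            # Event Hubs namespace
EH_NAME="telemetry"                             # event hub to enable Capture on
NS_SUB="00000000-0000-0000-0000-000000000001"   # namespace subscription (placeholder)
DEST_SUB="00000000-0000-0000-0000-000000000002" # destination subscription (placeholder)
DEST_RG="storage-rg"
DEST_ACCOUNT="contosocapture"
DEST_CONTAINER="capture"
IDENTITY_TYPE="${IDENTITY_TYPE:-SystemAssigned}" # or UserAssigned
UAI_NAME="eh-capture-identity"                  # user-assigned identity name (assumed)

# Render the Microsoft.EventHub/namespaces/eventhubs resource with Capture enabled.
# $1 = SystemAssigned|UserAssigned, $2 = storage account resource ID,
# $3 = user-assigned identity resource ID (required only for UserAssigned).
render_capture_template() {
  idtype="$1"; storage_id="$2"; uai_id="${3:-}"
  case "$idtype" in
    SystemAssigned) identity_json="{ \"type\": \"SystemAssigned\" }" ;;
    UserAssigned)
      [ -n "$uai_id" ] || { echo "UserAssigned needs an identity resource ID" >&2; return 1; }
      identity_json="{ \"type\": \"UserAssigned\", \"userAssignedIdentity\": \"$uai_id\" }" ;;
    *) echo "unknown identity type: $idtype" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.EventHub/namespaces/eventhubs",
      "apiVersion": "2022-10-01-preview",
      "name": "$NS_NAME/$EH_NAME",
      "properties": {
        "partitionCount": 4,
        "captureDescription": {
          "enabled": true,
          "encoding": "Avro",
          "intervalInSeconds": 300,
          "sizeLimitInBytes": 314572800,
          "destination": {
            "name": "EventHubArchive.AzureBlockBlob",
            "identity": $identity_json,
            "properties": {
              "storageAccountResourceId": "$storage_id",
              "blobContainer": "$DEST_CONTAINER",
              "archiveNameFormat": "{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}"
            }
          }
        }
      }
    }
  ]
}
EOF
}

# Step 1: enable the identity on the namespace; prints the principal ID to authorize.
# $1 = user-assigned identity resource ID, empty for a system-assigned identity.
enable_identity() {
  if [ -z "$1" ]; then
    az eventhubs namespace update -g "$NS_RG" -n "$NS_NAME" --subscription "$NS_SUB" \
      --mi-system-assigned true >/dev/null
    az eventhubs namespace show -g "$NS_RG" -n "$NS_NAME" --subscription "$NS_SUB" \
      --query identity.principalId -o tsv
  else
    az eventhubs namespace update -g "$NS_RG" -n "$NS_NAME" --subscription "$NS_SUB" \
      --mi-user-assigned "$1" >/dev/null
    az identity show --ids "$1" --query principalId -o tsv
  fi
}

# Step 2: the role assignment is scoped to the destination account itself, which may be
# in another subscription; the caller needs Owner/User Access Administrator there.
grant_destination_role() {
  az role assignment create --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Contributor" --scope "$2" >/dev/null
}

main() {
  STORAGE_ID=$(az storage account show -g "$DEST_RG" -n "$DEST_ACCOUNT" \
    --subscription "$DEST_SUB" --query id -o tsv)
  UAI_ID=""
  if [ "$IDENTITY_TYPE" = "UserAssigned" ]; then
    UAI_ID=$(az identity create -g "$NS_RG" -n "$UAI_NAME" --subscription "$NS_SUB" --query id -o tsv)
  fi
  PRINCIPAL_ID=$(enable_identity "$UAI_ID")
  grant_destination_role "$PRINCIPAL_ID" "$STORAGE_ID"
  render_capture_template "$IDENTITY_TYPE" "$STORAGE_ID" "$UAI_ID" > capture.json
  # Deploy into the namespace's subscription; the template references the cross-subscription storage ID.
  az deployment group create -g "$NS_RG" --subscription "$NS_SUB" --template-file capture.json >/dev/null
}

if [ "${1:-}" = "deploy" ]; then main; fi
```

Run it with `IDENTITY_TYPE=UserAssigned sh capture.sh deploy` to use a user-assigned identity, or without the variable for the namespace's system-assigned identity. Role assignments can take a few minutes to propagate, so a deployment that immediately follows step 2 may need to be retried.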

Learn more about the feature and how to enable it using the Azure portal and Azure Resource Manager template: