Azure service bus role assignment time based

Pankaj Joshi 371 Reputation points
2023-03-06T16:14:36.3933333+00:00

I have created a Service Bus namespace with one queue in it. I have disabled "local authentication" from the overview for security reasons. Now I want to use Service Bus Explorer from the Azure portal to view messages in the queue/DLQ using Azure Active Directory authentication. So I want to assign a particular AD user "service bus data owner access" for a limited time only, e.g. for 2 hours only. Could you please share an Azure CLI command to achieve that?

Azure Service Bus
An Azure service that provides cloud messaging as a service and hybrid integration.
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,496 Reputation points
    2023-03-07T18:57:55.28+00:00

    Hello, az cli does not support assigning an Azure RBAC role for a limited time. You can however:

    1. Use a script. A simple sample using PowerShell follows:
       az role assignment create # extra params
       Start-Sleep -Seconds (60*60*2) # secs * mins * hours
       az role assignment delete # extra params

    2. Use Privileged Identity Management. For licensing requirements, take a look at Prerequisites. For how-to, take a look at the steps detailed in Prepare PIM for Azure roles.

    Let us know if you need additional assistance. If the answer was helpful, please accept it so that others can find a solution.
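
A fuller version of the create/sleep/delete script from the accepted answer, as an added example that is not part of the original answer: it wraps the wait in try/finally so the role is still revoked when the wait is interrupted, then checks that nothing is left. The parameter names, the 480-minute cap and the default role name (the built-in role the question refers to) are assumptions of this example.

```powershell
# Added example, not code from the original answer.
param(
    [Parameter(Mandatory)] [string] $Assignee,  # user principal name or object ID
    [Parameter(Mandatory)] [string] $Scope,     # resource ID to grant on, e.g. the namespace
    [string] $Role = 'Azure Service Bus Data Owner',  # built-in role name (assumed default)
    [ValidateRange(1, 480)] [int] $Minutes = 120      # upper bound is an arbitrary choice
)

# Grant the role; stop here if the grant itself fails.
az role assignment create --assignee $Assignee --role $Role --scope $Scope --output none
if ($LASTEXITCODE -ne 0) { throw "az role assignment create failed ($LASTEXITCODE)" }

$until = (Get-Date).AddMinutes($Minutes).ToString('yyyy-MM-dd HH:mm')
Write-Host "Granted '$Role' to $Assignee until $until (local time)"

try {
    Start-Sleep -Seconds ($Minutes * 60)
}
finally {
    # finally also runs when the wait is cancelled with Ctrl+C or throws,
    # so an interrupted session does not leave the assignment behind.
    az role assignment delete --assignee $Assignee --role $Role --scope $Scope
    $deleteFailed = $LASTEXITCODE -ne 0

    # Confirm that no matching assignment remains at this scope.
    $remaining = az role assignment list --assignee $Assignee --role $Role `
        --scope $Scope --query '[].id' --output tsv
    if ($deleteFailed -or $remaining) {
        Write-Warning "Assignment for $Assignee still present at $Scope; remove it manually."
    }
    else {
        Write-Host "Revoked '$Role' from $Assignee"
    }
}
```

If the PowerShell process itself is killed or the machine shuts down, the `finally` block never runs and the assignment stays in place until someone deletes it.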


1 additional answer

  1. Patrick Cornelißen 0 Reputation points
    2025-02-05T08:39:42.05+00:00

    You can use for example the PIM feature to assign a role for a limited time to a service principal or managed identity.

    See: https://learn.microsoft.com/en-us/azure/role-based-access-control/pim-integration

    (This requires expensive tiers for Entra ID, though)

    Also: https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview
