Hello Malik, Deepankar,
Thank you for posting your question in Microsoft Q&A Forum.
Here is the clarification on using Microsoft Entra ID for MQTT authentication with Azure Event Grid.
1. Can Microsoft Entra ID be used as a valid authentication mechanism for publishing MQTT messages to Azure Event Grid via JWT (access token)?
Yes, Microsoft Entra ID can be used as a valid authentication mechanism for publishing MQTT messages to Azure Event Grid via JWT (access token). This authentication method requires the use of the MQTT v5 protocol version. When connecting, the client uses the MQTT v5 CONNECT packet to provide the Microsoft Entra JWT as authentication data. Additionally, the AUTH packet can be utilized to refresh the token as needed.
To ensure proper authentication, the audience claim (aud) in the JWT must be set to https://eventgrid.azure.net/. This is essential for the authentication process to be successful. Moreover, clients must be authorized to communicate with the Event Grid namespace, which can be accomplished by assigning the appropriate roles, such as the EventGrid TopicSpaces Publisher role, to allow clients to publish messages.
For your reference:
Microsoft Entra JWT authentication and RBAC authorization for clients with Microsoft Entra identi…
2. If yes, could you clarify the token acquisition flow and required scopes?
Yes. To acquire the token, use the OAuth 2.0 client credentials flow with Microsoft Entra ID. Send a POST request to:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Include grant_type=client_credentials, your client_id and client_secret, and set the scope to:
https://eventgrid.azure.net/.default
This scope ensures the token is valid for Event Grid. The token must have aud=https://eventgrid.azure.net/. Use this token in the MQTT v5 CONNECT packet with Authentication Method = OAUTH2-JWT. For refresh, use the MQTT v5 AUTH packet.
3. Are there specific constraints or supported client SDKs for Entra ID JWT-based MQTT authentication?
Yes, there are specific constraints and supported client SDKs for Entra ID JWT-based MQTT authentication. The authentication method requires the use of the MQTT v5 protocol version. Additionally, you can authenticate MQTT clients with Microsoft Entra JWT to connect to the Event Grid namespace and use Azure role-based access control (Azure RBAC) to manage permissions for these clients.
The supported client SDKs for publishing events to Event Grid using Entra ID JWT authentication include:
- Java SDK
- .NET SDK
- Python SDK
- JavaScript SDK
These SDKs support all authentication methods, including Microsoft Entra authentication, and provide the necessary tools to implement the authentication process effectively.
References:
Please let me know if you need any additional information or further assistance.
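The flow the answer above describes (client-credentials token request with the `.default` scope, an `aud` check, then the JWT carried as Authentication Method/Data in an MQTT v5 CONNECT and refreshed with an AUTH packet) is shown end to end below as an added example. It is not the answerer's code and not Microsoft's sample code. The packet layout follows the MQTT 5.0 specification; the client identifier, keep-alive, Clean Start flag, the `fake_token` helper (an unsigned, constructed JWT for offline use) and the tolerance for a missing trailing slash in `aud` are all assumptions of this example, not statements from the answer. `acquire_token` performs the real network POST and is only there for completeness.

```python
"""Entra ID JWT -> MQTT v5 CONNECT / AUTH for an Azure Event Grid namespace.
Added example, not code from the Q&A answer or from Microsoft."""
import base64
import json
import urllib.parse
import urllib.request

EVENTGRID_AUDIENCE = "https://eventgrid.azure.net/"        # aud the answer requires
EVENTGRID_SCOPE = "https://eventgrid.azure.net/.default"   # scope the answer requires
AUTH_METHOD = "OAUTH2-JWT"                                 # Authentication Method value

PROP_AUTH_METHOD = 0x15      # MQTT 5.0 property identifiers (Authentication Method / Data)
PROP_AUTH_DATA = 0x16
REASON_REAUTHENTICATE = 0x19  # AUTH reason code a client sends to start re-authentication


def token_request(tenant, client_id, client_secret):
    """Build (but do not send) the client-credentials POST from the answer."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": EVENTGRID_SCOPE}
    return url, form


def acquire_token(tenant, client_id, client_secret):
    """Send the POST for real; needs network access and a real app registration."""
    url, form = token_request(tenant, client_id, client_secret)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def jwt_claims(token):
    """Decode the payload WITHOUT verifying the signature. This is only a local
    sanity check before connecting; Event Grid verifies the token itself."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_ok(token):
    """True if aud is the Event Grid audience (trailing slash tolerated: assumption)."""
    aud = jwt_claims(token).get("aud", "")
    return isinstance(aud, str) and aud.rstrip("/") == EVENTGRID_AUDIENCE.rstrip("/")


def _vbi(n):
    """MQTT variable byte integer (used for remaining length and property length)."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def _utf8(s):                      # MQTT UTF-8 string: 2-byte length + bytes
    b = s.encode()
    return len(b).to_bytes(2, "big") + b


def _auth_properties(jwt):         # the two properties the answer says to set
    return (bytes([PROP_AUTH_METHOD]) + _utf8(AUTH_METHOD)
            + bytes([PROP_AUTH_DATA]) + _utf8(jwt))   # binary data has the same 2-byte length prefix


def build_connect(client_id, jwt, keep_alive=60):
    """MQTT v5 CONNECT: protocol level 5, Clean Start, auth properties, client id payload."""
    props = _auth_properties(jwt)
    variable = (_utf8("MQTT") + bytes([5, 0x02]) + keep_alive.to_bytes(2, "big")
                + _vbi(len(props)) + props)
    body = variable + _utf8(client_id)
    return bytes([0x10]) + _vbi(len(body)) + body


def build_reauth(jwt):
    """MQTT v5 AUTH packet carrying a fresh JWT (token refresh without reconnecting)."""
    props = _auth_properties(jwt)
    body = bytes([REASON_REAUTHENTICATE]) + _vbi(len(props)) + props
    return bytes([0xF0]) + _vbi(len(body)) + body


def _read_vbi(buf, i):
    value, mult = 0, 1
    while True:
        b, i = buf[i], i + 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, i
        mult *= 128


def auth_properties(packet):
    """Read Authentication Method/Data back out of a CONNECT or AUTH packet built above.
    Only the two length-prefixed auth properties are parsed (assumption of this demo)."""
    ptype = packet[0] >> 4
    _, i = _read_vbi(packet, 1)
    if ptype == 1:        # CONNECT: skip "MQTT", level, flags, keep alive
        i += 6 + 1 + 1 + 2
    elif ptype == 15:     # AUTH: skip reason code
        i += 1
    else:
        raise ValueError("not a CONNECT or AUTH packet")
    plen, i = _read_vbi(packet, i)
    props, end = {}, i + plen
    while i < end:
        pid, n = packet[i], int.from_bytes(packet[i + 1:i + 3], "big")
        props[pid], i = packet[i + 3:i + 3 + n], i + 3 + n
    return props[PROP_AUTH_METHOD].decode(), props[PROP_AUTH_DATA].decode()


def fake_token(aud):
    """Constructed, UNSIGNED sample JWT for offline runs; not a real Entra token."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg({"aud": aud}), "sig"])
```

In practice you would pass the same two values (`OAUTH2-JWT` and the token bytes) to your MQTT v5 client library's CONNECT properties rather than writing raw packets, and re-send them in an AUTH packet before the token's `exp`; the raw encoding is shown so the on-the-wire shape of what the answer describes is unambiguous.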