Azure Event Hubs connector permission requirement
Planned
Which connector?:
Azure Event Hubs
Additional details: Currently the Azure Event Hubs connector requires the manage permission at the namespace level. This is appropriate for Event Hubs managed internally but not for Event Hubs managed by a Vendor which is the situation we have.
Our Vendor has provided us with Event Hub connection information but will not allow us the manage permission at namespace level as there are Event Hubs for other clients in the same namespace.
Yevindra De Silva <yevindra.desilva@fivetran.com> recommended submitting a feature request.
Recent request discussing this with Fivetran:
Ticket 372573
https://support.fivetran.com/hc/en-us/requests/372573
-
Official comment
Hi Jess,
Microsoft Entra ID authentication to allow scoped access to Azure Event Hubs is on our roadmap. Would this option work for the vendor? We'll keep this thread updated as it gets built out.
Best,
Parmeet
-
Hi Parmeet,
How would this work? Would it require setup on the vendor side?
Thanks,
Jess
-
Hi Jess,
Similar to how our Azure Blob Storage connector supports Entra ID today, the Event Hubs connector would use an Azure AD app registration (service principal) to authenticate Fivetran rather than a connection string with namespace-level manage permissions.
Azure RBAC roles for Event Hubs can be scoped at the individual Event Hub entity level, not just the namespace. Your vendor could grant the app registration the "Azure Event Hubs Data Receiver" role scoped only to your specific Event Hub(s).
There are two models, and which applies depends on how your vendor wants to handle it:
- You create the app registration, vendor grants access: You'd create an Azure AD app registration in your own tenant and share the service principal's Object ID with your vendor. They'd then assign the Data Receiver role scoped to your Event Hub. You'd provide Fivetran the tenant ID, client ID, and client secret.
- Vendor creates and manages the app registration: If the vendor prefers to control the service principal lifecycle, they can create the app registration in their tenant and share the credentials with you.
We will share exact setup steps in our documentation when this ships.
Best,
Parmeet
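A check the receiving side can run once the vendor has made the assignment, added here as an example and not part of this thread or of Fivetran's product: it builds the entity-level scope string for the role assignment and audits role-assignment records (the shape of `az role assignment list` output; the sample records, subscription, namespace and object ID below are constructed placeholders) for anything broader than Data Receiver on your own hub.

```python
import re

# ARM resource ID of an Event Hubs namespace, optionally narrowed to one entity.
SCOPE_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.EventHub"
    r"/namespaces/(?P<ns>[^/]+)(?:/eventhubs/(?P<hub>[^/]+))?$", re.IGNORECASE)
RECEIVE_ONLY_ROLE = "Azure Event Hubs Data Receiver"

def entity_scope(subscription, resource_group, namespace, hub):
    """Scope string for `az role assignment create --scope` that limits the
    role to a single Event Hub instead of the whole namespace."""
    return (f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.EventHub/namespaces/{namespace}/eventhubs/{hub}")

def audit_assignments(assignments, principal_id, allowed_hubs):
    """Return every assignment held by principal_id that is broader than
    receive-only access to one of allowed_hubs. `assignments` mirrors the
    records of `az role assignment list --all -o json` (only principalId,
    roleDefinitionName and scope are read)."""
    allowed = {h.lower() for h in allowed_hubs}
    problems = []
    for a in assignments:
        if a["principalId"] != principal_id:
            continue
        role, scope = a["roleDefinitionName"], a["scope"]
        m = SCOPE_RE.match(scope)
        hub = m.group("hub") if m else None
        if m is None:
            problems.append(f"{role} at {scope}: broader than one namespace")
        elif hub is None:
            problems.append(f"{role} at namespace {m.group('ns')}: "
                            "namespace-level, reaches other clients' hubs")
        elif hub.lower() not in allowed:
            problems.append(f"{role} on hub {hub}: not one of ours")
        elif role != RECEIVE_ONLY_ROLE:
            problems.append(f"{role} on hub {hub}: more than receive-only")
    return problems

# Constructed sample shaped like `az role assignment list` output (placeholder IDs).
SP_OBJECT_ID = "00000000-0000-0000-0000-00000000cafe"
NS_SCOPE = ("/subscriptions/sub-placeholder/resourceGroups/rg-vendor"
            "/providers/Microsoft.EventHub/namespaces/vendor-shared-ns")
def _rec(role, scope):  # helper to keep the sample records short
    return {"principalId": SP_OBJECT_ID, "roleDefinitionName": role, "scope": scope}
SAMPLE_ASSIGNMENTS = [
    _rec(RECEIVE_ONLY_ROLE, NS_SCOPE + "/eventhubs/acme-orders"),  # what we want
    _rec(RECEIVE_ONLY_ROLE, NS_SCOPE),                             # namespace-wide
    _rec("Azure Event Hubs Data Owner", NS_SCOPE + "/eventhubs/acme-orders"),
]
```

Feed the script the real output of `az role assignment list --all -o json` and the service principal's Object ID; an empty result means the vendor granted exactly the entity-scoped Data Receiver role and nothing wider.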