Change to Azure Service Bus Portal: Default Authentication Mechanism for Service Bus Namespaces now SAS

  • Article

What are we changing

A change has been made to the user experience in the Azure portal for Service Bus namespace creation.  When creating a Service Bus namespace in the Azure portal only SAS authentication will be enabled by default.  The accompanying ACS namespace will no longer be created and paired to the Service Bus namespace. 

 

Why did we change it

The vast majority of our customers only use ACS for the access key functionality, not for identity federation. SAS provides better capabilities and higher scale for these use cases so we have decided to make it our default in the portal experience. This simplifies our customer experience for the majority of use cases.

 

How does this impact customers and how can you use ACS

Current namespaces will not be affected in any way. Customers who were dependent on ACS features such as claims and federation will also not be affected if they use automation to create their namespaces; namely PowerShell, the Azure CLI and the REST API. 

 

In order to create a new namespace in PowerShell use the cmdlet New-AzureSBNamespace

 

New-AzureSBNamespace -Name 'MyNamespace' -Location 'Central US'

 

This will create the Service Bus namespace and a paired ACS namespace.  The ACS connection string will appear in the Azure portal. 

 

In the future there will be a new optional parameter to this cmdlet which will allow you to control ACS namespace creation.  At first this cmdlet will default to creating ACS namespaces, but further in the future this default will be reversed and ACS namespaces will not be created by default. 

 

In Azure CLI, you will run:

sb namespace create ‘MyNamespace’ ‘Central US’

 

For the REST API: 

By default the ACS companion namespace will be created, unless you specified a x-ms-version header bigger than '2014-05'

 

As we continue to expand and improve our Azure messaging platform the Service Bus team will continually examine customer usage, dependencies, and impact.  Creating namespaces without a paired ACS namespace is faster and creates one less dependency for our customers.  This change streamlines the user experience for the majority of our customers today. 

 

Are we moving away from ACS?

No! ACS is still fully supported in Service Bus and will be for the foreseeable future.  As Azure Active Directory (AAD) expands to support more service federation identity scenarios we will increasingly align with the AAD service offering.