Upcoming Changes To ACS Enabled Namespaces

  • Article

UPDATE: Access Control Service will be deprecated on November 7, 2018. Creation of new Access Control Service namespaces will be stopped on May 1, 2018. This includes previously whitelisted user Subscription IDs. For additional information please take a look at this blog post.

To Azure Service Bus, Event Hubs and Relay customers,

We want to make sure you are aware of upcoming changes announced in this blog post for Access Control Service (ACS) namespaces.  On June 30, 2017 creating new ACS namespaces will be restricted.

How will this affect my Service Bus, Event Hubs or Relay ACS namespaces?

ACS Namespaces you create before June 30, 2017 will not be affected and will be fully supported, however, attempts to create new ACS enabled Service Bus, Event Hubs, or Relay namespaces using PowerShell, ARM templates, and our APIs after June 30 will fail.

Examples of the error message you will get:

 

RDFE PowerShell

New-AzureSBNamespace : <entryxmlns="https://www.w3.org/2005/Atom"><id>uuid:68cd2f44-a78d-474c-bfc6-3c704f27d13b;id=707</id><titletype="text"></title><updated>2017-07-17T18:55:28Z</updated><content type="application/xml"><Errorxmlns=""><Code>400</Code><Detail>Creating an ACS enabled Service Bus namespace failed for the subscription 023a1151b64c42f6a2f4c1c458c7e168. For additional details refer to https://go.microsoft.com/fwlink/?linkid=852159&amp;clcid=0x409.</Detail></Error></content></entry>At line:1 char:1

 

RDFE .Net Client

Inner exception will have the below trace

{"<entry xmlns=\"https://www.w3.org/2005/Atom\"><id>uuid:70bbec84-3a94-47b6-99dd-983df837f1ba;id=3702459</id><title type=\"text\"></title><updated>2017-07-17T20:25:49Z</updated><content type=\"application/xml\"><Error xmlns=\"\"><Code>400</Code><Detail> Creating an ACS enabled Service Bus namespace failed for the subscription 023a1151b64c42f6a2f4c1c458c7e168. For additional details refer to https://go.microsoft.com/fwlink/?linkid=852159&amp;clcid=0x409.</ Detail></Error></content></entry>"}

 

Here are some samples to help you if you would like to create Service Bus namespaces without enabling ACS using RDFE or ARM clients.

RDFE client namespace creation (Using Microsoft.WindowsAzure.Management.ServiceBus.dll)

RDFE namespace creation code

 

ARM client namespace creation (Using  Microsoft.Azure.Management.ServiceBus.dll version < 1.0.0)

ARM namespace creation code

 

Recommended version for creating Service Bus namespaces

ARM client namespace creation (Using  Microsoft.Azure.Management.ServiceBus.dll version >= 1.0.0)

This version doesn’t support ACS namespace creation and it defaults to false. ARM v >=1Create namespace

 

If ACS support is vital for your business and you need to create ACS namespaces after this date please contact Azure Customer Support by opening a technical support ticket for options.  You will need to provide the subscription ID or IDs that you use for creating ACS namespaces to the support engineer that assists you.  Going forward please think about using Shared Access Signature (SAS) keys instead.

The Future of Access and Identity Management for Azure Service Bus, Event Hubs, and Relay

If you are using ACS please switch to SAS or if you are using SAS today continue to use it.  We are also actively working on Azure Active Directory (Azure AD) support.  If you would like to stay updated on Azure AD support on Service Bus, Event Hubs or Relay and be a part of a private preview in the future to test it out, please join Azure Advisors on Yammer and become a member of our group Service Bus Advisors.  Once there you can interact with other members of the community and the product team.

Happy Messaging and Data Streaming,

The Azure Service Bus, Event Hubs, and Relay team

--Relay out--