How to create cross tenant Output with Private Endpoint from Stream Analytics Job (Cluster) to an Event Hub (namespace)?

Question

How to create cross tenant Output with Private Endpoint from Stream Analytics Job (Cluster) to an Event Hub (namespace)?

Sinipelto 0

Hello Community!

I'm currently trying to set up an Event Hub (on a namespace) output which exists in another Tenant, and Directory (and of course, Subscription) for a Stream Analytics Job within a Stream Analytics Cluster.

I have verified that the output works when using the public endpoint over internet using the Event Hub connection string and access key. This works perfectly.

However, I would need to set up a private connection instead for lower latency and increased security.

I have configured a managed private endpoint for the Event Hub namespace in the Stream Analytics Cluster, which seems to have completed configuration and configured the output for the ASA job using the Managed System Identity since the Connection String doesn't seem to work in this scenario.

I have then disabled the public access to the event hub. But the Output Connection Test gives me now a "grant access denied" error.

So, the Event Hub Data Writer/Owner permission needs to be granted to the System Identity of the Stream Analytics cluster and job for the different tenant where the Event Hub is, which is not possible directly using the ASA resource GUIDs with the Role Access Management in the portal.

How should I proceed with this?

J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-03-19T17:45:40.4866667+00:00

Hi @Sinipelto

In cross-tenant scenarios where Managed Identity (MSI) cannot be directly assigned permissions, the best approach is to use a Service Principal (Azure AD Application) for authentication. This method allows Stream Analytics to authenticate securely across tenants while maintaining private connectivity.

You need to register an Azure AD Application (Service Principal) in the ASA Cluster’s tenant.
Once the application is created under New Registration. Note down the Application (Client) ID, Directory (Tenant) ID, and the generated Client Secret, as these will be required for authentication in ASA.
Please refer this Microsoft Doc:
https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate%2Cexpose-a-web-api

Next, switch to the Event Hub’s tenant and grant access to the Service Principal. Please find the registered Service Principal, and assign it the "Azure Event Hubs Data Sender" role at the Event Hub namespace level. This ensures that the ASA job can publish messages to the Event Hub. If needed, admin consent must be granted to allow cross-tenant access.
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

In the ASA Job’s output configuration, choose Service Principal Authentication and enter the Tenant ID, Client ID, and Client Secret. This allows ASA to authenticate and send data securely. Ensure that the Private Endpoint is approved and DNS resolution works for connectivity. Once configured, run the Test Connection to verify successful setup.

I hope this information helps. Please do let us know if you have any further queries.

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

Thank you.
Sinipelto 0 Reputation points

2025-03-20T11:10:09.5433333+00:00

Thank you for the great explanation! What shall be the registered Application Redirect URI in this case? How would that be formed? EDIT: It seems that the redirect URI is not needed as there is no manual user-oriented authentication flows included in this scenario.
Sinipelto 0 Reputation points

2025-03-20T12:00:50.8533333+00:00

You mentioned this line "If needed, admin consent must be granted to allow cross-tenant access." can you elaborate a bit more, where should the admin consent be given and how? Thank you in advance!
J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-03-20T13:51:00.7966667+00:00

@Sinipelto
You're absolutely right that, In the context of service principals and non-interactive authentication flows, such as the one you're implementing between Azure Stream Analytics and Event Hubs, redirect URIs are not necessary. The authentication is handled programmatically using client credentials (Client ID and Client Secret), and no user intervention is required.

When dealing with cross-tenant scenarios, especially where a service principal from one Azure AD tenant needs to access resources in another tenant, admin consent is crucial. This consent ensures that the application (service principal) has the necessary permissions to access the required resources in the target tenant.

Please refer the below Microsoft docs it will help you grant the admin consent for cross-tenant access
https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal
https://learn.microsoft.com/en-us/entra/identity-platform/howto-convert-app-to-be-multi-tenant

If you assign the Service Principal the "Azure Event Hubs Data Sender" role at the Event Hub namespace level, admin consent isn’t required. This is because it's a standard Azure RBAC role assignment, and no tenant-wide permissions are involved.

I hope this information helps. Please do let us know if you have any further queries.
Sinipelto 0 Reputation points

2025-03-20T16:37:58.15+00:00

Once again Thank You for the really helpful guidance!

Im almost there, but Im still struggling how to configure the ASA job to use the Registered Application for accessing the Event Hub.

When creating an output for the ASA job, you can choose between two options for authentication: Connection String or Managed Identity: System Assigned (or User-Assigned identity if you selected it for ASA job Identity mode).

There is no specific option for "Service Principal" authentication, at least in the Azure Portal.

For example, how can you link the System Assigned Identity to the Registered Application so that I can permit the System Assigned Identity in the other Tenant to access the Event Hub Namespace?

Thank you in advance!
Rakesh Govindula 965 Reputation points Microsoft External Staff

2025-03-26T07:22:06.7666667+00:00

@Sinipelto, Since Managed Identities (MSI) don't work across tenants, use an Azure AD App Registration in the Event Hub tenant. Register an app, assign it the Event Hubs Data Sender role, and generate a client secret. In the Stream Analytics Cluster (ASC) tenant, configure the ASA job output using Azure AD App authentication with the app's Client ID, Tenant ID, and Secret. Ensure the private endpoint is correctly set up with DNS resolution. This allows secure, private, cross-tenant Event Hub access for your Stream Analytics Job.

Hope this helps!

1 answer

Your answer

J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-03-19T17:45:40.4866667+00:00

Hi @Sinipelto

In cross-tenant scenarios where Managed Identity (MSI) cannot be directly assigned permissions, the best approach is to use a Service Principal (Azure AD Application) for authentication. This method allows Stream Analytics to authenticate securely across tenants while maintaining private connectivity.

You need to register an Azure AD Application (Service Principal) in the ASA Cluster’s tenant.
Once the application is created under New Registration. Note down the Application (Client) ID, Directory (Tenant) ID, and the generated Client Secret, as these will be required for authentication in ASA.
Please refer this Microsoft Doc:
https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate%2Cexpose-a-web-api

Next, switch to the Event Hub’s tenant and grant access to the Service Principal. Please find the registered Service Principal, and assign it the "Azure Event Hubs Data Sender" role at the Event Hub namespace level. This ensures that the ASA job can publish messages to the Event Hub. If needed, admin consent must be granted to allow cross-tenant access.
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

In the ASA Job’s output configuration, choose Service Principal Authentication and enter the Tenant ID, Client ID, and Client Secret. This allows ASA to authenticate and send data securely. Ensure that the Private Endpoint is approved and DNS resolution works for connectivity. Once configured, run the Test Connection to verify successful setup.

I hope this information helps. Please do let us know if you have any further queries.

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

Thank you.
Sinipelto 0 Reputation points

2025-03-20T11:10:09.5433333+00:00

Thank you for the great explanation! What shall be the registered Application Redirect URI in this case? How would that be formed? EDIT: It seems that the redirect URI is not needed as there is no manual user-oriented authentication flows included in this scenario.
Sinipelto 0 Reputation points

2025-03-20T12:00:50.8533333+00:00

You mentioned this line "If needed, admin consent must be granted to allow cross-tenant access." can you elaborate a bit more, where should the admin consent be given and how? Thank you in advance!
J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-03-20T13:51:00.7966667+00:00

@Sinipelto
You're absolutely right that, In the context of service principals and non-interactive authentication flows, such as the one you're implementing between Azure Stream Analytics and Event Hubs, redirect URIs are not necessary. The authentication is handled programmatically using client credentials (Client ID and Client Secret), and no user intervention is required.

When dealing with cross-tenant scenarios, especially where a service principal from one Azure AD tenant needs to access resources in another tenant, admin consent is crucial. This consent ensures that the application (service principal) has the necessary permissions to access the required resources in the target tenant.

Please refer the below Microsoft docs it will help you grant the admin consent for cross-tenant access
https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal
https://learn.microsoft.com/en-us/entra/identity-platform/howto-convert-app-to-be-multi-tenant

If you assign the Service Principal the "Azure Event Hubs Data Sender" role at the Event Hub namespace level, admin consent isn’t required. This is because it's a standard Azure RBAC role assignment, and no tenant-wide permissions are involved.

I hope this information helps. Please do let us know if you have any further queries.
Sinipelto 0 Reputation points

2025-03-20T16:37:58.15+00:00

Once again Thank You for the really helpful guidance!

Im almost there, but Im still struggling how to configure the ASA job to use the Registered Application for accessing the Event Hub.

When creating an output for the ASA job, you can choose between two options for authentication: Connection String or Managed Identity: System Assigned (or User-Assigned identity if you selected it for ASA job Identity mode).

There is no specific option for "Service Principal" authentication, at least in the Azure Portal.

For example, how can you link the System Assigned Identity to the Registered Application so that I can permit the System Assigned Identity in the other Tenant to access the Event Hub Namespace?

Thank you in advance!
Rakesh Govindula 965 Reputation points Microsoft External Staff

2025-03-26T07:22:06.7666667+00:00

@Sinipelto, Since Managed Identities (MSI) don't work across tenants, use an Azure AD App Registration in the Event Hub tenant. Register an app, assign it the Event Hubs Data Sender role, and generate a client secret. In the Stream Analytics Cluster (ASC) tenant, configure the ASA job output using Azure AD App authentication with the app's Client ID, Tenant ID, and Secret. Ensure the private endpoint is correctly set up with DNS resolution. This allows secure, private, cross-tenant Event Hub access for your Stream Analytics Job.

Hope this helps!

Answer 1

J N S S Kasyap 1,715 Microsoft External Staff

@Sinipelto
A System Assigned Managed Identity (MSI) is restricted to its home Azure AD tenant and cannot be granted permissions in another tenant directly. Since Azure RBAC does not support cross-tenant role assignments for MSIs, they cannot be used to access resources in a different tenant.

Cross-tenant access requires authentication using a Service Principal, as MSI cannot be assigned cross-tenant permissions. Since Azure Stream Analytics (ASA) does not directly support Service Principal authentication in the portal, a User-Assigned Managed Identity (UAMI) can be used as a bridge to authenticate with the Event Hub in the other tenant.

The ASA job cannot directly use a Service Principal for authentication in the portal. Please follow the below steps:

Register a Service Principal (App Registration) in the ASA tenant and generate a Client Secret.
Assign the Service Principal the "Azure Event Hubs Data Sender" role in the Event Hub tenant.
Use a User-Assigned Managed Identity (UAMI) in ASA and link it to the Service Principal. The ASA job should be configured to authenticate using the UAMI, which in turn uses the Service Principal’s credentials
Configure the ASA job output to use the UAMI, ensuring Private Endpoint connectivity.

Please refer the Microsoft Docs for reference:
https://learn.microsoft.com/en-us/azure/stream-analytics/event-hubs-managed-identity
https://learn.microsoft.com/en-us/azure/event-grid/cross-tenant-delivery-using-managed-identity

Hope this helps. Do let us know if you any further queries. I'm happy to help further.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-03-22T01:36:58.8433333+00:00
@Sinipelto
The key point is that the UAI (User-Assigned Identity) will authenticate the ASA job, and you need to give this UAI the appropriate RBAC permissions on the Event Hub in the other tenant. You don't link the UAI to the App Registration directly; instead, you give the UAI access to the Event Hub's resources by assigning it a role at the Event Hub level.

Since the Event Hub is in a different tenant, you'll assign the Azure Event Hubs Data Sender role to the UAI in the Event Hub tenant. This allows the UAI to publish data to the Event Hub.

Azure CLI to Assign the Role for Example:
use Azure CLI to get the resource ID of your UAI

az identity show --name <your-uai-name> --resource-group <your-resource-group> --query id --output tsv

You will then assign the Azure Event Hubs Data Sender role to this UAI at the Event Hub namespace level.

az role assignment create --assignee <UAI-resource-id> --role "Azure Event Hubs Data Sender" --scope /subscriptions/<EventHub-subscription-id>/resourceGroups/<EventHub-resource-group>/providers/Microsoft.EventHub/namespaces/<EventHub-namespace-name>

The UAI doesn’t need to be explicitly linked to the App Registration (Service Principal). The UAI will authenticate and use the role permissions directly to send data to the Event Hub. The role assignment is what matters here, not direct linkage to the App Registration.

After assigning the correct role to the UAI, return to the ASA job output configuration and test the connection again. It should now authenticate correctly and send data to the Event Hub via the private endpoint.

I hope this information helps. Please do let us know if you have any further queries.
J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-03-24T02:35:02.3466667+00:00

@Sinipelto
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Sinipelto 0 Reputation points

2025-03-24T11:04:48.5133333+00:00

I was not able to make this work using the UAMI.

Since the UAMI cannot be used cross-tenant, it simply does not work and you would need to utilize the registered application somehow because this is a cross-tenant resource-access scenario.

As stated here: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq
"Can I use a managed identity to access a resource in a different directory/tenant?

No, managed identities don't currently support cross-directory scenarios."

Share via

How to create cross tenant Output with Private Endpoint from Stream Analytics Job (Cluster) to an Event Hub (namespace)?

1 answer

Your answer