Azure EventHub - Create 1 Service Principal per writer [OR] multiple certificates (1 per writer) over 1 Service Principal

I was wondering for my scenario what would be best. I understand that usually you want only 1 Service Principal (SP) per application. Since I didn't find any clear answer about my scenario, here are the details.

However, let's assume the following:

  • I have a small app installed at every customer I have (let's assume 100)
  • Each customer will be sending events to EventHub (send only)
  • The small app uses credentials to connect to my service in order to retrieve a key for Event Hub
  • My service connects to Azure, and when the small app requests EventHub credentials I send back either a secret or a certificate

So basically, should I:

  1. Manage 1 SP per customer?
  2. Create/manage many secrets/certificates for an SP (1 per customer, let's say)
  3. From my service, use 1 SP + 1 certificate and use it to create a new token that would then be served to my small app
    • Drawback: from my understanding, we can't invalidate the token once it's in use until it tries to reconnect

Note: Of course it's not about doing all 3 of them, only 1.

I saw the following on https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature:

If your application needs to grant access to Event Hubs resources based on user or service identities, it should implement a security token service that issues SAS tokens after an authentication and access check.

So my guess would be that option 3 is the way to go.


The most secure option is option 3: have your app generate a SAS token when the app needs it, and make its lifetime as short as possible. That way if you do need to revoke access, the maximum delay is the lifetime of the SAS token.
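The short-lived, per-writer SAS token the answer recommends, as an added example that is not code from the question, the answer or Microsoft: a minimal token service that performs the access check first and then mints a token using the Event Hubs SAS format (HMAC-SHA256 over the URL-encoded resource URI, a newline and the expiry). The namespace, hub name, policy name, key and customer list are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse

# Constructed placeholders; a real service loads the key from a secret store.
NAMESPACE = "example-ns"
EVENT_HUB = "customer-events"
KEY_NAME = "send-only-policy"   # assumed: a shared access policy with Send rights only
KEY_VALUE = "constructed-sample-key-not-a-real-secret"

# The access check: writers the token service still trusts. Removing a customer
# here stops new tokens; already-issued tokens expire after their (short) TTL.
ACTIVE_CUSTOMERS = {"customer-001", "customer-002"}

def resource_uri(namespace, event_hub):
    return f"https://{namespace}.servicebus.windows.net/{event_hub}"

def generate_sas_token(uri, key_name, key_value, ttl_seconds=300, now=None):
    """Build an Event Hubs SAS token: sig = HMAC-SHA256(key, "<encoded uri>\\n<expiry>")."""
    now = int(time.time()) if now is None else int(now)
    expiry = now + ttl_seconds
    encoded_uri = urllib.parse.quote_plus(uri)
    string_to_sign = f"{encoded_uri}\n{expiry}".encode("utf-8")
    digest = hmac.new(key_value.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    signature = urllib.parse.quote_plus(base64.b64encode(digest).decode("ascii"))
    return f"SharedAccessSignature sr={encoded_uri}&sig={signature}&se={expiry}&skn={key_name}"

def issue_token_for_writer(customer_id, ttl_seconds=300, now=None):
    """Token service entry point: authorize the writer, then mint a short-lived token.
    Returns None when the customer is not (or no longer) allowed to send."""
    if customer_id not in ACTIVE_CUSTOMERS:
        return None
    return generate_sas_token(resource_uri(NAMESPACE, EVENT_HUB), KEY_NAME, KEY_VALUE, ttl_seconds, now)

def parse_sas_token(token):
    """Split a SAS token into its fields (sr, sig, se, skn), URL-decoding the values."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SAS token")
    pairs = urllib.parse.parse_qs(token[len(prefix):], strict_parsing=True)
    return {k: v[0] for k, v in pairs.items()}

def is_token_valid(token, key_value, now=None):
    """What the receiving side effectively checks: unexpired, and signed with the policy key."""
    now = int(time.time()) if now is None else int(now)
    try:
        fields = parse_sas_token(token)
        expiry = int(fields["se"])
    except (KeyError, ValueError):
        return False
    if expiry <= now:
        return False
    expected = generate_sas_token(fields["sr"], fields["skn"], key_value, expiry - now, now)
    return hmac.compare_digest(expected, token)
```

The delay between removing a customer from the allow-list and that writer losing access is bounded by `ttl_seconds`, which is the trade-off the answer describes.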