This sample demonstrates how to authenticate the ServiceBusClient, which is the starting point for all interactions with the Service Bus client library.

The simplest way to authenticate with Service Bus is to use a connection string, which is created automatically when creating a Service Bus namespace. If you aren't familiar with connection strings in Service Bus, you may wish to follow the step-by-step guide to get a Service Bus connection string. For production scenarios, we recommend using Azure.Identity authentication as it provides role-based access control without the need to manage connection strings or shared access keys.

// Create a ServiceBusClient that will authenticate using a connection string
string connectionString = "<connection_string>";
await using var client = new ServiceBusClient(connectionString);

The Azure Identity library provides role-based access control support for authentication using Azure Active Directory.In order to leverage role-based access control for Service Bus, please refer to the role-based access control documentation. The simplest way to get started using the Azure.Identity `library is to use the DefaultAzureCredential.

// Create a ServiceBusClient that will authenticate through Active Directory
string fullyQualifiedNamespace = "yournamespace.servicebus.windows.net";
await using var client = new ServiceBusClient(fullyQualifiedNamespace, new DefaultAzureCredential());

Shared access keys for Service Bus authorization are generated when access policies are created for a Service Bus namespace. Since these keys are most often used in association with a connection string, the article providing instructions to get a Service Bus connection string is the best source of information on generating and accessing them. One of the key benefits to using a shared access key credential over a connection string is that the credential allows support for updating the key without creating a new client. In step 3 of the article, the policy that you select will be the name of your shared access key when used for credential authorization. You'll want to copy the "Primary key" rather than connection string.

var credential = new AzureNamedKeyCredential("<name>", "<key>");
await using var client = new ServiceBusClient("yournamespace.servicebus.windows.net", credential);

Shared access signatures (SAS) are recommended over shared access keys when RBAC cannot be used. A shared access signature allows for granular and time-limited access to Service Bus resources. The authoritative documentation on generating Service Bus SAS tokens can be found here.

string keyName = "<key_name>";
string key = "<key>";
string fullyQualifiedNamespace = "<yournamespace.servicebus.windows.net>";
string queueName = "<queue_name>";
using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(key));
var builder = new UriBuilder(fullyQualifiedNamespace)
{
    Scheme = "amqps",
    // scope our SAS token to the queue that is being used to adhere to the principle of least privilege
    Path = queueName
};

var url = WebUtility.UrlEncode(builder.Uri.AbsoluteUri);
var exp = DateTimeOffset.Now.AddHours(1).ToUnixTimeSeconds();
var sig = WebUtility.UrlEncode(Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(url + "\n" + exp))));

var sasToken = $"SharedAccessSignature sr={url}&sig={sig}&se={exp}&skn={keyName}";

var credential = new AzureSasCredential(sasToken);
await using var client = new ServiceBusClient(fullyQualifiedNamespace, credential);