Azure Event Grid's MQTT broker supports the following authentication modes.
- Certificate-based authentication
- Microsoft Entra ID authentication
- OAuth 2.0 (JSON Web Token) authentication
- Custom webhook authentication
Certificate-based authentication
You can use Certificate Authority (CA) signed certificates or self-signed certificates to authenticate clients. For more information, see MQTT Client authentication using certificates.
Microsoft Entra ID authentication
You can authenticate MQTT clients with a Microsoft Entra JWT to connect to an Event Grid namespace. You can use Azure role-based access control (Azure RBAC) to grant MQTT clients that have a Microsoft Entra identity publish or subscribe access to specific topic spaces. For more information, see Microsoft Entra JWT authentication and Azure RBAC authorization to publish or subscribe MQTT messages.
OAuth 2.0 JWT authentication
You can authenticate MQTT clients using JSON Web Tokens (JWT) issued by any third-party OpenID Connect (OIDC) identity provider. This authentication method provides a lightweight, secure, and flexible option for MQTT clients that aren't provisioned in Azure. For more information, see Authenticate client using OAuth 2.0 JWT.
Custom webhook authentication
Webhook authentication allows external HTTP endpoints (webhooks or functions) to authenticate MQTT connections dynamically. This method uses Microsoft Entra ID JSON Web Token (JWT) validation to ensure secure access. When a device or client attempts to connect, Event Grid transmits the relevant connection details to the configured webhook. The webhook evaluates the authentication request and returns a response that determines whether the connection is permitted. The webhook can also enrich the response with metadata that Event Grid uses to authorize subsequent MQTT packets, which gives fine-grained control over actions such as topic access and message publishing. This approach enables integration with custom authentication systems, identity providers, and enterprise security policies.
Related content
- Learn how to authenticate clients using certificate chain
- Learn how to authenticate client using Microsoft Entra ID token
- Learn how to authenticate client using OAuth 2.0 JWT
- See Transport layer security with MQTT broker