Hello and thanks in advance for taking a look!
I am taking advantage of managed service identity (MSI) with Azure Service Bus and this is generally working great.
Some contractors have been added to the team and have been added to our directory as guest accounts. I've had a little trouble getting MSI to work for them. Here's where I'm at so far:
Visual Studio's Azure Account selection (under Tools > Options > Azure Service Authentication) doesn't let you pick the directory. At first, this was using the guest account's "just in time" directory, not ours. The SDK was throwing an exception because their token's issuer was invalid - makes sense. I got around this via the Azure CLI:

    az login --tenant "<tenant id>"
    az account set -s "<subscription id>"

After doing this, we're no longer getting the error about an invalid issuer - success! However, we're getting a new exception that the guest account is unauthorized when trying to interact with Service Bus. I can confirm that this guest account has the Azure Service Bus Data Owner role, so they should have full access. In fact, both the guest account and my account are granted this role via a common security group. Everything works fine for me (with a non-guest account) but the guest account is unauthorized. Is there some limitation with MSI and guest accounts, or is there some additional configuration I need to do?
Thanks!
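The next diagnostic step after the `az login --tenant` / `az account set` sequence above is to look at the actual access token the CLI hands to the SDK and confirm which tenant issued it, what audience it carries, and whether the security group that holds the role assignment is visible in it. The script below is an added example, not code from the original question or from Microsoft's SDK. The tenant IDs, group ID, object IDs and the sample tokens are all constructed placeholders; only `fetch_cli_token()` talks to the real Azure CLI (`az account get-access-token --resource https://servicebus.azure.net`), and it is not called unless you wire it in.

```python
import base64
import json
import subprocess

# Audience the Service Bus SDK requests a token for.
SERVICE_BUS_RESOURCE = "https://servicebus.azure.net"

# Constructed placeholder values (assumptions, not taken from the original post).
RESOURCE_TENANT = "11111111-1111-1111-1111-111111111111"   # tenant that owns the namespace
GUEST_HOME_TENANT = "22222222-2222-2222-2222-222222222222" # guest user's home tenant
ROLE_GROUP_ID = "33333333-3333-3333-3333-333333333333"     # group holding Data Owner role


def _b64url_decode(segment: str) -> bytes:
    # JWT segments strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature verification:
    this inspects a token you already obtained, it must never be used to accept one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(claims: dict, expected_tenant: str, role_group_id: str) -> list:
    """Return a list of findings; an empty list means the token looks right."""
    findings = []
    tid = claims.get("tid")
    if tid != expected_tenant:
        findings.append(f"tid is {tid}, not the resource tenant {expected_tenant}")
    iss = claims.get("iss", "")
    if expected_tenant not in iss:
        findings.append(f"issuer {iss!r} does not belong to the resource tenant")
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud != SERVICE_BUS_RESOURCE:
        findings.append(f"audience is {aud!r}, not {SERVICE_BUS_RESOURCE}")
    groups = claims.get("groups")
    if groups is None:
        # Azure AD replaces the groups claim with _claim_names when the user is
        # in more groups than fit in the token (group overage).
        if "_claim_names" in claims:
            findings.append("groups claim omitted (group overage); membership not visible in the token")
        else:
            findings.append("no groups claim; membership not visible in the token")
    elif role_group_id not in groups:
        findings.append(f"group {role_group_id} carrying the role assignment is not in the groups claim")
    return findings


def make_unsigned_token(payload: dict) -> str:
    """Build an alg=none token so the checker runs offline. Constructed sample only;
    Azure would never accept such a token."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def fetch_cli_token(resource: str = SERVICE_BUS_RESOURCE) -> str:
    """Ask the Azure CLI for the same token the SDK's CLI fallback would use."""
    out = subprocess.run(
        ["az", "account", "get-access-token", "--resource", resource,
         "--query", "accessToken", "-o", "tsv"],
        check=True, capture_output=True, text=True)
    return out.stdout.strip()


# Constructed samples: one token minted by the guest's home tenant (the
# "invalid issuer" case in the post) and one minted by the resource tenant.
HOME_TENANT_TOKEN = make_unsigned_token({
    "iss": f"https://sts.windows.net/{GUEST_HOME_TENANT}/",
    "tid": GUEST_HOME_TENANT,
    "aud": SERVICE_BUS_RESOURCE,
    "oid": "44444444-4444-4444-4444-444444444444",
    "groups": [],
})
RESOURCE_TENANT_TOKEN = make_unsigned_token({
    "iss": f"https://sts.windows.net/{RESOURCE_TENANT}/",
    "tid": RESOURCE_TENANT,
    "aud": SERVICE_BUS_RESOURCE,
    "oid": "55555555-5555-5555-5555-555555555555",
    "groups": [ROLE_GROUP_ID],
})

if __name__ == "__main__":
    # Swap HOME_TENANT_TOKEN for fetch_cli_token() after `az login --tenant <tenant id>`.
    for finding in check_token(decode_claims(HOME_TENANT_TOKEN), RESOURCE_TENANT, ROLE_GROUP_ID):
        print("finding:", finding)
```

Run it once with the constructed token to see the three findings the home-tenant case produces, then replace that token with `fetch_cli_token()` while logged in as the guest user: if `tid` and `iss` already point at your tenant but the group does not appear in `groups`, the token itself is fine and the problem lies on the role-assignment side rather than in the login.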