azure-eventhub

Authenticate more than 12 Azure Event Hub publishers?
We are currently developing a cloud solution that would require 2000+ clients to publish events (1-2 per second) into an Event Hub. We built a prototype that gives each client a Shared access policy (Authorization Rule), and creates a SAS token with a publisher policy as defined here

We thus are able to identify the publisher of each event by inspecting the x-opt-publisher system property, and to revoke access to the Event Hub for each client at any time, without having to resort to token expiry and renewal.

However, we recently learned that the maximum number of SAPs / Authorization rules is 12, so this solution ultimately will not work.

Is there another solution to this problem? Our goals are:

  • Avoid having to use token refresh, as this would require adding code to all clients.
  • Being able to revoke access to the Event Hub instantly in case a client either gets compromised, misbehaves, malfunctions due to a bug, or the associated customer's contract is terminated
  • Avoid having to use a frontend service authenticating the clients, as we are talking about a substantial additional system load (5000 requests per second)
  • Avoid having to use IoT hub, as the costs are far higher than with our solution, and we do not need all that functionality

Thanks in advance


Solution

  • You don't need to create a dedicated SAS policy for each device or publisher. Please note that a publisher should only own a token signed for itself and should not be able to access the SAS policy key.

    Feel free to check the publisher policy document here for more details.
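Added example to illustrate the answer's point (this is not code from the answer, nor from the Azure SDK): one Send policy key stays on the server, and each client receives only a SAS token whose resource URI is scoped to its own publisher endpoint (`.../publishers/<publisherId>`). The signing format follows the documented Event Hubs / Service Bus SAS scheme (HMAC-SHA256 over the URL-encoded resource URI and expiry). The namespace, hub, policy name and key are constructed placeholders, and `verify_sas_token` is an illustrative re-implementation of the server-side check, added here to show why a token issued for one publisher cannot be re-pointed at another: the publisher id is inside the signed string.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed sample values; none of these are real Azure resources or secrets.
NAMESPACE = "contoso-ns"      # hypothetical Event Hubs namespace
EVENT_HUB = "telemetry"       # hypothetical event hub name
POLICY_NAME = "send-policy"   # the one shared access policy (Send rights) the server holds
POLICY_KEY = "c29tZS1yYW5kb20ta2V5LWJ5dGVzLWZvci1kZW1vLW9ubHk="  # constructed, not a real key


def publisher_uri(namespace: str, event_hub: str, publisher_id: str) -> str:
    """Resource URI that confines a token to a single publisher endpoint."""
    return f"sb://{namespace}.servicebus.windows.net/{event_hub}/publishers/{publisher_id}"


def _sign(encoded_uri: str, expiry: int, key: str) -> str:
    """HMAC-SHA256 over '<url-encoded uri>\\n<expiry>', base64-encoded (documented SAS scheme)."""
    string_to_sign = f"{encoded_uri}\n{expiry}"
    digest = hmac.new(key.encode("utf-8"), string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def generate_sas_token(uri: str, key_name: str, key: str, expiry: int) -> str:
    """Build a SAS token; only this token, never `key`, is handed to the client."""
    encoded_uri = urllib.parse.quote_plus(uri)
    sig = urllib.parse.quote_plus(_sign(encoded_uri, expiry, key))
    return f"SharedAccessSignature sr={encoded_uri}&sig={sig}&se={expiry}&skn={key_name}"


def issue_token_for_publisher(publisher_id: str, expiry: int) -> str:
    """Server-side helper: one policy key, one token per publisher."""
    uri = publisher_uri(NAMESPACE, EVENT_HUB, publisher_id)
    return generate_sas_token(uri, POLICY_NAME, POLICY_KEY, expiry)


def parse_sas_token(token: str) -> dict:
    """Split 'SharedAccessSignature k=v&k=v...' into its fields (values still URL-encoded)."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SAS token")
    return dict(part.split("=", 1) for part in token[len(prefix):].split("&"))


def verify_sas_token(token: str, key: str, expected_uri: str, now: int) -> bool:
    """Illustrative check (assumption: mirrors the service's validation, not the real code).

    Rejects expired tokens, tokens for a different resource URI, and tokens whose
    signature does not match the policy key.
    """
    try:
        fields = parse_sas_token(token)
        sr, sig, se = fields["sr"], fields["sig"], int(fields["se"])
    except (ValueError, KeyError):
        return False
    if se < now:
        return False
    if urllib.parse.unquote_plus(sr) != expected_uri:
        return False
    expected_sig = _sign(sr, se, key)
    return hmac.compare_digest(urllib.parse.unquote_plus(sig), expected_sig)


if __name__ == "__main__":
    now = 1_699_999_000
    token = issue_token_for_publisher("device-001", expiry=now + 3600)
    uri_001 = publisher_uri(NAMESPACE, EVENT_HUB, "device-001")
    uri_002 = publisher_uri(NAMESPACE, EVENT_HUB, "device-002")
    print("token for device-001 valid:", verify_sas_token(token, POLICY_KEY, uri_001, now))
    # A client that rewrites the publisher id in its token fails, since the id was signed.
    tampered = token.replace("device-001", "device-002")
    print("re-pointed token accepted:", verify_sas_token(tampered, POLICY_KEY, uri_002, now))
```

The token carries the policy name (`skn`) but not the key, so a compromised client only exposes a signature bound to its own publisher URI and expiry. Tampering with `sr` or `se` invalidates the signature, and `verify_sas_token` uses `hmac.compare_digest` so the comparison does not leak timing information.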