Azure Service Bus managed identity in Visual Studio returning 401 - Token issuer is invalid

Question

I'm attempting to access Azure Service Bus using a managed identity from my code. At the moment I'm just trying this locally.

When I debug my code I get the following error

System.UnauthorizedAccessException: Put token failed. status-code: 401, status-description: InvalidIssuer: Token issuer is invalid

Here is my service bus instance

Here is my user with Azure Service Bus Data Owner permissions

And here is my code

_client = new ServiceBusClient("oconnorevents.servicebus.windows.net", new DefaultAzureCredential());

I am logged into Visual Studio as the same user added to the service bus. I also tried logging in via the CLI but it didn't help.

Where am I going wrong here?

I've looked at this similar recent question here but the solutions proposed didn't work for me.

Answer 1

If you use DefaultAzureCredential to auth, it will try several credential types to auth as mentioned here, one of them is VisualStudioCredential, but it will auth to the home AAD tenant of the user logged in VS, in your case, I suppose the service bus is in a subscription which is not under the home tenant of the user.

I can also reproduce your issue on my side.

To solve the issue, just use VisualStudioCredential directly, then simply specify the TenantId via VisualStudioCredentialOptions, then it will work fine.

Sample:

To find the TenantId, just navigate to the Azure Active Directory which the subscription of your service bus located.

TokenCredential tokenCredential = new VisualStudioCredential(new VisualStudioCredentialOptions {TenantId = "xxxxxxx" });
ServiceBusClient client = new ServiceBusClient("xxx.servicebus.windows.net", tokenCredential);