Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @kasun04.

Thank you for the feedback @dlindblom . We will investigate and get back to you asap.

Hi @dlindblom - Based on prior internal issues, the recommendation from the service team has been to assign the role at the namespace level, as assigning at the consumer group level does not work consistently.

We would suggest that you report this issue with the documentation by following the directions under the Feedback section at the bottom of the page.

Additional Note: It looks like you are using uamqp as the underlying AMQP stack, which is no longer supported. We highly recommend that the default pure Python AMQP stack is used, as it includes all latest bug fixes and support for new features. You can do this by removing uamqp_transport=True from arguments that are passed in during client creation.

Thanks!

Hi @dlindblom. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

Hi, Thx for feedback on AMQP Stack. But the suggestion on documentation is not suitable approach. The assignment at consumer group level have been recommended general approach by Microsoft and is working fine except for the Python SDK.
/unresolve

Hi @dlindblom - Would you be able to provide a list of other SDKs you've tested with assignment at the consumer group level that have worked?

Hi @dlindblom. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@swathipil I been informed that it works with .Net SDK

@dlindblom - Can you confirm that you are testing with the same Event Hub, consumer group, and credentials when receiving from both the Python and .NET SDKs, and .NET is consistently working while Python returns the above error?

Hi @dlindblom. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@swathipil I been informed that it works with .Net SDK

@swathipil confirmed by Microsoft engineering

Hi @dlindblom - We've gotten confirmation from the service team that permission should be granted at either the namespace level or Event Hub level. They will be updating documentation to reflect this.

Can you let us know the steps that you took to grant permission at the consumer group level?

Hi @dlindblom. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@swathipil https://learn.microsoft.com/en-us/azure/event-hubs/authorize-access-azure-active-directory#resource-scope

"Before you assign an Azure role to a security principal, determine the scope of access that the security principal should have. Best practices dictate that it's always best to grant only the narrowest possible scope.

The following list describes the levels at which you can scope access to Event Hubs resources, starting with the narrowest scope:

Consumer group: At this scope, role assignment applies only to this entity. Currently, the Azure portal doesn't support assigning an Azure role to a security principal at this level.
..."

It's mention Azure portal doesn't support assigning it at that level, and that is true from default navigation, but Microsoft dev team have advised that adding /consumergroup_name in the URL it's possible in Azure Portal as well and the navigation is pending to be fixed.
We usually deploy permissions using Graph API as Infrastructure As Code, but using the Portal for some manual assignment.

Hi @dlindblom - Thanks for the information and your patience! I was able to confirm from our side that the .NET SDK is able to receive when the role is assigned at the consumer group level. I was also able to reproduce the "Unauthorized access" error in the Python SDK. We are currently looking into this and will keep you updated.

In the meantime, would you be able to provide the steps you are taking to deploy permissions using the Graph API?

Hi @dlindblom. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

Hi @dlindblom, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@swathipil example using PowerShell:
New-AzRoleAssignment -ObjectId <objectId> -RoleDefinitionName <roleName> -Scope /subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/Microsoft.EventHub/namespaces/<eventHubNameSpace>/eventhubs/<eventhub>/consumergroups/<consumergroupName>
Using GraphAPI should be similar, using same Scope
Azure Portal can also be used if one refer to the Scope in the URI