Azure · ellismg · Jul 14, 2021 · May 25, 2021
@@ -3,8 +3,13 @@
 ## 4.4.0 (Unreleased)
 
 ### Features Added
+
 - With the dropping of support for Node.js versions that are no longer in LTS, the dependency on `@types/node` has been updated to version 12. Read our [support policy](https://github.com/Azure/azure-sdk-for-js/blob/main/SUPPORT.md) for more details.
 
+- `EventGridPublisherClient` now supports Azure Active Directory (AAD) for authentication. When constructing an `EventGridPublisherClient` you may now pass an instance
+  of a `TokenCredential` as the credential. See the readme for [`@azure/identity`](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity) to learn
+  more about using Azure Active Directory for authentication.
+
 ### Breaking Changes
 
 ### Key Bugs Fixed

@@ -110,6 +110,27 @@ const token = generateSharedAccessSignature(
 );
 ```
 
+#### Using Azure Active Directory (AAD)
+
+Azure EventGrid provides integration with Azure Active Directory (Azure AD) for identity-based authentication of requests. With Azure AD, you can use role-based access control (RBAC) to grant access to your Azure Event Grid resources to users, groups, or applications.
+
+To send events to a topic or domain with a `TokenCredential`, the authenticated identity should have the "EventGrid Data Sender" role assigned.
+
+With the `@azure/identity` package, you can seamlessly authorize requests in both development and production environments. To learn more about Azure Active Directory, see the [`@azure/identity` README](https://github.com/Azure/azure-sdk-for-js/blob/master/sdk/identity/identity/README.md).
+
+For example, use can use `DefaultAzureCredential` to construct a client which will authenticate using Azure Active Directory:
+
+```js
+const { EventGridPublisherClient } = require("@azure/eventgrid");
+const { DefaultAzureCredential } = require("@azure/identity");
+
+const client = new EventGridPublisherClient(
+  "<endpoint>",
+  "<endpoint schema>",
+  new DefaultAzureCredential()
+);
+```
+
 ## Key concepts
 
 ### EventGridPublisherClient

@@ -10,6 +10,7 @@ import { CommonClientOptions } from '@azure/core-client';
 import { KeyCredential } from '@azure/core-auth';
 import { OperationOptions } from '@azure/core-client';
 import { SASCredential } from '@azure/core-auth';
+import { TokenCredential } from '@azure/core-auth';
 
 // @public
 export interface AcsChatEventBase {
@@ -400,7 +401,7 @@ export interface EventGridEvent<T> {
 
 // @public
 export class EventGridPublisherClient<T extends InputSchema> {
-    constructor(endpointUrl: string, inputSchema: T, credential: KeyCredential | SASCredential, options?: EventGridPublisherClientOptions);
+    constructor(endpointUrl: string, inputSchema: T, credential: KeyCredential | SASCredential | TokenCredential, options?: EventGridPublisherClientOptions);
     readonly apiVersion: string;
     readonly endpointUrl: string;
     send(events: InputSchemaToInputTypeMap[T][], options?: SendOptions): Promise<void>;

@@ -3,3 +3,4 @@
 
 export const SDK_VERSION: string = "4.4.0";
 export const DEFAULT_API_VERSION = "2018-01-01";
+export const DEFAULT_EVENTGRID_SCOPE = "https://eventgrid.azure.net/.default";
@@ -1,11 +1,11 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 
-import { KeyCredential, SASCredential } from "@azure/core-auth";
+import { isTokenCredential, KeyCredential, SASCredential } from "@azure/core-auth";
 import { OperationOptions, CommonClientOptions } from "@azure/core-client";
 
 import { eventGridCredentialPolicy } from "./eventGridAuthenticationPolicy";
-import { SDK_VERSION } from "./constants";
+import { SDK_VERSION, DEFAULT_EVENTGRID_SCOPE } from "./constants";
 import {
   SendCloudEventInput,
   SendEventGridEventInput,
@@ -20,6 +20,8 @@ import { cloudEventDistributedTracingEnricherPolicy } from "./cloudEventDistrubt
 import { createSpan } from "./tracing";
 import { SpanStatusCode } from "@azure/core-tracing";
 import { v4 as uuidv4 } from "uuid";
+import { TokenCredential } from "@azure/core-auth";
+import { bearerTokenAuthenticationPolicy } from "@azure/core-rest-pipeline";
 
 /**
  * Options for the Event Grid Client.
@@ -101,7 +103,7 @@ export class EventGridPublisherClient<T extends InputSchema> {
   constructor(
     endpointUrl: string,
     inputSchema: T,
-    credential: KeyCredential | SASCredential,
+    credential: KeyCredential | SASCredential | TokenCredential,
     options: EventGridPublisherClientOptions = {}
   ) {
     this.endpointUrl = endpointUrl;
@@ -121,7 +123,11 @@ export class EventGridPublisherClient<T extends InputSchema> {
     }
 
     this.client = new GeneratedClient(pipelineOptions);
-    const authPolicy = eventGridCredentialPolicy(credential);
+
+    const authPolicy = isTokenCredential(credential)
+      ? bearerTokenAuthenticationPolicy({ credential, scopes: DEFAULT_EVENTGRID_SCOPE })
+      : eventGridCredentialPolicy(credential);
+
     this.client.pipeline.addPolicy(authPolicy);
     this.client.pipeline.addPolicy(cloudEventDistributedTracingEnricherPolicy());
     this.apiVersion = this.client.apiVersion;
Original file line number	Diff line number	Diff line change
Expand Up		@@ -3,3 +3,4 @@

		export const SDK_VERSION: string = "4.4.0";
		export const DEFAULT_API_VERSION = "2018-01-01";
		export const DEFAULT_EVENTGRID_SCOPE = "https://eventgrid.azure.net/.default";