Add information for queue scoped permissions for ASB (#7873)

* Add information for queue scoped permissions

* Fix bad link

* Fix bad link

* Update queue-permissions.md

* Update based on feedback

* Apply suggestion from @helenktsai

Co-authored-by: Helen T <[email protected]>

* Update managed-access-rights.include.md

* Updates based on feedback

* Updates based on feedback

* Apply suggestion from @helenktsai

Co-authored-by: Helen T <[email protected]>

* Apply suggestion from @helenktsai

Co-authored-by: Helen T <[email protected]>

* Apply suggestion from @helenktsai

Co-authored-by: Helen T <[email protected]>

---------

Co-authored-by: Helen T <[email protected]>

Author: boblangley

menu/menu.yaml

@@ -949,6 +949,8 @@
       Articles:
         - Url: nservicebus/azure/ways-to-live-without-transactions
           Title: Avoiding Transactions
+    - Url: transports/azure-service-bus/queue-scoped-permissions
+      Title: Queue-scoped permissions
     - Url: transports/azure-service-bus/operational-scripting
       Title: Operational scripting
   - Title: Azure Storage Queues

transports/azure-service-bus/configuration.md

@@ -30,7 +30,7 @@ These settings control how the transport creates entities in the Azure Service B
 > [!WARNING]
 > Entity creation settings are applied only at the time the corresponding entities are created; they are not updated on subsequent startups.
 
-partial: access-rights
+include: managed-access-rights
 
 partial: entity-topology
 

transports/azure-service-bus/configuration_access-rights_asbs_[,3).partial.md

@@ -0,0 +1,12 @@
+
+### Access rights
+
+By default, the transport requires elevated privileges to manage namespace entities at runtime. If using a [shared access policy](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas), make sure to include `Manage` rights or the [Azure Service Bus Data Owner](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#azure-service-bus-data-owner) role if authenticating using [Managed Identities](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-managed-service-identity).
+
+To avoid running with elevated privileges:
+
+- Make sure that [installers are not configured to run](/nservicebus/operations/installers.md)
+- Use [operational scripting](/transports/azure-service-bus/operational-scripting.md) to provision entities(queues, topics and subscriptions)
+#if-version [,3)
+- [Turn off automatic subscriptions](/nservicebus/messaging/publish-subscribe/controlling-what-is-subscribed.md#disabling-auto-subscription)
+#end-if

transports/azure-service-bus/configuration_access-rights_asbs_[3,).partial.md

@@ -0,0 +1,32 @@
+---
+title: Managed Entity Queue-Scoped Permissions for Endpoints
+summary: Explains queue-scoped permissions needed by an endpoint running in Azure Service Bus
+component: ASBS
+reviewed: 2025-10-17
+---
+
+It is common practice to limit [Azure Service Bus connection permissions at the queue scope when using Managed Entities](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-managed-service-identity#resource-scope). 
+
+The following shows the minimum permissions needed for various endpoint features using queue-scoped permissions:
+
+- `Azure Service Bus Data Receiver` to the endpoint's queue is required to process messages.
+- `Azure Service Bus Data Sender` to the endpoint's queue is required for:
+  - [Delayed retries](/nservicebus/recoverability/#delayed-retries)
+  - [Saga Timeouts](/nservicebus/sagas/timeouts.md)
+  - [Transactional Session](/nservicebus/transactional-session/)
+  - [`.SendLocal()`](/nservicebus/messaging/send-a-message.md#sending-to-self)
+- `Azure Service Bus Data Sender` is required for the [error queue](/nservicebus/recoverability/configure-error-handling.md#configure-the-error-queue-address-using-code).
+- `Azure Service Bus Data Sender` is required for every [queue the endpoint sends a command to](/nservicebus/messaging/routing.md#command-routing).
+- `Azure Service Bus Data Sender` is required for every [queue the endpoint replies to](/nservicebus/messaging/reply-to-a-message.md).
+- `Azure Service Bus Data Sender` is required for every [topic the endpoint publishes an event to](/transports/azure-service-bus/topology.md).
+#if-version [,3)
+- `Microsoft.ServiceBus/namespaces/topics/subscriptions/write` is required for [every topic](/transports/azure-service-bus/topology.md) the endpoint [handles events](/nservicebus/messaging/publish-subscribe/publish-handle-event.md#handling-an-event) from when using [automatic subscriptions (default)](/nservicebus/messaging/publish-subscribe/controlling-what-is-subscribed.md).
+#end-if
+- `Azure Service Bus Data Sender` is required for the audit queue when [auditing](/nservicebus/operations/auditing.md#configuring-auditing) is enabled.
+- `Azure Service Bus Data Sender` is required for the [transactional session remote processor](/nservicebus/transactional-session/#remote-processor) queue, when configured.
+- `Azure Service Bus Data Sender` is required for the metrics queue when ServiceControl [metrics](/monitoring/metrics/install-plugin.md#configuration) are enabled.
+- `Azure Service Bus Data Sender` is required for the ServiceControl queue when [heartbeats](/monitoring/heartbeats/install-plugin.md) or [custom checks](/monitoring/custom-checks/install-plugin.md) are being used.
+- `Azure Service Bus Data Sender` is required for any queue the endpoint [forwards to](/nservicebus/messaging/forwarding.md).
+- `Azure Service Bus Data Receiver` is required for every [satellite queue](/nservicebus/satellites/) created.
+
+include: managed-access-rights