The azure-native:digitaltwins:DigitalTwinsEndpoint resource, part of the Pulumi Azure Native provider, defines an egress endpoint that routes Digital Twins telemetry and events to external Azure services. This guide focuses on three capabilities: Service Bus endpoint configuration, connection string authentication, and managed identity authentication.
Endpoints belong to a Digital Twins instance and reference Service Bus namespaces, topics, and optionally managed identities. The examples are intentionally small. Combine them with your own Digital Twins instances, Service Bus infrastructure, and RBAC role assignments.
Connect to Service Bus with connection strings
Digital Twins instances route telemetry and events to external systems for processing and storage. Service Bus provides reliable message delivery with connection string authentication.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const digitalTwinsEndpoint = new azure_native.digitaltwins.DigitalTwinsEndpoint("digitalTwinsEndpoint", {
endpointName: "myServiceBus",
properties: {
authenticationType: azure_native.digitaltwins.AuthenticationType.KeyBased,
endpointType: "ServiceBus",
primaryConnectionString: "Endpoint=sb://mysb.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=xyzxyzoX4=;EntityPath=abcabc",
secondaryConnectionString: "Endpoint=sb://mysb.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=xyzxyzoX4=;EntityPath=abcabc",
},
resourceGroupName: "resRg",
resourceName: "myDigitalTwinsService",
});
import pulumi
import pulumi_azure_native as azure_native
digital_twins_endpoint = azure_native.digitaltwins.DigitalTwinsEndpoint("digitalTwinsEndpoint",
endpoint_name="myServiceBus",
properties={
"authentication_type": azure_native.digitaltwins.AuthenticationType.KEY_BASED,
"endpoint_type": "ServiceBus",
"primary_connection_string": "Endpoint=sb://mysb.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=xyzxyzoX4=;EntityPath=abcabc",
"secondary_connection_string": "Endpoint=sb://mysb.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=xyzxyzoX4=;EntityPath=abcabc",
},
resource_group_name="resRg",
resource_name_="myDigitalTwinsService")
package main
import (
digitaltwins "github.com/pulumi/pulumi-azure-native-sdk/digitaltwins/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := digitaltwins.NewDigitalTwinsEndpoint(ctx, "digitalTwinsEndpoint", &digitaltwins.DigitalTwinsEndpointArgs{
EndpointName: pulumi.String("myServiceBus"),
Properties: &digitaltwins.ServiceBusArgs{
AuthenticationType: pulumi.String(digitaltwins.AuthenticationTypeKeyBased),
EndpointType: pulumi.String("ServiceBus"),
PrimaryConnectionString: pulumi.String("Endpoint=sb://mysb.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=xyzxyzoX4=;EntityPath=abcabc"),
SecondaryConnectionString: pulumi.String("Endpoint=sb://mysb.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=xyzxyzoX4=;EntityPath=abcabc"),
},
ResourceGroupName: pulumi.String("resRg"),
ResourceName: pulumi.String("myDigitalTwinsService"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var digitalTwinsEndpoint = new AzureNative.DigitalTwins.DigitalTwinsEndpoint("digitalTwinsEndpoint", new()
{
EndpointName = "myServiceBus",
Properties = new AzureNative.DigitalTwins.Inputs.ServiceBusArgs
{
AuthenticationType = AzureNative.DigitalTwins.AuthenticationType.KeyBased,
EndpointType = "ServiceBus",
PrimaryConnectionString = "Endpoint=sb://mysb.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=xyzxyzoX4=;EntityPath=abcabc",
SecondaryConnectionString = "Endpoint=sb://mysb.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=xyzxyzoX4=;EntityPath=abcabc",
},
ResourceGroupName = "resRg",
ResourceName = "myDigitalTwinsService",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.digitaltwins.DigitalTwinsEndpoint;
import com.pulumi.azurenative.digitaltwins.DigitalTwinsEndpointArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var digitalTwinsEndpoint = new DigitalTwinsEndpoint("digitalTwinsEndpoint", DigitalTwinsEndpointArgs.builder()
.endpointName("myServiceBus")
.properties(ServiceBusArgs.builder()
.authenticationType("KeyBased")
.endpointType("ServiceBus")
.primaryConnectionString("Endpoint=sb://mysb.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=xyzxyzoX4=;EntityPath=abcabc")
.secondaryConnectionString("Endpoint=sb://mysb.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=xyzxyzoX4=;EntityPath=abcabc")
.build())
.resourceGroupName("resRg")
.resourceName("myDigitalTwinsService")
.build());
}
}
resources:
digitalTwinsEndpoint:
type: azure-native:digitaltwins:DigitalTwinsEndpoint
properties:
endpointName: myServiceBus
properties:
authenticationType: KeyBased
endpointType: ServiceBus
primaryConnectionString: Endpoint=sb://mysb.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=xyzxyzoX4=;EntityPath=abcabc
secondaryConnectionString: Endpoint=sb://mysb.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=xyzxyzoX4=;EntityPath=abcabc
resourceGroupName: resRg
resourceName: myDigitalTwinsService
The authenticationType property set to KeyBased enables connection string authentication. The primaryConnectionString and secondaryConnectionString contain Service Bus credentials including the endpoint, shared access key, and entity path. The resourceName references the parent Digital Twins instance that owns this endpoint.
Authenticate with system-assigned managed identity
Managed identities eliminate the need to store connection strings by using Azure AD authentication between Digital Twins and Service Bus.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const digitalTwinsEndpoint = new azure_native.digitaltwins.DigitalTwinsEndpoint("digitalTwinsEndpoint", {
endpointName: "myServiceBus",
properties: {
authenticationType: azure_native.digitaltwins.AuthenticationType.IdentityBased,
endpointType: "ServiceBus",
endpointUri: "sb://mysb.servicebus.windows.net/",
entityPath: "mysbtopic",
},
resourceGroupName: "resRg",
resourceName: "myDigitalTwinsService",
});
import pulumi
import pulumi_azure_native as azure_native
digital_twins_endpoint = azure_native.digitaltwins.DigitalTwinsEndpoint("digitalTwinsEndpoint",
endpoint_name="myServiceBus",
properties={
"authentication_type": azure_native.digitaltwins.AuthenticationType.IDENTITY_BASED,
"endpoint_type": "ServiceBus",
"endpoint_uri": "sb://mysb.servicebus.windows.net/",
"entity_path": "mysbtopic",
},
resource_group_name="resRg",
resource_name_="myDigitalTwinsService")
package main
import (
digitaltwins "github.com/pulumi/pulumi-azure-native-sdk/digitaltwins/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := digitaltwins.NewDigitalTwinsEndpoint(ctx, "digitalTwinsEndpoint", &digitaltwins.DigitalTwinsEndpointArgs{
EndpointName: pulumi.String("myServiceBus"),
Properties: &digitaltwins.ServiceBusArgs{
AuthenticationType: pulumi.String(digitaltwins.AuthenticationTypeIdentityBased),
EndpointType: pulumi.String("ServiceBus"),
EndpointUri: pulumi.String("sb://mysb.servicebus.windows.net/"),
EntityPath: pulumi.String("mysbtopic"),
},
ResourceGroupName: pulumi.String("resRg"),
ResourceName: pulumi.String("myDigitalTwinsService"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var digitalTwinsEndpoint = new AzureNative.DigitalTwins.DigitalTwinsEndpoint("digitalTwinsEndpoint", new()
{
EndpointName = "myServiceBus",
Properties = new AzureNative.DigitalTwins.Inputs.ServiceBusArgs
{
AuthenticationType = AzureNative.DigitalTwins.AuthenticationType.IdentityBased,
EndpointType = "ServiceBus",
EndpointUri = "sb://mysb.servicebus.windows.net/",
EntityPath = "mysbtopic",
},
ResourceGroupName = "resRg",
ResourceName = "myDigitalTwinsService",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.digitaltwins.DigitalTwinsEndpoint;
import com.pulumi.azurenative.digitaltwins.DigitalTwinsEndpointArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var digitalTwinsEndpoint = new DigitalTwinsEndpoint("digitalTwinsEndpoint", DigitalTwinsEndpointArgs.builder()
.endpointName("myServiceBus")
.properties(ServiceBusArgs.builder()
.authenticationType("IdentityBased")
.endpointType("ServiceBus")
.endpointUri("sb://mysb.servicebus.windows.net/")
.entityPath("mysbtopic")
.build())
.resourceGroupName("resRg")
.resourceName("myDigitalTwinsService")
.build());
}
}
resources:
digitalTwinsEndpoint:
type: azure-native:digitaltwins:DigitalTwinsEndpoint
properties:
endpointName: myServiceBus
properties:
authenticationType: IdentityBased
endpointType: ServiceBus
endpointUri: sb://mysb.servicebus.windows.net/
entityPath: mysbtopic
resourceGroupName: resRg
resourceName: myDigitalTwinsService
When authenticationType is IdentityBased, the endpoint uses the Digital Twins instance’s managed identity instead of connection strings. The endpointUri points to the Service Bus namespace, and entityPath specifies the topic or queue. This configuration requires the Digital Twins instance to have a system-assigned identity with Azure Service Bus Data Sender role on the target topic.
Authenticate with user-assigned managed identity
User-assigned identities provide centralized identity management when multiple resources need to share the same authentication credentials.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const digitalTwinsEndpoint = new azure_native.digitaltwins.DigitalTwinsEndpoint("digitalTwinsEndpoint", {
endpointName: "myServiceBus",
properties: {
authenticationType: azure_native.digitaltwins.AuthenticationType.IdentityBased,
endpointType: "ServiceBus",
endpointUri: "sb://mysb.servicebus.windows.net/",
entityPath: "mysbtopic",
identity: {
type: azure_native.digitaltwins.IdentityType.UserAssigned,
userAssignedIdentity: "/subscriptions/50016170-c839-41ba-a724-51e9df440b9e/resourceGroups/testrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testidentity",
},
},
resourceGroupName: "resRg",
resourceName: "myDigitalTwinsService",
});
import pulumi
import pulumi_azure_native as azure_native
digital_twins_endpoint = azure_native.digitaltwins.DigitalTwinsEndpoint("digitalTwinsEndpoint",
endpoint_name="myServiceBus",
properties={
"authentication_type": azure_native.digitaltwins.AuthenticationType.IDENTITY_BASED,
"endpoint_type": "ServiceBus",
"endpoint_uri": "sb://mysb.servicebus.windows.net/",
"entity_path": "mysbtopic",
"identity": {
"type": azure_native.digitaltwins.IdentityType.USER_ASSIGNED,
"user_assigned_identity": "/subscriptions/50016170-c839-41ba-a724-51e9df440b9e/resourceGroups/testrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testidentity",
},
},
resource_group_name="resRg",
resource_name_="myDigitalTwinsService")
package main
import (
digitaltwins "github.com/pulumi/pulumi-azure-native-sdk/digitaltwins/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := digitaltwins.NewDigitalTwinsEndpoint(ctx, "digitalTwinsEndpoint", &digitaltwins.DigitalTwinsEndpointArgs{
EndpointName: pulumi.String("myServiceBus"),
Properties: &digitaltwins.ServiceBusArgs{
AuthenticationType: pulumi.String(digitaltwins.AuthenticationTypeIdentityBased),
EndpointType: pulumi.String("ServiceBus"),
EndpointUri: pulumi.String("sb://mysb.servicebus.windows.net/"),
EntityPath: pulumi.String("mysbtopic"),
Identity: &digitaltwins.ManagedIdentityReferenceArgs{
Type: pulumi.String(digitaltwins.IdentityTypeUserAssigned),
UserAssignedIdentity: pulumi.String("/subscriptions/50016170-c839-41ba-a724-51e9df440b9e/resourceGroups/testrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testidentity"),
},
},
ResourceGroupName: pulumi.String("resRg"),
ResourceName: pulumi.String("myDigitalTwinsService"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var digitalTwinsEndpoint = new AzureNative.DigitalTwins.DigitalTwinsEndpoint("digitalTwinsEndpoint", new()
{
EndpointName = "myServiceBus",
Properties = new AzureNative.DigitalTwins.Inputs.ServiceBusArgs
{
AuthenticationType = AzureNative.DigitalTwins.AuthenticationType.IdentityBased,
EndpointType = "ServiceBus",
EndpointUri = "sb://mysb.servicebus.windows.net/",
EntityPath = "mysbtopic",
Identity = new AzureNative.DigitalTwins.Inputs.ManagedIdentityReferenceArgs
{
Type = AzureNative.DigitalTwins.IdentityType.UserAssigned,
UserAssignedIdentity = "/subscriptions/50016170-c839-41ba-a724-51e9df440b9e/resourceGroups/testrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testidentity",
},
},
ResourceGroupName = "resRg",
ResourceName = "myDigitalTwinsService",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.digitaltwins.DigitalTwinsEndpoint;
import com.pulumi.azurenative.digitaltwins.DigitalTwinsEndpointArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var digitalTwinsEndpoint = new DigitalTwinsEndpoint("digitalTwinsEndpoint", DigitalTwinsEndpointArgs.builder()
.endpointName("myServiceBus")
.properties(ServiceBusArgs.builder()
.authenticationType("IdentityBased")
.endpointType("ServiceBus")
.endpointUri("sb://mysb.servicebus.windows.net/")
.entityPath("mysbtopic")
.identity(ManagedIdentityReferenceArgs.builder()
.type("UserAssigned")
.userAssignedIdentity("/subscriptions/50016170-c839-41ba-a724-51e9df440b9e/resourceGroups/testrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testidentity")
.build())
.build())
.resourceGroupName("resRg")
.resourceName("myDigitalTwinsService")
.build());
}
}
resources:
digitalTwinsEndpoint:
type: azure-native:digitaltwins:DigitalTwinsEndpoint
properties:
endpointName: myServiceBus
properties:
authenticationType: IdentityBased
endpointType: ServiceBus
endpointUri: sb://mysb.servicebus.windows.net/
entityPath: mysbtopic
identity:
type: UserAssigned
userAssignedIdentity: /subscriptions/50016170-c839-41ba-a724-51e9df440b9e/resourceGroups/testrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testidentity
resourceGroupName: resRg
resourceName: myDigitalTwinsService
The identity property specifies a user-assigned managed identity by its resource ID. Set type to UserAssigned and provide the full userAssignedIdentity path. This allows multiple Digital Twins instances or other Azure resources to share the same identity for Service Bus access, simplifying RBAC management across resources.
Beyond these examples
These snippets focus on specific endpoint features: Service Bus endpoint configuration, connection string and managed identity authentication, and system-assigned and user-assigned identity types. They’re intentionally minimal rather than full event routing solutions.
The examples reference pre-existing infrastructure such as Digital Twins instances, Service Bus namespaces and topics, user-assigned managed identities, and Azure RBAC role assignments for identity-based authentication. They focus on configuring the endpoint rather than provisioning the surrounding infrastructure.
To keep things focused, common endpoint patterns are omitted, including:
- Event Hub and Event Grid endpoint types
- Dead letter configuration for failed deliveries
- Endpoint lifecycle management (provisioning state)
- Multiple endpoints per Digital Twins instance
These omissions are intentional: the goal is to illustrate how each endpoint feature is wired, not provide drop-in event routing modules. See the DigitalTwinsEndpoint resource reference for all available configuration options.
Let's configure Azure Digital Twins Endpoints
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Authentication & Identity
What authentication methods are available for Digital Twins endpoints?
You can use KeyBased authentication with connection strings, or IdentityBased authentication with managed identities.
How do I configure KeyBased authentication?
Set
authenticationType to KeyBased and provide primaryConnectionString and secondaryConnectionString with your Service Bus connection details.How do I configure IdentityBased authentication?
Set
authenticationType to IdentityBased and provide endpointUri and entityPath instead of connection strings. This uses the Digital Twins instance’s managed identity.Can I use a user-assigned managed identity instead of system-assigned?
Yes, when using IdentityBased authentication, add an
identity property with type set to UserAssigned and specify the userAssignedIdentity resource ID.Configuration & Immutability
Which properties can't be changed after creating an endpoint?
The
endpointName, resourceGroupName, and resourceName properties are immutable and require resource replacement to change.Using a different cloud?
Explore integration guides for other cloud providers: