Skip to content

Azure Notification

Hubs Namespace Key

Service Name: Azure Notification Hubs

Service Description: Azure Notification Hubs is a push notification engine that enables sending push notifications to any platform (iOS, Android, Windows, etc.) from any backend (cloud or on-premises). It provides a scalable, cross-platform push notification infrastructure for sending millions of notifications to mobile apps.

Service Address: https://azure.microsoft.com/en-us/services/notification-hubs/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the Azure service level using Network Security Groups and Virtual Networks.

Secret Access Scope: Grants access to manage and send notifications through a specific Azure Notification Hubs namespace. The key allows operations such as registering devices, sending notifications, and managing notification hub resources.

Secret Revokement URL: https://portal.azure.com/ (Navigate to your Notification Hubs namespace > Access policies > Select the policy > Delete)

Secret Example: Endpoint=sb://mynotificationhub.servicebus.windows.net/;SharedAccessKeyNam e=DefaultFullSharedAccessSignature;SharedAccessKey=A1B2C3D4E5F6G7H8I9J0K1L2 M3N4O5P6Q7R8S9T0=

Suspicious Activity Investigation Instructions:

  • Review Azure Activity Logs for unusual operations on your Notification Hubs namespace
  • Check for unexpected spikes in notification sends or device registrations
  • Monitor for unauthorized changes to notification hub configurations
  • Review Azure Monitor metrics for unusual patterns in notification delivery

  • Check for notifications sent to unexpected platforms or applications

  • Verify if there are any policy changes or new access policies created

Mitigation Instructions:

  • Immediately regenerate the Notification Hubs namespace access key in the Azure Portal
  • Navigate to your Notification Hubs namespace > Access policies > Select the affected policy
  • Click on "Regenerate Key" for either the primary or secondary key that was compromised
  • Update all legitimate applications with the new connection string
  • Review and update IP restrictions using Azure Network Security Groups if applicable
  • Enable Azure Defender for additional security monitoring
  • Consider implementing Azure Private Link for your Notification Hubs to restrict network access
  • Review all registered applications and remove any unauthorized registrations
  • Enable diagnostic logs for better monitoring and auditing