We have several services running in Service Fabric on Azure and they sporadically start throwing the following UnauthorizedAccessException exception, then after some period ranging from minutes to days the exceptions stop.
Environment variables are used to provide the App Registration secret for DefaultAzureCredential.
The Azure Service Bus Data Receiver role is assigned in the Service Bus Namespace to the group containing the Service Principals.
The code looks like this:
// the credentials are also used to authenticate with other azure resources without issues
var credentials = new DefaultAzureCredential();
...
var serviceBusClient = new ServiceBusClient("*redacted*", credentials);
var serviceBusReceiver = serviceBusClient.CreateReceiver(
    "*redacted*",
    "*redacted*",
    new() { ReceiveMode = ServiceBusReceiveMode.ReceiveAndDelete });
while (!cancellationToken.IsCancellationRequested)
{
    var message = await serviceBusReceiver.PeekMessageAsync();
}
Below is the full exception:
System.UnauthorizedAccessException: Unauthorized access. 'Listen' claim(s) are required to perform this operation. Resource: 'sb://*redacted*.servicebus.windows.net/*redacted*/subscriptions/*redacted*/$management'. TrackingId:$management, SystemTracker:NoSystemTracker, Timestamp:2024-05-10T07:17:06
For troubleshooting information, see https://aka.ms/azsdk/net/servicebus/exceptions/troubleshoot.
at Azure.Messaging.ServiceBus.Amqp.AmqpReceiver.PeekMessagesInternalAsync(Int64 sequenceNumber, Int32 messageCount, TimeSpan timeout, CancellationToken cancellationToken)
at Azure.Messaging.ServiceBus.Amqp.AmqpReceiver.<>c.<<PeekMessagesAsync>b__61_0>d.MoveNext()
--- End of stack trace from previous location ---
at Azure.Messaging.ServiceBus.ServiceBusRetryPolicy.RunOperation[T1,TResult](Func`4 operation, T1 t1, TransportConnectionScope scope, CancellationToken cancellationToken, Boolean logTimeoutRetriesAsVerbose)
at Azure.Messaging.ServiceBus.ServiceBusRetryPolicy.RunOperation[T1,TResult](Func`4 operation, T1 t1, TransportConnectionScope scope, CancellationToken cancellationToken, Boolean logTimeoutRetriesAsVerbose)
at Azure.Messaging.ServiceBus.Amqp.AmqpReceiver.PeekMessagesAsync(Nullable`1 sequenceNumber, Int32 messageCount, CancellationToken cancellationToken)
at Azure.Messaging.ServiceBus.ServiceBusReceiver.PeekMessagesInternalAsync(Nullable`1 sequenceNumber, Int32 maxMessages, CancellationToken cancellationToken)
at Azure.Messaging.ServiceBus.ServiceBusReceiver.PeekMessageAsync(Nullable`1 fromSequenceNumber, CancellationToken cancellationToken)
at *redacted*
The following nugets are used:
<PackageReference Include="Azure.Identity" Version="1.*" />
<PackageReference Include="Azure.Messaging.ServiceBus" Version="7.*" />