How can I deliver Azure Event Grid events across tenants to a webhook using Managed Identity?

Jia Xie 0 Reputation points Microsoft Employee
2025-06-10T18:54:53.9266667+00:00

I’m trying to set up cross-tenant delivery of Event Grid events to a webhook endpoint secured with a Managed Identity, but the only example in the docs shows delivery to a Storage Queue. The webhook scenario is currently in Public Preview.

Could anyone help me learn how to configure and test the webhook delivery path that’s in Public Preview?


2 answers

  1. Vinodh247 36,031 Reputation points MVP Volunteer Moderator
    2025-06-11T00:49:03.9633333+00:00

    Hi,

    Thanks for reaching out to Microsoft Q&A.

    Right, the official documentation on cross-tenant delivery using Managed Identity only includes a sample for Storage Queue, and webhook as a destination is currently in Public Preview with limited samples and portal support. You can configure cross-tenant Event Grid webhook delivery with Managed Identity (Public Preview) via ARM template / Bicep / REST API, since the portal does not yet support cross-tenant webhook creation.

    Prerequisites

    • Two tenants (source and target).
    • A system-assigned or user-assigned managed identity in the source tenant.
    • A webhook endpoint in the target tenant that:
      • Requires Azure AD authentication.
      • Accepts JWT tokens issued for the managed identity.
      • Can validate the Event Grid handshake (`validationCode`).
      • Has permission granted to the managed identity to call the webhook (e.g., via App Role or RBAC on Azure App Service, if used).

    High-Level Steps

    1. Create a Managed Identity in the Source Tenant

    This will be used by Event Grid to authenticate to the target webhook.

    az identity create --name eventgrid-identity --resource-group source-rg

    2. Assign Webhook Permissions in Target Tenant

    In the target tenant, assign the managed identity access to the webhook app (e.g., via App Role Assignment if it is an App Service with Azure AD auth).

    You need to:

    • Register an Azure AD app (if not already).
    • Enable authentication (AAD) on the webhook.
    • Add the managed identity as a user or grant it access via a policy.

    3. Create an Event Subscription using ARM Template or REST API

    4. Test the Event Subscription

    Ensure that the....

    • The webhook returns a 200 OK and handles validationCode for the Event Grid subscription handshake.
    • The endpoint can parse Event Grid events and validate the JWT from the Managed Identity.
    • Use tools like Postman + Azure CLI to manually acquire a token for the Managed Identity and test the webhook authorization.


    Workarounds/Things to keep in mind:

    • This feature is only supported via API, not via Azure Portal yet.
    • If using Azure Functions or App Services as webhook:
      • Enable AAD Auth.
      • Set issuer and audience correctly.
      • Enable App Role Assignment if using custom roles.

    How to Validate and Debug

    Use https://jwt.ms to decode the token issued to the managed identity.

    Enable logging in your webhook app (e.g., Application Insights).

    Use Event Grid's delivery logs to debug failures.

    Please 'Upvote' (Thumbs-up) and 'Accept' as answer if the reply was helpful. This will benefit other community members who face the same issue.


  2. Sai Prabhu Naveen Parimi 3,470 Reputation points Microsoft External Staff Moderator
    2025-06-12T10:54:27.34+00:00

    @Jia Xie

    It sounds like you're trying to set up cross-tenant delivery of Azure Event Grid events to a webhook endpoint using Managed Identity, which is currently in public preview. Since the documentation primarily covers delivery to a Storage Queue, I can see why you might be feeling a bit stuck.

    Here's a rundown of what you can do to configure and test the webhook delivery:

    Prerequisites

    1. Two Tenants: Ensure you have both a source and a target tenant.
    2. Managed Identity: Create a system-assigned or user-assigned managed identity in the source tenant.
    3. Webhook Endpoint: Set up a webhook in the target tenant that:
      • Requires Azure AD authentication.
      • Can accept JWT tokens issued for the managed identity.
      • Validates the Event Grid handshake with the validationCode.
      • Has permissions granted to the managed identity (via App Role or RBAC).

    High-Level Steps

    1. Create a Managed Identity: In your source tenant, use the Azure CLI command:

    az identity create --name eventgrid-identity --resource-group source-rg

    2. Create an Event Subscription: Currently, this can only be done using ARM templates, Bicep, or REST API since the portal doesn't support cross-tenant webhook creation yet.
    3. Test Your Configuration: Ensure that:
      • The webhook returns a 200 OK response and appropriately handles the validationCode.
      • The endpoint can parse Event Grid events and validate the JWT from the Managed Identity.
      • You can utilize tools like Postman and Azure CLI to manually acquire a token and test the webhook authorization.
      • Enable logging in your webhook application (like Application Insights).
      • Check Event Grid's delivery logs for any failures.
      • Use jwt.ms to check the JWT token issued to the managed identity.
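Both answers say the target-tenant webhook has two jobs: complete the Event Grid subscription handshake by echoing the validationCode, and validate the JWT that Event Grid presents on behalf of the managed identity (issuer and audience "set correctly", as the first answer puts it). The handler below is an added illustration of those two checks; it is not code from the question, either answer, or Microsoft. Signature verification is delegated to a pluggable verify_signature callback because a real Entra ID token is RS256-signed and must be checked against the tenant's published JWKS (for example with PyJWT's PyJWKClient); the HS256 token built here is a constructed stand-in so the example runs offline. The issuer URL, the api://example-webhook audience and the demo key are placeholders, not real tenant values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Event type Event Grid sends in the subscription handshake (documented value).
VALIDATION_EVENT_TYPE = "Microsoft.EventGrid.SubscriptionValidationEvent"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def validate_bearer_token(authorization: Optional[str], *, expected_issuer: str,
                          expected_audience: str, verify_signature: Callable[[str], bool],
                          now: Optional[float] = None) -> dict:
    """Return the claims of an acceptable JWT from the Authorization header, else raise
    PermissionError. Signature checking is delegated to verify_signature(token) -> bool so
    a JWKS-backed verifier (e.g. PyJWT with PyJWKClient) can be plugged in for real tokens."""
    if not authorization or not authorization.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    token = authorization[len("Bearer "):]
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed JWT")
    # Verify the signature before reading any claim; unverified claims are untrusted input.
    if not verify_signature(token):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise PermissionError("unexpected issuer")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("token not issued for this webhook")
    if now >= float(claims.get("exp", 0)):        # a missing exp is treated as expired
        raise PermissionError("token expired")
    if now < float(claims.get("nbf", 0)):
        raise PermissionError("token not yet valid")
    return claims


def handle_event_grid_request(headers: dict, body: str, **token_opts) -> tuple:
    """Handle one HTTP POST from Event Grid; returns (status_code, response_body)."""
    try:
        validate_bearer_token(headers.get("Authorization"), **token_opts)
    except PermissionError as err:
        return 401, {"error": str(err)}
    events = json.loads(body)
    for event in events:
        if event.get("eventType") == VALIDATION_EVENT_TYPE:
            # Echo the code back in the documented shape to complete the handshake.
            return 200, {"validationResponse": event["data"]["validationCode"]}
    # Normal delivery: 200 tells Event Grid the batch was accepted (processing goes here).
    return 200, {"received": len(events)}


# --- Constructed fixtures for offline testing; none of these are real tenant values. ---
TEST_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
TEST_AUDIENCE = "api://example-webhook"   # hypothetical App ID URI of the webhook app
_TEST_KEY = b"constructed-demo-key"       # only for the HS256 stand-in below


def make_test_token(claims: dict) -> str:
    """Build an HS256 JWT for the offline demo; Entra ID issues RS256 tokens, not HS256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(_TEST_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def hs256_verifier(token: str) -> bool:
    """Stand-in verifier for the demo key; replace with a JWKS-backed RS256 check."""
    header, payload, sig = token.split(".")
    expected = hmac.new(_TEST_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


TOKEN_OPTS = dict(expected_issuer=TEST_ISSUER, expected_audience=TEST_AUDIENCE,
                  verify_signature=hs256_verifier, now=1_700_000_000)
HANDSHAKE_BODY = json.dumps([{"eventType": VALIDATION_EVENT_TYPE,
                              "data": {"validationCode": "constructed-code-123"}}])
DELIVERY_BODY = json.dumps([{"eventType": "Contoso.Orders.Created", "data": {"id": 1}}])

if __name__ == "__main__":
    good = make_test_token({"iss": TEST_ISSUER, "aud": TEST_AUDIENCE,
                            "exp": 1_700_003_600, "nbf": 1_699_999_000})
    print(handle_event_grid_request({"Authorization": "Bearer " + good}, HANDSHAKE_BODY, **TOKEN_OPTS))
    print(handle_event_grid_request({}, DELIVERY_BODY, **TOKEN_OPTS))
```

The order of checks is the point worth keeping when you port this into an App Service or Function: signature first, then issuer, then audience, then the time window, and only then the event body. Rejecting on audience is what stops a token issued to the same identity for some other API from being replayed against the webhook, and a missing or wrong Authorization header yields 401 before the validationCode is ever read, so an unauthenticated caller cannot complete the handshake for you.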
