2 votes

I have an Azure Event Grid trigger inside my Function App. The function is subscribed to an Event Grid topic through an event subscription. The function works perfectly and is triggered when I have no authentication configured in the Authentication / Authorization blade of the Function App. But when I integrate the B2C AD app from the blade, the topic is not delivered and the function is not triggered. I can also see "Unauthorized" errors inside the event subscription. The B2C flow is required for other HTTP triggers inside the Function App. How can I give exclusive access to the Event Grid so that this message is delivered without the B2C flow?

1
I have the same problem. I can't find anything about this limitation in the documentation.

1 Answer

1 vote

You can try the approach below:

Enable Event Grid to use your Azure AD Application:

Use the PowerShell script below to create a role and a service principal in your Azure AD application. You will need the Tenant ID and the Object ID of your Azure AD application:

  1. Modify the PowerShell script's $myTenantId to use your Azure AD Tenant ID.

  2. Modify the PowerShell script's $myAzureADApplicationObjectId to use the Object ID of your Azure AD Application.

  3. Run the modified script.

    # Requires the AzureAD PowerShell module (Install-Module AzureAD)
    $myTenantId = "<the Tenant Id of your Azure AD Application>"
    
    Connect-AzureAD -TenantId $myTenantId
    
    $myAzureADApplicationObjectId = "<the Object Id of your Azure AD Application>"
    
    # Well-known application ID of the first-party Microsoft.EventGrid service principal
    $eventGridAppId = "4962773b-9cdb-44cf-a8bf-237846a00ab7"
    
    $eventGridRoleName = "AzureEventGridSecureWebhook"
    
    # Builds an app role that only applications (service principals), not users, can hold
    Function CreateAppRole([string] $Name, [string] $Description)
    {
        $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
        $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
        $appRole.AllowedMemberTypes.Add("Application")
        $appRole.DisplayName = $Name
        $appRole.Id = New-Guid
        $appRole.IsEnabled = $true
        $appRole.Description = $Description
        $appRole.Value = $Name
        return $appRole
    }
    
    $myApp = Get-AzureADApplication -ObjectId $myAzureADApplicationObjectId
    $myAppRoles = $myApp.AppRoles
    
    # Your application's own service principal is the resource the role is granted on.
    # Resolve it unconditionally: the original script only did so when the role was new,
    # leaving $myServicePrincipal empty on re-runs.
    $myServicePrincipal = Get-AzureADServicePrincipal -Filter ("appId eq '" + $myApp.AppId + "'")
    if (-not $myServicePrincipal)
    {
        throw "No service principal exists for application $($myApp.AppId); create one with New-AzureADServicePrincipal -AppId $($myApp.AppId) first."
    }
    
    # Event Grid's service principal may not exist in your tenant yet
    $eventGridSP = Get-AzureADServicePrincipal -Filter ("appId eq '" + $eventGridAppId + "'")
    
    Write-Host "App Roles before addition of new role.."
    Write-Host $myAppRoles
    
    # Look the role up by its Value instead of pattern-matching the role objects
    $eventGridRole = $myAppRoles | Where-Object { $_.Value -eq $eventGridRoleName }
    if ($eventGridRole)
    {
        Write-Host "The Azure Event Grid role is already defined.`n"
    }
    else
    {
        $eventGridRole = CreateAppRole -Name $eventGridRoleName -Description "Azure Event Grid Role"
        $myAppRoles.Add($eventGridRole)
        Set-AzureADApplication -ObjectId $myApp.ObjectId -AppRoles $myAppRoles
    }
    
    if ($eventGridSP)
    {
        Write-Host "The Service principal is already defined.`n"
    }
    else
    {
        $eventGridSP = New-AzureADServicePrincipal -AppId $eventGridAppId
    }
    
    # Grant the Event Grid service principal the role on your application. Use the role
    # resolved above rather than AppRoles[0], which is wrong if the app already had roles,
    # and skip the grant when it already exists so the script can be re-run safely.
    $existingGrant = Get-AzureADServiceAppRoleAssignedTo -ObjectId $myServicePrincipal.ObjectId |
        Where-Object { $_.PrincipalId -eq $eventGridSP.ObjectId -and $_.Id -eq $eventGridRole.Id }
    if ($existingGrant)
    {
        Write-Host "The Event Grid role assignment already exists.`n"
    }
    else
    {
        New-AzureADServiceAppRoleAssignment -Id $eventGridRole.Id -ResourceId $myServicePrincipal.ObjectId -ObjectId $eventGridSP.ObjectId -PrincipalId $eventGridSP.ObjectId
    }
    
    Write-Host "My Azure AD Tenant Id: $myTenantId"
    Write-Host "My Azure AD Application Id: $($myApp.AppId)"
    Write-Host "My Azure AD Application ObjectId: $($myApp.ObjectId)"
    Write-Host "My Azure AD Application's Roles: "
    Write-Host $myApp.AppRoles
    
    

Configure the event subscription:

In the creation flow for your event subscription, select the endpoint type 'Web Hook'. Once you've given your endpoint URI (the webhook URI of the Event Grid trigger: https://FUNCTION_DOMAIN/runtime/webhooks/eventgrid?functionName={FUNCTION_NAME}), click the 'Additional Features' tab at the top of the create event subscription blade.


In the additional features tab, check the box for 'Use AAD authentication' and configure the Tenant ID and Application ID:

  • Copy the Azure AD Tenant ID from the output of the script and enter it in the AAD Tenant ID field.
  • Copy the Azure AD Application ID from the output of the script and enter it in the AAD Application ID field.


Edit:

For more details about this solution, visit here.
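The answer above does the Azure AD part with a script but the event subscription part in the portal, and it gives no way to confirm the role grant actually took. The PowerShell below is an added example (not part of the original answer) that does both from the shell: it verifies that the Event Grid service principal holds the AzureEventGridSecureWebhook role on your application, then creates the event subscription with the same two AAD delivery fields the portal's 'Use AAD authentication' option exposes. It assumes the AzureAD module session from the script above is still connected, that the Az.EventGrid module (1.x) is installed and Connect-AzAccount has been run, and that the resource group, topic, subscription, function domain and function name placeholders are replaced with yours.

```powershell
# Added example; assumes AzureAD (connected) and Az.EventGrid 1.x (Connect-AzAccount done).
$myApplicationId   = "<the Application Id printed by the script above>"
$myTenantId        = "<the Tenant Id printed by the script above>"
$eventGridAppId    = "4962773b-9cdb-44cf-a8bf-237846a00ab7"   # Microsoft.EventGrid, well-known
$eventGridRoleName = "AzureEventGridSecureWebhook"

# Placeholder names, to be replaced with your own resources
$resourceGroupName = "<resource group of your Event Grid topic>"
$topicName         = "<your Event Grid topic>"
$subscriptionName  = "functions-eventgrid-aad"
$functionDomain    = "<FUNCTION_DOMAIN>"      # e.g. the *.azurewebsites.net host of the Function App
$functionName      = "<FUNCTION_NAME>"        # the Event Grid-triggered function

# 1. Confirm the grant before touching the subscription. If the Event Grid service
#    principal does not hold the role, deliveries will still be rejected with 401.
$myServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$myApplicationId'"
$eventGridSP        = Get-AzureADServicePrincipal -Filter "appId eq '$eventGridAppId'"
if (-not $myServicePrincipal) { throw "No service principal for application $myApplicationId" }
if (-not $eventGridSP)        { throw "Event Grid service principal $eventGridAppId is not in tenant $myTenantId" }

$role = $myServicePrincipal.AppRoles | Where-Object { $_.Value -eq $eventGridRoleName }
if (-not $role) { throw "Role '$eventGridRoleName' is not defined on application $myApplicationId" }

$grant = Get-AzureADServiceAppRoleAssignedTo -ObjectId $myServicePrincipal.ObjectId |
    Where-Object { $_.PrincipalId -eq $eventGridSP.ObjectId -and $_.Id -eq $role.Id }
if (-not $grant) { throw "Event Grid SP $($eventGridSP.ObjectId) has no '$eventGridRoleName' assignment on $myApplicationId" }
Write-Host "OK: Event Grid holds '$eventGridRoleName' on $($myServicePrincipal.DisplayName)"

# 2. Create the subscription with AAD delivery authentication. Event Grid will obtain a
#    token for $myApplicationId from tenant $myTenantId and send it as a bearer token
#    on every delivery, including the initial subscription validation request.
$endpoint = "https://$functionDomain/runtime/webhooks/eventgrid?functionName=$functionName"

New-AzEventGridSubscription `
    -ResourceGroupName $resourceGroupName `
    -TopicName $topicName `
    -EventSubscriptionName $subscriptionName `
    -EndpointType webhook `
    -Endpoint $endpoint `
    -AzureActiveDirectoryTenantId $myTenantId `
    -AzureActiveDirectoryApplicationIdOrUri $myApplicationId

# 3. Read the subscription back to confirm the endpoint and AAD settings were stored.
Get-AzEventGridSubscription -ResourceGroupName $resourceGroupName -TopicName $topicName `
    -EventSubscriptionName $subscriptionName | Format-List
```

The bearer token Event Grid sends is issued by the Azure AD tenant given as the tenant ID and has your application ID as its audience, so whatever provider is configured in the Function App's Authentication blade must accept tokens for that audience from that issuer; if it does not, step 1 passes but the function still returns 401 and the subscription keeps showing Unauthorized.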