Use Managed Identity for Event Grid Topics

Security · Event Grid · 2021_12

Use managed identities to deliver Event Grid Topic events.

Description

When delivering events you can use Managed Identities to authenticate event delivery. You can enable either system-assigned identity or user-assigned identity but not both. You can have at most two user-assigned identities assigned to a topic or domain.

Recommendation

Consider configuring a managed identity for each Event Grid Topic.

Examples

Configure with Azure template

To deploy Event Grid Topics that pass this rule:

• Set the identity.type to SystemAssigned or UserAssigned.
• If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Template snippet

{
    "type": "Microsoft.EventGrid/topics",
    "apiVersion": "2021-06-01-preview",
    "name": "[parameters('topicName')]",
    "location": "[parameters('location')]",
    "identity": {
        "type": "SystemAssigned"
    },
    "properties": {
        "disableLocalAuth": true,
        "publicNetworkAccess": "Disabled",
        "inputSchema": "CloudEventSchemaV1_0"
    }
}

Configure with Bicep

To deploy Event Grid Topics that pass this rule:

• Set the identity.type to SystemAssigned or UserAssigned.
• If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Bicep snippet

resource eventGrid 'Microsoft.EventGrid/topics@2021-06-01-preview' = {
  name: topicName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    disableLocalAuth: true
    publicNetworkAccess: 'Disabled'
    inputSchema: 'CloudEventSchemaV1_0'
  }
}

Links

• Use identity-based authentication
• Assign a managed identity to an Event Grid custom topic or domain
• Authenticate event delivery to event handlers
• Azure deployment reference

---

Last update: 2022-12-03

Comments