Microsoft.EventGrid systemTopics

Bicep resource definition

The systemTopics resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.EventGrid/systemTopics resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.EventGrid/systemTopics@2025-07-15-preview' = {
  identity: {
    principalId: 'string'
    tenantId: 'string'
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {
        clientId: 'string'
        principalId: 'string'
      }
    }
  }
  location: 'string'
  name: 'string'
  properties: {
    encryption: {
      customerManagedKeyEncryption: [
        {
          keyEncryptionKeyIdentity: {
            type: 'string'
            userAssignedIdentityResourceId: 'string'
          }
          keyEncryptionKeyUrl: 'string'
        }
      ]
    }
    platformCapabilities: {
      confidentialCompute: {
        mode: 'string'
      }
    }
    source: 'string'
    topicType: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}

Property Values

Microsoft.EventGrid/systemTopics

| Name | Description | Value |
| --- | --- | --- |
| identity | Identity information for the resource. | IdentityInfo |
| location | Location of the resource. | string (required) |
| name | The resource name | string (required) |
| properties | Properties of the system topic. | SystemTopicProperties |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |

ConfidentialCompute

| Name | Description | Value |
| --- | --- | --- |
| mode | This property specifies the mode of the Azure Confidential Compute configuration. Possible values are 'Disabled' or 'Enabled'. This is an immutable property set at the time of resource creation and cannot be modified later. Enabling this property ensures that messages are processed and stored in an Azure Confidential Compute environment. | 'Disabled'; 'Enabled' (required) |

CustomerManagedKeyEncryption

| Name | Description | Value |
| --- | --- | --- |
| keyEncryptionKeyIdentity | All identity configuration for customer-managed key settings, defining which identity should be used to authenticate to Key Vault. This is an optional property. When not specified, the SystemAssigned identity will be used. | KeyEncryptionKeyIdentity |
| keyEncryptionKeyUrl | Key encryption key URL. This URL can be either versioned (e.g., https://contosovault.vault.azure.net/keys/contosokek/562a4bb76b524a1493a6afe8e536ee78) or unversioned (e.g., https://contosovault.vault.azure.net/keys/contosokek). When a versioned URL is used, the Event Grid runtime keeps using that version of the key even after the key is rotated; it is the user's responsibility to update the URL with the new version by updating the namespace resource. When a URL without a version is used, Event Grid queries for the latest version of the key and uses it automatically. | string (required) |

IdentityInfo

| Name | Description | Value |
| --- | --- | --- |
| principalId | The principal ID of resource identity. | string |
| tenantId | The tenant ID of resource. | string |
| type | The type of managed identity used. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user-assigned identities. The type 'None' will remove any identity. | 'None'; 'SystemAssigned'; 'SystemAssigned, UserAssigned'; 'UserAssigned' |
| userAssignedIdentities | The list of user identities associated with the resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. This property is currently not used and reserved for future usage. | IdentityInfoUserAssignedIdentities |

IdentityInfoUserAssignedIdentities

Name Description Value

KeyEncryption

| Name | Description | Value |
| --- | --- | --- |
| customerManagedKeyEncryption | List of all customer-managed key encryption properties for the resource. However, only one key is supported at a time. | CustomerManagedKeyEncryption[] (required) |

KeyEncryptionKeyIdentity

| Name | Description | Value |
| --- | --- | --- |
| type | The type of managed identity used. Only UserAssigned or SystemAssigned Identity are supported. | 'SystemAssigned'; 'UserAssigned' (required) |
| userAssignedIdentityResourceId | Azure Resource fully qualified Id for the user-assigned identity associated with the resource. The resource Id takes the following format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | string |

PlatformCapabilities

| Name | Description | Value |
| --- | --- | --- |
| confidentialCompute | Represents the Azure Confidential Compute properties of the resource. | ConfidentialCompute |

SystemTopicProperties

| Name | Description | Value |
| --- | --- | --- |
| encryption | Key encryption configuration properties of the system topic resource. This is an optional property. When not specified, no key encryption is used. | KeyEncryption |
| platformCapabilities | Represents the platform capabilities of the resource, including Azure Confidential Compute related properties. | PlatformCapabilities |
| source | Source for the system topic. | string |
| topicType | TopicType for the system topic. | string |

TrackedResourceTags

Name Description Value

UserIdentityProperties

| Name | Description | Value |
| --- | --- | --- |
| clientId | The client id of user assigned identity. | string |
| principalId | The principal id of user assigned identity. | string |

Usage Examples

Azure Verified Modules

The following Azure Verified Modules can be used to deploy this resource type.

| Module | Description |
| --- | --- |
| Event Grid System Topic | AVM Resource Module for Event Grid System Topic |

Azure Quickstart Samples

The following Azure Quickstart templates contain Bicep samples for deploying this resource type.

| Bicep File | Description |
| --- | --- |
| Create Blob Storage and Event Grid subscription to the Blob | Creates Azure Blob Storage account and then creates an Event Grid subscription to that Blob. |
| Deploy Azure Data Explorer db with Event Grid connection | Deploy Azure Data Explorer db with Event Grid connection. |

ARM template resource definition

The systemTopics resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.EventGrid/systemTopics resource, add the following JSON to your template.

{
  "type": "Microsoft.EventGrid/systemTopics",
  "apiVersion": "2025-07-15-preview",
  "name": "string",
  "identity": {
    "principalId": "string",
    "tenantId": "string",
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
        "clientId": "string",
        "principalId": "string"
      }
    }
  },
  "location": "string",
  "properties": {
    "encryption": {
      "customerManagedKeyEncryption": [
        {
          "keyEncryptionKeyIdentity": {
            "type": "string",
            "userAssignedIdentityResourceId": "string"
          },
          "keyEncryptionKeyUrl": "string"
        }
      ]
    },
    "platformCapabilities": {
      "confidentialCompute": {
        "mode": "string"
      }
    },
    "source": "string",
    "topicType": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property Values

Microsoft.EventGrid/systemTopics

| Name | Description | Value |
| --- | --- | --- |
| apiVersion | The api version | '2025-07-15-preview' |
| identity | Identity information for the resource. | IdentityInfo |
| location | Location of the resource. | string (required) |
| name | The resource name | string (required) |
| properties | Properties of the system topic. | SystemTopicProperties |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| type | The resource type | 'Microsoft.EventGrid/systemTopics' |

ConfidentialCompute

| Name | Description | Value |
| --- | --- | --- |
| mode | This property specifies the mode of the Azure Confidential Compute configuration. Possible values are 'Disabled' or 'Enabled'. This is an immutable property set at the time of resource creation and cannot be modified later. Enabling this property ensures that messages are processed and stored in an Azure Confidential Compute environment. | 'Disabled'; 'Enabled' (required) |

CustomerManagedKeyEncryption

| Name | Description | Value |
| --- | --- | --- |
| keyEncryptionKeyIdentity | All identity configuration for customer-managed key settings, defining which identity should be used to authenticate to Key Vault. This is an optional property. When not specified, the SystemAssigned identity will be used. | KeyEncryptionKeyIdentity |
| keyEncryptionKeyUrl | Key encryption key URL. This URL can be either versioned (e.g., https://contosovault.vault.azure.net/keys/contosokek/562a4bb76b524a1493a6afe8e536ee78) or unversioned (e.g., https://contosovault.vault.azure.net/keys/contosokek). When a versioned URL is used, the Event Grid runtime keeps using that version of the key even after the key is rotated; it is the user's responsibility to update the URL with the new version by updating the namespace resource. When a URL without a version is used, Event Grid queries for the latest version of the key and uses it automatically. | string (required) |
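
The rules stated in this section's property tables (versioned key URLs stay pinned after rotation, omitted encryption means no key encryption, one key at a time, SystemAssigned is the default key identity, confidential compute mode is fixed at creation) can be checked before deployment. The following Python check over an ARM template is an added example, not part of the original reference or of any Microsoft tooling; the finding names, the sample resources, and the choice to flag a mode other than 'Enabled' are assumptions of this example.

```python
from urllib.parse import urlparse

TOPIC_TYPE = "Microsoft.EventGrid/systemTopics"

def classify_key_url(url):
    """Classify a Key Vault key URL as 'versioned', 'unversioned' or 'invalid'."""
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    if parsed.scheme != "https" or not parts or parts[0] != "keys":
        return "invalid"
    return {2: "unversioned", 3: "versioned"}.get(len(parts), "invalid")

def audit_system_topic(resource):
    """Return a sorted list of finding codes (names are this example's own)."""
    findings = set()
    props = resource.get("properties", {})
    identity_type = resource.get("identity", {}).get("type", "None")
    keys = props.get("encryption", {}).get("customerManagedKeyEncryption", [])
    if not keys:
        findings.add("no-key-encryption")       # encryption omitted: none is used
    if len(keys) > 1:
        findings.add("multiple-keys")           # only one key supported at a time
    for entry in keys:
        kind = classify_key_url(entry.get("keyEncryptionKeyUrl", ""))
        if kind == "versioned":
            findings.add("pinned-key-version")  # rotation needs a manual URL update
        elif kind == "invalid":
            findings.add("invalid-key-url")
        # SystemAssigned is used when keyEncryptionKeyIdentity is not specified.
        kek_type = entry.get("keyEncryptionKeyIdentity", {}).get("type", "SystemAssigned")
        # Assumption: that requires a system-assigned identity on the topic itself.
        if kek_type == "SystemAssigned" and "SystemAssigned" not in identity_type:
            findings.add("kek-identity-not-on-resource")
    mode = props.get("platformCapabilities", {}).get("confidentialCompute", {}).get("mode")
    if mode != "Enabled":
        findings.add("confidential-compute-not-enabled")  # immutable after creation
    return sorted(findings)

def audit_template(template):
    return {r["name"]: audit_system_topic(r)
            for r in template.get("resources", []) if r.get("type") == TOPIC_TYPE}

# Constructed sample template; resource names are placeholders, URLs are the page's examples.
SAMPLE = {"resources": [
    {"type": TOPIC_TYPE, "name": "pinned", "identity": {"type": "UserAssigned"},
     "properties": {"encryption": {"customerManagedKeyEncryption": [
         {"keyEncryptionKeyUrl": "https://contosovault.vault.azure.net/keys/contosokek/562a4bb76b524a1493a6afe8e536ee78"}]}}},
    {"type": TOPIC_TYPE, "name": "hardened", "identity": {"type": "SystemAssigned"},
     "properties": {
         "encryption": {"customerManagedKeyEncryption": [
             {"keyEncryptionKeyUrl": "https://contosovault.vault.azure.net/keys/contosokek"}]},
         "platformCapabilities": {"confidentialCompute": {"mode": "Enabled"}}}},
]}
```
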

IdentityInfo

| Name | Description | Value |
| --- | --- | --- |
| principalId | The principal ID of resource identity. | string |
| tenantId | The tenant ID of resource. | string |
| type | The type of managed identity used. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user-assigned identities. The type 'None' will remove any identity. | 'None'; 'SystemAssigned'; 'SystemAssigned, UserAssigned'; 'UserAssigned' |
| userAssignedIdentities | The list of user identities associated with the resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. This property is currently not used and reserved for future usage. | IdentityInfoUserAssignedIdentities |

IdentityInfoUserAssignedIdentities

Name Description Value

KeyEncryption

| Name | Description | Value |
| --- | --- | --- |
| customerManagedKeyEncryption | List of all customer-managed key encryption properties for the resource. However, only one key is supported at a time. | CustomerManagedKeyEncryption[] (required) |

KeyEncryptionKeyIdentity

| Name | Description | Value |
| --- | --- | --- |
| type | The type of managed identity used. Only UserAssigned or SystemAssigned Identity are supported. | 'SystemAssigned'; 'UserAssigned' (required) |
| userAssignedIdentityResourceId | Azure Resource fully qualified Id for the user-assigned identity associated with the resource. The resource Id takes the following format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | string |

PlatformCapabilities

| Name | Description | Value |
| --- | --- | --- |
| confidentialCompute | Represents the Azure Confidential Compute properties of the resource. | ConfidentialCompute |

SystemTopicProperties

| Name | Description | Value |
| --- | --- | --- |
| encryption | Key encryption configuration properties of the system topic resource. This is an optional property. When not specified, no key encryption is used. | KeyEncryption |
| platformCapabilities | Represents the platform capabilities of the resource, including Azure Confidential Compute related properties. | PlatformCapabilities |
| source | Source for the system topic. | string |
| topicType | TopicType for the system topic. | string |

TrackedResourceTags

Name Description Value

UserIdentityProperties

| Name | Description | Value |
| --- | --- | --- |
| clientId | The client id of user assigned identity. | string |
| principalId | The principal id of user assigned identity. | string |

Usage Examples

Azure Quickstart Templates

The following Azure Quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Create Blob Storage and Event Grid subscription to the Blob | Creates Azure Blob Storage account and then creates an Event Grid subscription to that Blob. |
| Deploy Azure Data Explorer db with Event Grid connection | Deploy Azure Data Explorer db with Event Grid connection. |

Terraform (AzAPI provider) resource definition

The systemTopics resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.EventGrid/systemTopics resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.EventGrid/systemTopics@2025-07-15-preview"
  name = "string"
  parent_id = "string"
  identity {
    type = "string"
    identity_ids = [
      "string"
    ]
  }
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    properties = {
      encryption = {
        customerManagedKeyEncryption = [
          {
            keyEncryptionKeyIdentity = {
              type = "string"
              userAssignedIdentityResourceId = "string"
            }
            keyEncryptionKeyUrl = "string"
          }
        ]
      }
      platformCapabilities = {
        confidentialCompute = {
          mode = "string"
        }
      }
      source = "string"
      topicType = "string"
    }
  }
}

Property Values

Microsoft.EventGrid/systemTopics

| Name | Description | Value |
| --- | --- | --- |
| identity | Identity information for the resource. | IdentityInfo |
| location | Location of the resource. | string (required) |
| name | The resource name | string (required) |
| properties | Properties of the system topic. | SystemTopicProperties |
| tags | Resource tags | Dictionary of tag names and values. |
| type | The resource type | "Microsoft.EventGrid/systemTopics@2025-07-15-preview" |

ConfidentialCompute

| Name | Description | Value |
| --- | --- | --- |
| mode | This property specifies the mode of the Azure Confidential Compute configuration. Possible values are 'Disabled' or 'Enabled'. This is an immutable property set at the time of resource creation and cannot be modified later. Enabling this property ensures that messages are processed and stored in an Azure Confidential Compute environment. | 'Disabled'; 'Enabled' (required) |

CustomerManagedKeyEncryption

| Name | Description | Value |
| --- | --- | --- |
| keyEncryptionKeyIdentity | All identity configuration for customer-managed key settings, defining which identity should be used to authenticate to Key Vault. This is an optional property. When not specified, the SystemAssigned identity will be used. | KeyEncryptionKeyIdentity |
| keyEncryptionKeyUrl | Key encryption key URL. This URL can be either versioned (e.g., https://contosovault.vault.azure.net/keys/contosokek/562a4bb76b524a1493a6afe8e536ee78) or unversioned (e.g., https://contosovault.vault.azure.net/keys/contosokek). When a versioned URL is used, the Event Grid runtime keeps using that version of the key even after the key is rotated; it is the user's responsibility to update the URL with the new version by updating the namespace resource. When a URL without a version is used, Event Grid queries for the latest version of the key and uses it automatically. | string (required) |

IdentityInfo

| Name | Description | Value |
| --- | --- | --- |
| principalId | The principal ID of resource identity. | string |
| tenantId | The tenant ID of resource. | string |
| type | The type of managed identity used. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user-assigned identities. The type 'None' will remove any identity. | 'None'; 'SystemAssigned'; 'SystemAssigned, UserAssigned'; 'UserAssigned' |
| userAssignedIdentities | The list of user identities associated with the resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. This property is currently not used and reserved for future usage. | IdentityInfoUserAssignedIdentities |

IdentityInfoUserAssignedIdentities

Name Description Value

KeyEncryption

| Name | Description | Value |
| --- | --- | --- |
| customerManagedKeyEncryption | List of all customer-managed key encryption properties for the resource. However, only one key is supported at a time. | CustomerManagedKeyEncryption[] (required) |

KeyEncryptionKeyIdentity

| Name | Description | Value |
| --- | --- | --- |
| type | The type of managed identity used. Only UserAssigned or SystemAssigned Identity are supported. | 'SystemAssigned'; 'UserAssigned' (required) |
| userAssignedIdentityResourceId | Azure Resource fully qualified Id for the user-assigned identity associated with the resource. The resource Id takes the following format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | string |

PlatformCapabilities

| Name | Description | Value |
| --- | --- | --- |
| confidentialCompute | Represents the Azure Confidential Compute properties of the resource. | ConfidentialCompute |

SystemTopicProperties

| Name | Description | Value |
| --- | --- | --- |
| encryption | Key encryption configuration properties of the system topic resource. This is an optional property. When not specified, no key encryption is used. | KeyEncryption |
| platformCapabilities | Represents the platform capabilities of the resource, including Azure Confidential Compute related properties. | PlatformCapabilities |
| source | Source for the system topic. | string |
| topicType | TopicType for the system topic. | string |

TrackedResourceTags

Name Description Value

UserIdentityProperties

| Name | Description | Value |
| --- | --- | --- |
| clientId | The client id of user assigned identity. | string |
| principalId | The principal id of user assigned identity. | string |

Usage Examples

Terraform Samples

A basic example of deploying Event Grid System Topic.

terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type    = string
  default = "acctest0001"
}

variable "location" {
  type    = string
  default = "westeurope"
}

resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}

resource "azapi_resource" "systemTopic" {
  type      = "Microsoft.EventGrid/systemTopics@2021-12-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = "global"
  body = {
    properties = {
      source    = azapi_resource.resourceGroup.id
      topicType = "Microsoft.Resources.ResourceGroups"
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}