
Event Grid cross-tenant delivery using Managed Identity fails with “Internal error” when creating Event Subscription

EliT 0 Reputation points
2025-11-27T09:37:37.2433333+00:00

Hi,

I’m implementing cross-tenant Event Grid delivery using Managed Identity, following this official Microsoft doc:

https://learn.microsoft.com/azure/event-grid/cross-tenant-delivery-using-managed-identity

I have two tenants:

  • Customer tenant (Tenant A)
    • Contains the Storage Account
    • Has the Event Grid system topic
    • Created a user-assigned managed identity (UAMI) and assigned it to the system topic
    • Trying to create a cross-tenant event subscription
  • Vega (SaaS) tenant (Tenant B)
    • Contains a Service Bus namespace + queue
    • Contains a **multi-tenant application** with a **Federated Identity Credential (FIC)**
      • Issuer = Customer tenant
      • Subject = clientId of the UAMI
      • Audience = `api://AzureADTokenExchange`
    • The Vega app’s service principal has **Azure Service Bus Data Sender** role on the queue

This matches the steps described in the documentation exactly.


Problem

When I try to create the Event Grid subscription in the customer tenant using cross-tenant delivery:

Endpoint type: Service Bus Queue

Cross-tenant delivery: Enabled

Managed identity type: User Assigned

Managed identity: the UAMI assigned to the system topic

Federated identity credentials (multitenant application ID): the Vega appId

The deployment fails immediately with:

Deployment has failed with the following error:
{"code":"Internal error","message":"The operation failed due to an internal server error. 
The initial state of the impacted resources (if any) are restored. 
Please try again in few minutes. If error still persists, report 
12471e63-0fca-4eec-bc39-6d75375764cb:11/27/2025 8:59:39 AM (UTC) 
to our forums for assistance or raise a support ticket ."}

There are no additional details in Activity Log.

Operation ID shown in the error:

12471e63-0fca-4eec-bc39-6d75375764cb
Timestamp: 2025-11-27 08:59:39 UTC

Azure Event Grid


1 answer

  1. Siddhesh Desai 7,055 Reputation points Microsoft External Staff Moderator
    2025-12-23T16:05:37.3866667+00:00

    Hi @EliT

    Thank you for reaching out to Microsoft Q&A

    Event Grid requires a SessionId when delivering to a session-enabled queue; otherwise, the portal/ARM call often surfaces only “Internal error”. Either disable sessions on the queue or add a Delivery Property for SessionId when creating the event subscription (portal: Delivery properties, add SessionId with a static value; ARM/CLI: the delivery properties block).

    Assign Azure Service Bus Data Sender at the namespace scope as well; you can keep the queue-level assignment, just add the namespace-level one:

    az role assignment create \
      --assignee <xxxxxxx> \
      --role "Azure Service Bus Data Sender" \
      --scope /subscriptions/<xxxxx>/resourceGroups/<xxxx>/providers/Microsoft.ServiceBus/namespaces/<xxxxx>
    

    Your namespace shows defaultAction: Allow and trustedServiceAccessEnabled: false. With Allow, the “trusted services” bypass isn’t required.

    Toggle trusted services bypass to true (even though Allow) and re‑apply:

    az servicebus namespace network-rule-set update \
      --resource-group xxxxxxxx \
      --namespace-name xxxxxxxxx \
      --trusted-service-access-enabled true
    

    Your issuer and subject UAMI clientId look right. If the enterprise app (Vega) wasn’t properly consented or if there’s a stale SP, the exchange can fail without a clear portal error.

    Re-generate the FIC (delete and recreate) to rule out hidden characters.

    In Tenant B, check Entra sign-in logs filtered to the Vega app at the timestamp of the creation attempt; you should see token exchange entries. Any aud/iss/sub mismatch will be explicit there.

    Confirm the Vega app is multi-tenant and that the Service Principal exists in Tenant B; you already have the SP id from the role assignment.

    You can fetch the internal error for your Operation ID by using the REST API below:

    # Replace with Tenant A subscription where you ran the create
    az rest --method get \
      --url "https://management.azure.com/subscriptions/xxxxx/providers/Microsoft.EventGrid/operationsStatus/xxxxxxxxxb?api-version=2022-06-15"
    

    You can recreate the subscription using the Azure CLI again:

    # IDs
    SB_QUEUE_ID="/subscriptions/xxxxx/resourceGroups/xxxxxx/providers/Microsoft.ServiceBus/namespaces/xxxxxx/queues/xxxxx"
    UAMI_ID="/subscriptions/xxxxx/resourceGroups/xxxxx/providers/Microsoft.ManagedIdentity/userAssignedIdentities/xxxxx"
    SYSTEM_TOPIC_ID="/subscriptions/xxxx/resourceGroups/xxxxx/providers/Microsoft.EventGrid/systemTopics/xxxxxx"
    Client_Id="xxxxxxx"   # appId of the multi-tenant (Vega) application in Tenant B
    # If your queue uses sessions, set a SessionId delivery property
    SESSION_ID="xxxxxx"   # choose any static string
    # Create the subscription (with --delivery-identity, the endpoint is given via the delivery-identity flags)
    az eventgrid event-subscription create \
      --name xxxxx \
      --source-resource-id "xxxxxx" \
      --delivery-identity userassigned \
      --delivery-identity-resource-id "$UAMI_ID" \
      --delivery-identity-endpoint-type servicebusqueue \
      --delivery-identity-endpoint "$SB_QUEUE_ID" \
      --delivery-identity-federated-credential-application-id "$Client_Id" \
      --delivery-properties "key=SessionId value=$SESSION_ID"   # <-- add only if queue has sessions
    

    Ensure the DL Storage grants the delivery identity Storage Blob Data Contributor. Missing DL permissions cause creation errors.
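A pre-flight check for the three points raised in the answer above (FIC issuer/subject/audience and hidden characters, Data Sender role scope, and the SessionId delivery property for a session-enabled queue). This is an added example, not code from this thread, from Microsoft, or from the Azure CLI; every id in it is a constructed placeholder shaped like the JSON that `az identity federated-credential show`, `az role assignment list` and `az servicebus queue show` return, and the expected issuer URL format `https://login.microsoftonline.com/<tenantId>/v2.0` is an assumption.

```python
"""Pre-flight validation of an Event Grid cross-tenant delivery setup (added example)."""
import unicodedata
from typing import Dict, List

TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
DATA_SENDER_ROLE = "Azure Service Bus Data Sender"


def hidden_chars(value: str) -> List[str]:
    """Names of format/control characters (zero-width space, BOM, ...) hiding in a pasted value."""
    return [unicodedata.name(ch, f"U+{ord(ch):04X}")
            for ch in value if unicodedata.category(ch) in ("Cf", "Cc")]


def check_federated_credential(fic: Dict[str, object], customer_tenant_id: str,
                               uami_client_id: str) -> List[str]:
    """Compare a FIC (as shown by `az identity federated-credential show`) with the expected values."""
    problems: List[str] = []
    issuer = str(fic.get("issuer", ""))
    subject = str(fic.get("subject", ""))
    audiences = [str(a) for a in (fic.get("audiences") or [])]
    # Assumption: the customer-tenant issuer has this v2.0 form.
    expected_issuer = f"https://login.microsoftonline.com/{customer_tenant_id}/v2.0"
    if issuer.rstrip("/") != expected_issuer:
        problems.append(f"issuer is {issuer!r}, expected {expected_issuer!r}")
    if subject.lower() != uami_client_id.lower():
        problems.append(f"subject is {subject!r}, expected UAMI clientId {uami_client_id!r}")
    if TOKEN_EXCHANGE_AUDIENCE not in audiences:
        problems.append(f"audiences {audiences} lack {TOKEN_EXCHANGE_AUDIENCE!r}")
    for field, value in (("issuer", issuer), ("subject", subject)):
        for name in hidden_chars(value):
            problems.append(f"{field} contains hidden character {name}")
    return problems


def scope_covers(scope: str, resource_id: str) -> bool:
    """True when `scope` is the resource itself or a parent (namespace, resource group, subscription)."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def check_sender_role(assignments: List[Dict[str, str]], principal_id: str, queue_id: str) -> List[str]:
    """Require a Data Sender assignment for the app's service principal at queue scope or above."""
    for a in assignments:
        if (a.get("principalId", "").lower() == principal_id.lower()
                and a.get("roleDefinitionName") == DATA_SENDER_ROLE
                and scope_covers(a.get("scope", ""), queue_id)):
            return []
    return [f"no {DATA_SENDER_ROLE!r} assignment for {principal_id} covering {queue_id}"]


def check_session_delivery(queue: Dict[str, object], delivery_properties: Dict[str, str]) -> List[str]:
    """A session-enabled queue (requiresSession=true) needs a static SessionId delivery property."""
    if queue.get("requiresSession") and not delivery_properties.get("SessionId"):
        return ["queue requires sessions but the subscription sets no SessionId delivery property"]
    return []


def preflight(cfg: Dict[str, object]) -> Dict[str, List[str]]:
    """Run all checks; an empty list for a check means it passed."""
    return {
        "federated_credential": check_federated_credential(
            cfg["fic"], cfg["customer_tenant_id"], cfg["uami_client_id"]),
        "sender_role": check_sender_role(cfg["role_assignments"], cfg["app_principal_id"], cfg["queue_id"]),
        "session_delivery": check_session_delivery(cfg["queue"], cfg["delivery_properties"]),
    }


# Constructed sample mirroring the thread's layout; every id is a placeholder, not a real tenant.
TENANT_A = "11111111-1111-1111-1111-111111111111"
UAMI_CLIENT_ID = "22222222-2222-2222-2222-222222222222"
APP_SP_ID = "33333333-3333-3333-3333-333333333333"
NAMESPACE_ID = ("/subscriptions/44444444-4444-4444-4444-444444444444/resourceGroups/vega-rg"
                "/providers/Microsoft.ServiceBus/namespaces/vega-sb")
QUEUE_ID = NAMESPACE_ID + "/queues/events"

SAMPLE = {
    "customer_tenant_id": TENANT_A,
    "uami_client_id": UAMI_CLIENT_ID,
    "app_principal_id": APP_SP_ID,
    "queue_id": QUEUE_ID,
    "fic": {  # subject carries a zero-width space, the kind of hidden character a copy/paste leaves behind
        "issuer": f"https://login.microsoftonline.com/{TENANT_A}/v2.0",
        "subject": UAMI_CLIENT_ID + "\u200b",
        "audiences": [TOKEN_EXCHANGE_AUDIENCE],
    },
    "role_assignments": [
        {"principalId": APP_SP_ID, "roleDefinitionName": DATA_SENDER_ROLE, "scope": NAMESPACE_ID},
    ],
    "queue": {"name": "events", "requiresSession": True},
    "delivery_properties": {},
}

if __name__ == "__main__":
    for check, problems in preflight(SAMPLE).items():
        print(f"[{'FAIL' if problems else 'OK'}] {check}")
        for p in problems:
            print("      -", p)
```

Run it with the real values from `az identity federated-credential show`, `az role assignment list --all` and `az servicebus queue show` pasted into SAMPLE; a namespace-scoped assignment passes the role check because its scope is a prefix of the queue id, and the hidden-character check is what turns a "looks right" subject into an actionable finding.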
