Can't update Azure Event Grid Partner Topic from a PowerShell AzureFunction

Cyril Lacroix 1 Reputation point
2023-02-06T10:46:24.9533333+00:00

I want to update a Subscription of an Azure Event Grid Partner Topic to change the ExpirationDateTime.

To do so I'm using a PowerShell AzureFunction authenticated with an App Registration on GraphAPI. I'm using the Update-MgSubscription function to update the field above.

When I execute the function I get the following error message: "The app id 'appid' is not enabled for event grid subscription." where 'appid' is the id of my App Registration.

I was able to update the field with Graph Explorer but I couldn't manage to find a specific permission to do it with the App Registration. I've tried to allow the App in the IAM of the Azure Event Grid Partner Topic with no success.

Any idea?

Azure Event Grid

2 answers

  1. Limitless Technology 43,961 Reputation points
    2023-02-06T15:23:53.11+00:00

    Hi. Thank you for your question and for reaching out. I’d be more than happy to help you with your query.

    The error message "The app id 'appid' is not enabled for event grid subscription" suggests that the app you are using to update the subscription is not authorized to perform this action.

    To resolve this issue, you may need to grant the app the necessary permissions to update the subscription. To do this, you can use Azure Role-Based Access Control (RBAC) to assign the app the "Contributor" or "Event Grid Publisher" role on the Azure Event Grid Partner Topic.

    Here are the steps to assign the role:

    1. Open the Azure portal.
    2. Go to the Azure Event Grid Partner Topic for which you want to assign the role.
    3. Click on "Access control (IAM)" in the left-side menu.
    4. Click on "Add role assignment".
    5. In the "Add role assignment" blade, select the "Contributor" or "Event Grid Publisher" role.
    6. In the "Assign access to" field, select "App".
    7. In the search box, type in the name of the app that you want to assign the role to.
    8. Select the app from the list.
    9. Click on "Save" to assign the role.

    After these steps, the app should have the necessary permissions to update the subscription. You can then retry the update process and the error message should be resolved.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.


  2. Mike Urnun 9,676 Reputation points Microsoft Employee
    2023-02-08T05:23:09.26+00:00

    Hello @Cyril Lacroix - The doc states the following:

    At some point in the sample, you will have an application registered with Azure AD. Email your application ID to ask-graph-and-grid@service.microsoft.com (subject: "Please allow my Azure AD application with ID to send events through Graph API") so that the Microsoft Graph API team can add your application ID to allow list to use this new capability.

    While you did say in your post above that the PowerShell AzureFunction is authenticated with an App Registration on GraphAPI, I wanted to confirm if the function executing the Update-MgSubscription is part of the same Function App.

    The list of Permissions required is here: https://learn.microsoft.com/en-us/graph/api/subscription-update?view=graph-rest-1.0&tabs=powershell#permissions
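
An added example, not code from the posters or from Microsoft: a renewal function for the scenario in the question that records which app ID the call actually ran as and separates the allow-list error quoted in the question from any other failure. The function name and the environment variable names are assumptions; it assumes the Microsoft Graph PowerShell SDK and certificate-based app-only sign-in for the App Registration.

```powershell
# Added example. Function name and environment variable names are assumptions.
function Update-SubscriptionExpiry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [int] $ExtendMinutes = 60   # maximum lifetime depends on the subscribed resource
    )

    # App-only sign-in as the App Registration (certificate credential).
    Connect-MgGraph -TenantId $env:TENANT_ID -ClientId $env:CLIENT_ID `
        -CertificateThumbprint $env:CERT_THUMBPRINT | Out-Null

    $ctx       = Get-MgContext
    $newExpiry = (Get-Date).ToUniversalTime().AddMinutes($ExtendMinutes)
    $result    = [ordered]@{
        SubscriptionId = $SubscriptionId
        CallingAppId   = $ctx.ClientId   # compare with the app id quoted in the error
        AuthType       = $ctx.AuthType   # AppOnly here; Graph Explorer calls are Delegated
        Status         = $null
        Detail         = $null
    }

    try {
        Update-MgSubscription -SubscriptionId $SubscriptionId `
            -ExpirationDateTime $newExpiry -ErrorAction Stop | Out-Null
        # Read the subscription back rather than trusting the request value.
        $current = Get-MgSubscription -SubscriptionId $SubscriptionId -ErrorAction Stop
        $result.Status = 'Renewed'
        $result.Detail = "Expires $($current.ExpirationDateTime.ToString('o'))"
    }
    catch {
        $message = (@($_.Exception.Message, $_.ErrorDetails.Message) -join ' ').Trim()
        if ($message -match 'not enabled for event grid subscription') {
            # The error from the question: the app id is not on the allow list
            # described in the documentation quoted in the second answer.
            $result.Status = 'AppNotAllowListed'
        }
        else {
            $result.Status = 'Failed'
        }
        $result.Detail = $message
    }

    [pscustomobject]$result
}

# Example call from the function's run script (SUBSCRIPTION_ID is an assumed app setting):
Update-SubscriptionExpiry -SubscriptionId $env:SUBSCRIPTION_ID | Format-List
```

Logging `CallingAppId` and `AuthType` on every run makes it clear whether a failure belongs to the App Registration's identity or to a different caller, which is the difference between the Graph Explorer test and the function in the question.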