Azure Functions Event Grid Trigger Authentication Issues

Elias Vargas Loyola 0 Reputation points
2025-03-13T16:07:54.1966667+00:00

I'm having an issue with Azure Functions and Event Grid with authentication enabled.

I have an Azure Function (Java 11 + Maven) with an Event Grid Trigger from Storage Account with Event Grid Systems that was working correctly using Function Keys. However, after enabling Authentication in the Function App through the Azure Portal, Event Grid started receiving 401 Unauthorized errors, even though the event grid is linked as system identity.

I need to enable authentication to protect my function from anonymous calls, but I need my Event Grid function to keep working, so this is what I did:

  1. Create the resource group:
   az group create --name rg-event-hub-fn-01 --location westus
  2. Create the storage account and container:
   az storage account create \
   --name staccwestus01 \
   --resource-group rg-event-hub-fn-01 \
   --location westus \
   --sku Standard_LRS
   az storage container create \
   --account-name staccwestus01 \
   --name contracts \
   --public-access off

Created 2 folders inside the contracts container: approved / rejected.

  3. Create the service plan for the Azure Function:
   az functionapp plan create \
   --name sp-azure-function-event-grid-01 \
   --resource-group rg-event-hub-fn-01 \
   --location westus \
   --sku B1 \
   --is-linux
  4. Create the Azure Function:
   az functionapp create \
   --resource-group rg-event-hub-fn-01 \
   --name azure-function-event-example-01 \
   --storage-account staccwestus01 \
   --plan sp-azure-function-event-grid-01 \
   --runtime java \
   --runtime-version 11 \
   --functions-version 4 \
   --os-type Linux \
   --assign-identity
  5. Package the project and deploy it:
   mvn clean package azure-functions:package
   az functionapp deployment source config-zip \
   --resource-group rg-event-hub-fn-01 \
   --name azure-function-event-example-01 \
   --src function.zip
  6. Create the Event Grid system topic through the Azure Portal:
    • Open the Storage Account resource staccwestus01.
    • In the left menu, open the "Events" section.
    • "Event Grid".
    • "Create Event Subscription".
    • Name: event-grid-sys-subsc-fn-01
    • Event Schema: Event Grid Schema.
    • Topic Type: Storage Account
    • Source Resource: staccwestus01
    • System Topic Name: staccwestus-event-grid-theme-01
    • Event Types: Microsoft.Storage.BlobCreated
    • Endpoint Type: Azure Function
    • Subscription: My Azure subscription.
    • Resource Group: rg-event-hub-fn-01
    • Function App: azure-function-event-example-01
    • Function Name: EventGridStorageAccountJava
    • In the Filter tab, "Subject Filter" section.
    • Subject Begins With: /blobServices/default/containers/contracts/blobs/approved
  7. Upload a file to the folder: This worked without issues.


  8. POST through Postman to the Event Grid webhook: This also worked without issues.


  9. Enable the authentication option on the Azure Function:
    • In the Azure Function azure-function-event-example-01, under Authentication Settings:
    • Configure the Microsoft Provider
    • Under "Identity provider", select Microsoft
    • "Create a new app registration" (as default).
    • App registration name: Keep the default suggested name.
    • Secret expiration: 180 days
    • Account types: Current tenant
    • Client application requirement: Allow requests only from this application itself.
    • Identity requirement: Allow requests from any identity
    • Tenant requirement: Allow requests only from the issuer tenant
    • Restrict access: Require authentication
    • Unauthenticated requests: HTTP 401 Unauthorized: recommended for APIs
    • Token Store: Check
  10. Enable the system identity on the Event Grid system topic and grant it roles on the Azure Function:
    • In the Event Grid System Topic staccwestus-event-grid-theme-01, set "Status" to On.
    • Go to the Function app azure-function-event-example-01 and assign the role "Contributor" to "Event Grid Topic Systems".
    • Restart the Azure Function
  11. Upload a file to the folder:

Attempted to upload a file to the folder, which resulted in a 401 error.


  12. POST through Postman to the Event Grid webhook: This also resulted in a 401 error.


Finally, I need to keep authentication enabled to prevent anonymous calls, for example to the function's home page.

1 answer
    Elias Vargas Loyola 0 Reputation points
    2025-03-21T22:56:29.92+00:00

    Finally, after a full week of reading documentation and watching videos on YouTube, I figured out how to configure and connect. I’m leaving the steps here in case someone needs them in the future. Microsoft has a script and other stuff to do it, but I think these steps are better.

    Before starting, these are the required variables for all configurations. Fill them in as you proceed through the instructions.

    TENANT_ID="<<REPLACE_TENANT_ID>>"
    EVENTGRID_APPID="<<REPLACE_EVENTGRID_APPID>>"
    APP_ID="<<REPLACE_APP_ID>>"
    APP_URI="<<REPLACE_APP_URI>>"
    RESOURCE_GROUP="rg-event-hub-fn-01"
    SYSTEM_TOPIC_NAME="staccwestus-event-grid-theme-01"
    FUNCTION_URL="<<REPLACE_FUNCTION_URL>>"
    SUBJECT_PREFIX="/blobServices/default/containers/contracts/blobs/approved"
    EVENT_TYPE="Microsoft.Storage.BlobCreated"
    

    All configurations are based on the resources created in the question above.

    1. Obtain the Application ID of Event Grid

    • Search for the application "Microsoft.EventGrid" in the "Microsoft Entra ID" section.
    • Copy the Application ID and save it in the variables list under "EVENTGRID_APPID".

    2. Update the Azure Function

    • In your Azure Function, verify that no authentication method or identity provider is configured. If one is already enabled, remove it.
    • Navigate to your Azure Function, e.g., "EventGridStorageAccountJava".
    • Go to the "Code + Test" tab and select "Get function URL".
    • A panel will appear on the right with a list of URLs. Copy the function URL and save it in the variable FUNCTION_URL.

    3. Create an App / Service Principal to Connect Event Grid with Azure Function

    • Create a new App Registration:
    • Name: event-grid-sys-subsc-app-01
    • Supported Account Type: Select "Accounts in this organizational directory only"
    • Leave everything else as default and create it.
    • Copy the Application ID and save it in the variables list under "APP_ID".
    • Copy the Directory (Tenant) ID and save it in the variables list under "TENANT_ID".
    • In the "Application ID URI", click "Add an Application ID URI".
    • In the new view, click the "Add" link.
    • Leave everything as default and click the "Add" button.
    • The Application ID URI will now be displayed. Copy it and save it in the variable APP_URI.

    4. Create an App Role

    • In the newly created app / service principal, go to Manage → App Roles in the left menu.
    • Create a new Role:
    • Display Name: AzureEventGridSecureWebhookSubscriber
    • Allow Member Types: Both (User/Groups + Applications)
    • Value: AzureEventGridSecureWebhookSubscriber
    • Description: Event Grid Sender
    • Do you want to enable this app role?: True (Checked)
    • Click "Apply".

    5. Assign API Permissions to the App

    • In the newly created app, go to Manage → API Permissions in the left menu.
    • Click "+ Add a permission".
    • Click on the "APIs my organization uses" tab.
    • In the search bar, enter the name of the app/service principal created before (event-grid-sys-subsc-app-01) and select it.
    • Select Application permissions and, under the Permissions section, choose the role created before (AzureEventGridSecureWebhookSubscriber).
    • Click the "Add permissions" button.
    • Back in the Manage → API Permissions screen, click "Grant admin consent for Default Directory".

    6. Create a new client secret and save it securely.

    7. Assign Permissions to the just created App / Service Principal

    • Navigate to the System Topic, in this case "staccwestus-event-grid-theme-01".
    • Go to "Access Control (IAM)" and assign a new role:
    • Selected Role: EventGrid Contributor
    • Assign Access To: User, group, or service principal
    • Members: Select "Members", then search for and select the app created in Step 3 (event-grid-sys-subsc-app-01).
    • Wait 5 minutes for Azure to update role assignments.

    8. Create Event Subscriptions

    • Open Azure Cloud Shell (Bash).
    • Paste into the console all the variables defined at the beginning (with values updated).
    • Log in using the Service Principal by running:
    az login --service-principal --username "$APP_ID" --tenant "$TENANT_ID"
    
    • It will prompt for a password. Enter the client secret created.
    • Once successfully logged in, execute the command:
    az eventgrid system-topic event-subscription create \
    --name "event-grid-sys-subsc-fn-01" \
    --resource-group "$RESOURCE_GROUP" \
    --system-topic-name "$SYSTEM_TOPIC_NAME" \
    --endpoint "$FUNCTION_URL" \
    --subject-begins-with "$SUBJECT_PREFIX" \
    --included-event-types "$EVENT_TYPE" \
    --azure-active-directory-tenant-id "$TENANT_ID" \
    --azure-active-directory-application-id-or-uri "$APP_ID"
    

    9. Configure Identity Provider in the Azure Function

    • Open the Azure Function "azure-function-event-example-01".
    • Enable authentication and select Microsoft as the Identity Provider.
    • Fill it in like this:
    • Choose a tenant for your application and its users: Workforce configuration (current tenant)
    • App registration type: Pick an existing app registration in this directory
    • Name or App ID: Select the app created in Step 3 (event-grid-sys-subsc-app-01).
    • Client secret expiration: 180 days
    • Client application requirement: Allow requests only from this application itself
    • Identity requirement: Allow requests from any identity
    • Tenant requirement: Allow requests only from the issuer tenant
    • Restrict access: Require authentication
    • Unauthenticated requests: HTTP 401
    • Any other field not listed should remain as default
    • Click "Add" and refresh the Settings → Authentication view.
    • The new configured provider will appear. Click "Edit".
    • A list of fields will appear. Make the following changes:
    • Allowed token audiences: Paste the value stored in the variable APP_URI.
    • Client application requirement: Allow requests only from specific client applications
    • Click the edit pencil icon, a right-side panel will open.
    • Add a new entry by pasting the value stored in the EVENTGRID_APPID variable.
    • Click OK.
    • Any other field not listed should remain as default.
    • Click "Save".
    • Return to the Function Overview and click "Restart".
    • A confirmation window will appear. Click "Yes".
    • Wait 10 minutes for changes to take effect.
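As an added example that is not part of the original question or answer, the following Python mirrors the three Easy Auth settings changed in Step 9 (tenant requirement, allowed token audience APP_URI, allowed client application EVENTGRID_APPID) as an explicit claims-policy check, so a reader can see which claim each setting gates and why a token from an unlisted caller or with a different audience gets a 401. The GUID-like values and the unsigned test token are constructed placeholders; signature and issuer validation are assumed to have happened upstream (Easy Auth does that) and are not repeated here.

```python
import base64
import json

# Constructed placeholder values standing in for the answer's variables.
TENANT_ID = "tenant-id-placeholder"
EVENTGRID_APPID = "eventgrid-appid-placeholder"   # the Microsoft.EventGrid application
APP_ID = "app-id-placeholder"                     # event-grid-sys-subsc-app-01
APP_URI = f"api://{APP_ID}"                       # default Application ID URI shape

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWS (signature assumed verified upstream)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))

def evaluate_policy(claims: dict, tenant_id: str, allowed_audiences: set, allowed_client_apps: set):
    """Apply the three Step 9 settings in order and return (allowed, reason)."""
    # Tenant requirement: allow requests only from the issuer tenant.
    if claims.get("tid") != tenant_id:
        return False, "tenant requirement failed"
    # Allowed token audiences: the answer adds APP_URI to this list.
    if claims.get("aud") not in allowed_audiences:
        return False, "audience not allowed"
    # Client application requirement: v1 tokens carry appid, v2 tokens carry azp.
    caller = claims.get("azp") or claims.get("appid")
    if caller not in allowed_client_apps:
        return False, "client application not allowed"
    return True, "ok"

def make_test_token(claims: dict) -> str:
    """Build an unsigned, constructed token for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"

def step9_policy():
    """The allow-list exactly as the answer configures it in Step 9."""
    return TENANT_ID, {APP_URI}, {EVENTGRID_APPID}

def check(jwt: str):
    """Evaluate a token against the Step 9 policy."""
    return evaluate_policy(token_claims(jwt), *step9_policy())
```

A request whose token fails any of the three checks is the same situation the question describes with Postman or with the default provider settings: the function is reached but answers 401 before user code runs.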
