How to set Bearer token authentication between system topic and B2 service with Event as webhook
I want to set the push delivery mode by using system grid, the flow will be like: event hub -> system topic -> webhook, so when new data is ingested into the event hub, it will be pushed to the webhook directly. I will set the Microsoft B2 service as the webhook endpoint. I already created an enterprise application and enabled Microsoft identity auth when creating the system topic, but the token received by the B2 service only contains basic info like below, so the question is:
- How to set the token with the right permission like Mail.ReadWrite?
I already set the API permission for it, but it is not working.
The official docs I followed: https://learn.microsoft.com/en-us/azure/event-grid/security-authentication#authenticate-event-delivery-to-webhook-endpoints
https://learn.microsoft.com/en-us/azure/event-grid/secure-webhook-delivery#deliver-events-to-a-webhook-in-a-different-azure-ad-tenant
Azure Event Grid
-
Vinodh247 • 34,741 Reputation points • MVP • Volunteer Moderator
2025-04-01T05:02:19.09+00:00 Hi,
Thanks for reaching out to Microsoft Q&A.
Thanks for the detailed context and the screenshot. You are essentially trying to secure webhook delivery from an Azure Event Grid System Topic to a Microsoft B2 service using a Bearer token (OAuth 2.0), but the access token only contains default/basic claims and does not include delegated/scoped permissions like `Mail.ReadWrite`, despite configuring API permissions. Here is a breakdown of the issue and what you need to do:
What is happening?
The token being sent is a client credentials token (`client_credentials` flow), used for app-to-app authentication. It only gives app roles (application permissions) and does not support delegated permissions like `Mail.ReadWrite` (which require user context). This is evident from the token structure you posted (no `scp`, only `roles`, `azp`, `oid`, etc.), meaning it is app-only.
Why `Mail.ReadWrite` is missing
`Mail.ReadWrite` is a delegated permission — it requires a signed-in user. When Event Grid delivers events, it uses a Managed Identity or an App Registration in the client credentials flow — user context is not involved, so delegated permissions are ignored.
Even if you grant delegated permissions like `Mail.ReadWrite` in Azure AD, they will not appear in access tokens unless the user logs in and consents.
Solution Path
If your B2 service (webhook) needs delegated permissions like `Mail.ReadWrite`, you must redesign the flow. You have two possible options:
Option 1: Use Application Permissions Instead
- Grant the `Mail.ReadWrite` application permission (not delegated) to the app registration used by Event Grid.
- Consent to it (admin consent required).
- In the webhook, accept the application token and ensure it uses the Microsoft Graph API with app permissions.
Note: the `Mail.ReadWrite` application permission can only be used for shared mailboxes or service accounts — not per-user mailboxes unless granted tenant-wide.
Option 2: Proxy Pattern with User Delegation
- Create a middle-tier API (proxy webhook) between Event Grid and the B2 service.
- The proxy authenticates with delegated permissions (via user login or refresh token) and calls the B2 service with `Mail.ReadWrite` on behalf of a user.
- Event Grid sends the event to the proxy. The proxy does the user-authenticated action.
🔒 Bonus: Secure System Topic Token Setup (for webhook delivery)
- In the System Topic, configure AAD authentication with either a Managed Identity (preferred) or an App Registration.
- In the webhook/B2 API, validate the token by verifying `aud`, `iss`, `appid`, etc. Optionally validate `roles` or `appid` for authorization.
This will give you a valid access token with app identity, but no delegated scopes.
- Event Grid delivers using an app identity, not a user.
- Delegated scopes like `Mail.ReadWrite` are ignored unless a user is involved.
- Use application permissions instead, or redesign with a proxy that can handle delegated flows.
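The claim checks the answer above recommends (`aud`, `iss`, `appid`, `roles`) plus the `scp`-versus-`roles` test it uses to recognise an app-only token, as an added Python example that is not from the thread or from Microsoft; it also covers the custom app-role case raised later in the thread. It assumes the JWT signature has already been verified against the tenant's signing keys (for instance with PyJWT's `PyJWKClient`) and that every tenant, app, audience and role value is a constructed placeholder.

```python
import time

# Constructed sample claims, modelled on the app-only token described in the thread
# (no "scp", only "roles"/"appid"/"oid"); every id and name below is a placeholder.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
EVENT_GRID_APP_ID = "11111111-1111-1111-1111-111111111111"  # placeholder caller app id
WEBHOOK_AUDIENCE = "api://b2-webhook"                       # placeholder App ID URI of the webhook
APP_ONLY_CLAIMS = {
    "aud": WEBHOOK_AUDIENCE,
    "iss": f"https://sts.windows.net/{TENANT_ID}/",        # v1 issuer format
    "appid": EVENT_GRID_APP_ID,                            # v1 caller claim
    "oid": "22222222-2222-2222-2222-222222222222",
    "roles": ["EventGrid.Deliver"],       # hypothetical app role exposed by the webhook app
    "exp": int(time.time()) + 600,
}
DELEGATED_CLAIMS = {                      # constructed contrast case: a user-context token
    "aud": WEBHOOK_AUDIENCE,
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",  # v2 issuer format
    "azp": EVENT_GRID_APP_ID,                                     # v2 caller claim
    "scp": "Mail.ReadWrite",              # scp present => signed-in user (delegated token)
    "exp": int(time.time()) + 600,
}

def token_kind(claims):
    """'delegated' when the token carries scp (a signed-in user), otherwise 'app-only'."""
    return "delegated" if claims.get("scp") else "app-only"

def validate_webhook_token(claims, expected_aud, tenant_id, allowed_app_ids,
                           required_role=None, now=None):
    """Claim-level checks for an Event Grid bearer token: aud, iss, exp, caller, role.
    Returns (True, kind) on success or (False, reason) on the first failed check.
    Signature verification against the tenant's JWKS must happen before this call."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return False, "aud mismatch"
    # Entra ID v1 tokens use the sts.windows.net issuer, v2 tokens the .../v2.0 issuer.
    accepted_iss = {f"https://sts.windows.net/{tenant_id}/",
                    f"https://login.microsoftonline.com/{tenant_id}/v2.0"}
    if claims.get("iss") not in accepted_iss:
        return False, "iss mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    caller = claims.get("appid") or claims.get("azp")   # v1 uses appid, v2 uses azp
    if caller not in allowed_app_ids:
        return False, "caller app id not allowed"
    if required_role and required_role not in claims.get("roles", []):
        return False, f"missing app role {required_role}"
    return True, token_kind(claims)
```

Pinning the caller to an allow-list of app ids matters because any app in the tenant can otherwise obtain a token for the webhook's audience.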
-
Shireesha Eeraboina • 3,435 Reputation points • Microsoft External Staff • Moderator
2025-04-03T05:15:36.18+00:00 Hello Liangjun Hu,
Just checking in to see if the above information provided by @Vinodh247 helped.
If you have any further query, do let us know.
-
Shireesha Eeraboina • 3,435 Reputation points • Microsoft External Staff • Moderator
2025-04-04T04:17:00.9666667+00:00 Hello Liangjun Hu,
Just checking in to see if the information below was helpful. If you have any further updates on this issue, please feel free to post them here.
-
Liangjun Hu • 20 Reputation points • Microsoft Employee
2025-04-07T04:33:29.42+00:00 Thanks for the answer, I have not taken a deep look at the answer below yet.
-
Shireesha Eeraboina • 3,435 Reputation points • Microsoft External Staff • Moderator
2025-04-09T03:45:07.65+00:00 Hello Liangjun Hu,
Can you please confirm are you still facing the issue?
-
Shireesha Eeraboina • 3,435 Reputation points • Microsoft External Staff • Moderator
2025-04-10T05:15:41.8933333+00:00 Hello Liangjun Hu,
Following up to see if you had a chance to review the above response. If you have any further updates on this issue, please feel free to post them here.
-
Liangjun Hu • 20 Reputation points • Microsoft Employee
2025-04-10T05:33:30.0833333+00:00 Yes, I used the test subscription and followed solution 1, but there is still no permission in the token.
-
Shireesha Eeraboina • 3,435 Reputation points • Microsoft External Staff • Moderator
2025-04-11T05:12:20.4466667+00:00 Hi Liangjun Hu,
Thanks for the detailed explanation. You've already set the right API permissions (like `Mail.ReadWrite`), but the issue is that Event Grid system topics use a managed identity to authenticate, not a service principal with custom permissions. Even though you've added the correct API permissions like `Mail.ReadWrite`, these need to be explicitly assigned to the managed identity of the system topic. To resolve this, go to Azure Active Directory > Enterprise applications, locate the system topic's managed identity, and add the required Microsoft Graph API permissions.
Then make sure to grant admin consent for those permissions. This will ensure the token sent to your B2 service includes the proper access rights.
For your reference, please review the following documentation for further clarification:
I hope this helps! Let me know if you have any further questions or need additional assistance.
-
Shireesha Eeraboina • 3,435 Reputation points • Microsoft External Staff • Moderator
2025-04-14T04:51:34.9+00:00 Hello Liangjun Hu,
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
-
Shireesha Eeraboina • 3,435 Reputation points • Microsoft External Staff • Moderator
2025-04-16T06:40:18.94+00:00 Hi Liangjun Hu,
I apologize for the delay in my response and thank you for your understanding.
Thank you for the update during the offline discussion. I understand your confusion.
The reason you can't add the `Mail.ReadWrite` permission to the system topic is that managed identities (like the one used by system topics) don't support adding Microsoft Graph API permissions directly.
What you can do:
To get a token with `Mail.ReadWrite`, you need to:
- Use a separate App Registration (not the system topic identity).
- Assign `Mail.ReadWrite` (Application permission) to it.
- Use that app in a proxy/middleware service (like an Azure Function or API App) between Event Grid and your B2 service (Event Grid → Proxy App (with the right token) → B2 service).
This way, the proxy gets the correct token and permissions, and Event Grid sends events securely.
To help you better understand, kindly refer to the documentation below:
Secure webhook delivery in Event Grid
I hope this addresses your query. Please let me know if you need any further assistance or clarification.
-
Liangjun Hu • 20 Reputation points • Microsoft Employee
2025-04-16T06:53:00.2466667+00:00 Hi @Shireesha Eeraboina, thanks for the info, so it means the only way is to use the proxy service to make the token with the Graph permission. But I still have another question: can I use a customized permission to make the request token with the permission in it?
-
Shireesha Eeraboina • 3,435 Reputation points • Microsoft External Staff • Moderator
2025-04-17T06:05:06.23+00:00 Hello Liangjun Hu,
Yes, you can use custom permissions, but only if you’re calling your own API, not Microsoft Graph.
To do this:
- You’ll need to expose an API through your App Registration.
- Define your custom scopes/permissions there.
Then, another app (or service) can request tokens with those custom permissions.
But just to clarify — custom permissions won't work with Microsoft Graph. For Graph permissions like `Mail.ReadWrite`, you'll still need to use the proxy service with an App Registration that has the proper Graph API permissions.
I hope this addresses your query. Please let me know if you need any further assistance or clarification.
-
Liangjun Hu • 20 Reputation points • Microsoft Employee
2025-04-23T15:03:58.43+00:00 Since I want the application-level permission within the request token, I used the App roles for the AAD app, but it still can't generate a token with the permission from the AAD app.
-
Praveen Kumar Gudipudi • 1,875 Reputation points • Microsoft External Staff • Moderator
2025-05-05T20:08:03.2766667+00:00 Hello Liangjun Hu,
Could you please share the error message with me so I can proceed further on the issue?
-
Praveen Kumar Gudipudi • 1,875 Reputation points • Microsoft External Staff • Moderator
2025-05-07T19:08:27.2533333+00:00 Hello Liangjun Hu,
Following up to see if you have had a chance to check my previous response and help us with the requested information so we can check and assist you further on this.