Event subscription managed identity type issue change from "None" to "System Assigned"

Question

Event subscription managed identity type issue change from "None" to "System Assigned"

Janczewski, Michal 20

Hi

I have an issue. When I'm trying to change existing event subcription Managed identity type from "None" into "System Assigned" I have a following error: "Managed Identity for XXXXX:YYYYY:ZZZZZ:TTTT (hiding for security) does not have permission to perform appropriate action on the destination resource. Managed identity for event subscription does not have authorization to deliver to the endpoint." However I have added "Storage Queue Data Contributor" to service principal associated with Event Grid Topic. What should I do to enable it?

Regards,

Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-06T09:02:13.6066667+00:00
Hi Janczewski, Michal,

Thanks for reaching out to Microsoft Q&A.

Follow below steps:

Check Managed Identity Configuration:

Ensure that you've successfully enabled the system-assigned identity for your Event Grid subscription. This can be done via the Azure portal:

Navigate to your Event Grid subscription.

Under Settings, select Identity and confirm that the System-assigned identity is enabled and saved.

Assign the Correct Role:

It's crucial that the system-assigned identity you set up has the necessary roles assigned at the destination resource level (e.g., for a Storage Queue, this would be the Storage Queue Data Sender role). Here’s how you can assign this:

Go to the Access Control (IAM) section of the destination resource.

Click on + Add > Add role assignment.

Choose the Storage Queue Data Sender role and then assign it to the system-assigned identity of your Event Grid.

Validate Permissions:

Double-check that the identity is indeed listed under the permissions for the destination resource, and that the correct permissions have been granted.

Testing:

After making these changes, try to change the managed identity type again and see if the error persists.

Hope this helps!
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Janczewski, Michal 20 Reputation points

2026-02-06T09:10:18.7166667+00:00

Could you please clarify if Storage Queue Data Contributor role is also sufficient for this purpose?
Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-06T09:13:16.36+00:00

Yes Michal, Storage Queue Data Contributor is sufficient.
Janczewski, Michal 20 Reputation points

2026-02-06T09:55:19.6366667+00:00

@Pravallika KV I have already check it so:

1.System identity is enabled on Event Grid topic level

2.Correct role (Storage Queue Data Contributor) is assigned on storage account to event grid topic service principal

Adding screenshot for reference. Unfortunately issue still occurs.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Janczewski, Michal 20 Reputation points

2026-02-06T11:57:17.79+00:00

Unfortunately it still does not work after the checks. Any further clarifications?

2 answers

Your answer

Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-06T09:02:13.6066667+00:00

Hi Janczewski, Michal,

Thanks for reaching out to Microsoft Q&A.

Follow below steps:

Check Managed Identity Configuration:

Ensure that you've successfully enabled the system-assigned identity for your Event Grid subscription. This can be done via the Azure portal:

Navigate to your Event Grid subscription.

Under Settings, select Identity and confirm that the System-assigned identity is enabled and saved.

Assign the Correct Role:

It's crucial that the system-assigned identity you set up has the necessary roles assigned at the destination resource level (e.g., for a Storage Queue, this would be the Storage Queue Data Sender role). Here’s how you can assign this:

Go to the Access Control (IAM) section of the destination resource.

Click on + Add > Add role assignment.

Choose the Storage Queue Data Sender role and then assign it to the system-assigned identity of your Event Grid.

Validate Permissions:

Double-check that the identity is indeed listed under the permissions for the destination resource, and that the correct permissions have been granted.

Testing:

After making these changes, try to change the managed identity type again and see if the error persists.

Hope this helps!
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Janczewski, Michal 20 Reputation points

2026-02-06T09:10:18.7166667+00:00

Could you please clarify if Storage Queue Data Contributor role is also sufficient for this purpose?
Pravallika KV 11,110 Reputation points Microsoft External Staff Moderator

2026-02-06T09:13:16.36+00:00

Yes Michal, Storage Queue Data Contributor is sufficient.
Janczewski, Michal 20 Reputation points

2026-02-06T09:55:19.6366667+00:00

@Pravallika KV I have already check it so:

1.System identity is enabled on Event Grid topic level

2.Correct role (Storage Queue Data Contributor) is assigned on storage account to event grid topic service principal

Adding screenshot for reference. Unfortunately issue still occurs.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Janczewski, Michal 20 Reputation points

2026-02-06T11:57:17.79+00:00

Unfortunately it still does not work after the checks. Any further clarifications?

Answer 1

Praveen Kumar Gudipudi 1,880 Microsoft External Staff Moderator

Hello Janczewski, Michal,

Root Cause

When the identity type is switched to System Assigned, Azure creates a new managed identity specifically for the Event Subscription. This identity must have the required data-plane permissions on the destination resource (for example, Storage Queue or Service Bus).

In this scenario, the role was assigned to the Event Grid Topic service principal, but Event Grid validates permissions using the Event Subscription’s managed identity, which currently does not have sufficient authorization to deliver events to the endpoint.

Resolution

Please follow the steps below:

Navigate to the Event Subscription → Identity blade.

Copy the Principal (Object) ID of the System Assigned managed identity.

Assign the appropriate RBAC role to this identity on the destination resource:
- For Azure Storage Queue: Storage Queue Data Contributor also try with storage data contributor at the storage account scope.
For Azure Service Bus: Grant Azure Service Bus Data Sender at the namespace scope. If the destination resource has network restrictions or firewall enabled, ensure: Allow trusted Microsoft services is enabled.
```
  System-assigned identity is being used.

  Wait a few minutes for RBAC propagation, then retry updating the Event Subscription.
```

Expected Outcome

After the correct role assignment to the Event Subscription managed identity, the identity type change to System Assigned should succeed and event delivery authorization will function as expected.

Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.

Janczewski, Michal 20 Reputation points

2026-02-06T10:04:03.1466667+00:00

@Praveen Kumar Gudipudi thanks for raising this.

So my question here is where I can find "Navigate to the Event Subscription → Identity blade." when I entry event subscription I can see only "Metrics", "Filters", "Additional Features", "Delivery Properties".
Praveen Kumar Gudipudi 1,880 Reputation points Microsoft External Staff Moderator

2026-02-06T10:19:57.5666667+00:00

Hello Janczewski, Michal,

Event Grid Topic → Event Subscriptions → Your Subscription → Additional Features tab → Managed identity for delivery

If it is disabled for you please go to event grid topic --> identity --> enable it.
Janczewski, Michal 20 Reputation points

2026-02-06T10:26:46.73+00:00

It is already enabled however when I try to save it I have an error like I mentioned before.
Janczewski, Michal 20 Reputation points

2026-02-06T11:05:09.1933333+00:00

@Praveen Kumar Gudipudi And this system assigned object id is the same as SP connected to event grid topic. You mentioned "Event Subscription’s managed identity" - so each event subscription has his own separated managed identity? How can I find it?
Praveen Kumar Gudipudi 1,880 Reputation points Microsoft External Staff Moderator

2026-02-10T10:32:03.3866667+00:00

Hello Janczewski, Michal,

Yes — each Event Subscription can have its own managed identity, and this is separate from:

The Event Grid Topic’s system-assigned identity

Any Service Principal (SP) you manually created

How to find the Event Subscription managed identity

In Azure Portal

Go to Event Grid Topic

Open Event Subscriptions

Click the specific subscription

Look for Identity or Managed Identity section

If System-assigned = On, you'll see:

Object ID → this is the identity used by that subscription
Praveen Kumar Gudipudi 1,880 Reputation points Microsoft External Staff Moderator

2026-02-13T08:06:11.9466667+00:00

Hello Janczewski, Michal,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 2

To resolve the issue of changing the managed identity type from "None" to "System Assigned" for your event subscription, ensure that the managed identity has the necessary permissions on the destination resource. Here are the steps you can follow:

Check Role Assignments: Verify that the managed identity associated with your Event Grid topic has been assigned the appropriate roles on the destination resource (e.g., the Storage Queue). You mentioned adding "Storage Queue Data Contributor"; ensure that this role is correctly assigned to the managed identity and not just the service principal.
Add Additional Roles: Depending on the endpoint you're using, you may need to add other roles as well. For example, if you're delivering events to a Service Bus queue, the managed identity must also have the "Azure Service Bus Data Sender" role on the Service Bus namespace.
Allow Trusted Microsoft Services: Ensure that the setting "Allow trusted Microsoft services to bypass this firewall" is enabled on the destination resource, if applicable. This setting can help in scenarios where the managed identity needs to communicate with other Azure services securely.
Reconfigure the Event Subscription: After ensuring that the managed identity has the correct permissions, try reconfiguring the event subscription to use the system-assigned identity again.

If you continue to experience issues, check the Azure Activity Log for any additional error messages that might provide more context on the permissions issue.

References:

Share via

Event subscription managed identity type issue change from "None" to "System Assigned"

2 answers

Root Cause

Resolution

Expected Outcome

Your answer