Issue Creating Event Grid Webhook Subscription with API Management and System-Assigned Identity

Question

Issue Creating Event Grid Webhook Subscription with API Management and System-Assigned Identity

Lorca , Alberto 20

Hello,

I am implementing an Event Grid → API Management → App Service integration using a Webhook Event Grid subscription authenticated via Managed Identity. I have followed the official Microsoft documentation for configuring a webhook endpoint protected with Azure AD authentication (documented here): https://learn.microsoft.com/azure/event-grid/webhook-event-delivery

Architecture

Event Grid Topic publishes events.
API Management exposes a backend endpoint protected by Azure AD.
API Management forwards the request to an App Service.
The Event Grid subscription is configured to authenticate to the APIM endpoint using system-assigned managed identity.

Issue

I can successfully create the Event Grid subscription only when I configure the Azure AD application ID of Microsoft.EventGrid as the audience / App Registration.

However, if I try to use the application ID of my own Azure AD App Registration (created specifically for APIM authentication), Event Grid fails to acquire a token for that audience. Because of this:

The subscription cannot be created.
No calls reach APIM.
No traces appear in Application Insights.

Expected Behavior

My expectation is that Event Grid, when using system-assigned identity, should be able to request a token for any Azure AD application that I configure as the audience for APIM (as long as Event Grid identity has permission on that app / API).

Observed Behavior

Using audience = Microsoft.EventGrid (official app) → ✅ Works
Using audience = my custom Azure AD app registration → ❌ Fails, Event Grid cannot obtain a token

Request

Could you please confirm:

Is this the expected behavior? Is Event Grid limited to using the built-in Microsoft.EventGrid application ID when generating tokens for webhook authentication?

If not expected, what configuration might be missing?

Does the Event Grid system-assigned identity require additional permissions on my custom Azure AD app?
- Are there restrictions on defining custom audiences for webhook authentication?
  - Are there additional steps needed in the APIM OAuth 2.0 configuration?

Any guidance or clarification will be appreciated. Thank you.

Lorca , Alberto 20 Reputation points

2026-03-17T16:39:10.62+00:00

Thank you for your answer Rakesh. I have been speaking with technical support from Microsoft and they told me that we can only use Microsoft.EventGrid but he will give us more info about why. I have tried your recomendations but none of them work, so we will assume that there is a problem with the documentation and we can only use that application id.
Siddhesh Desai 5,590 Reputation points Microsoft External Staff Moderator

2026-03-24T12:16:09.2333333+00:00

Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer =>Yes, and upvote it. If you have any further queries do let us know.
Siddhesh Desai 5,590 Reputation points Microsoft External Staff Moderator

2026-03-30T04:49:22.63+00:00

Hi Lorca , Alberto, can you please help me with your email id on a private chat to look at this issue via a team's call on screenshare, we will try to see and check your configuration issue? Also, can you please help me with the Support ID of the ticket you have raised with Microsoft Entra Support team in Private chat?

1 answer

Your answer

Lorca , Alberto 20 Reputation points

2026-03-17T16:39:10.62+00:00

Thank you for your answer Rakesh. I have been speaking with technical support from Microsoft and they told me that we can only use Microsoft.EventGrid but he will give us more info about why. I have tried your recomendations but none of them work, so we will assume that there is a problem with the documentation and we can only use that application id.
Siddhesh Desai 5,590 Reputation points Microsoft External Staff Moderator

2026-03-24T12:16:09.2333333+00:00

Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer =>Yes, and upvote it. If you have any further queries do let us know.
Siddhesh Desai 5,590 Reputation points Microsoft External Staff Moderator

2026-03-30T04:49:22.63+00:00

Hi Lorca , Alberto, can you please help me with your email id on a private chat to look at this issue via a team's call on screenshare, we will try to see and check your configuration issue? Also, can you please help me with the Support ID of the ticket you have raised with Microsoft Entra Support team in Private chat?

Answer 1

Hi @Lorca , Alberto,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

Glad the MS support was able to give you clarity on this, yes, The Document needs to be updated.

Why Microsoft Requires Microsoft.EventGrid as the Audience?

Event Grid Is a First‑Party Microsoft Service (Not a Generic Client)

When Event Grid delivers events using Managed Identity, it does not behave like a normal OAuth client.

Instead:

Event Grid uses a Microsoft‑owned, first‑party service principal

Token issuance is restricted at the platform level

The service is only allowed to request tokens for known, pre‑approved resource audiences

One of those explicitly allowed audiences is:

Microsoft.EventGrid

This is enforced internally by Azure and cannot be overridden.

Share via

Issue Creating Event Grid Webhook Subscription with API Management and System-Assigned Identity

Architecture

Issue

Expected Behavior

Observed Behavior

Request

1 answer

Your answer