How to create an event subscription between event grid in one tenant and service bus in another tenant?

Wen Gao 36 Reputation points
2021-11-20T05:06:02.663+00:00

I am developing a service that utilizes Azure Event Grid Domain to fan out custom events. The event grid domain is located in the PME domain and the event handler is a service bus topic located in the Redmond domain. When I created the event subscription through Azure CLI, I got an error like this:

The client has permission to perform action 'Microsoft.ServiceBus/namespaces/queues/write' on scope '/subscriptions/*********************/resourceGroups/****/providers/Microsoft.EventGrid/domains/*****/topics/********/providers/Microsoft.EventGrid/eventSubscriptions/*****************', however the current tenant '*************************' is not authorized to access linked subscription '******************************************'

Does anyone know if I can create an event subscription for the service bus in another tenant?

Azure Service Bus

An Azure service that provides cloud messaging as a service and hybrid integration.

Azure Event Grid

An Azure event routing service designed for high availability, consistent performance, and dynamic scale.

Answer accepted by question author
  1. MayankBargali-MSFT 71,006 Reputation points Moderator
    2021-11-22T06:03:20.28+00:00

    @Wen Gao Yes, you can follow the below steps for the cross-tenant subscriptions

    • You need to make the REST call that should include two tokens. One token is useful to create an event subscription and the other token is to do an access check on the target destination. You can refer to authenticate multi tenant document for more details.
    • You can use CLI code to make the REST call as below snippet. This is only for reference and you can build it according to your requirement.
      # ARM path of the event subscription to create (quoted because it contains '?')
      eventSubUri="/subscriptions/yoursubscriptionID/resourceGroups/resourcegroupname/providers/Microsoft.EventGrid/systemTopics/yourtopic/providers/Microsoft.EventGrid/eventSubscriptions/yoursubscription?api-version=2020-01-01-preview"
      method=PUT
      # Token used to create the event subscription
      primaryToken="Bearer yourprimarytoken"
      # Token used for the access check on the target destination
      auxToken="Bearer auxToken"

      az rest --uri "$eventSubUri" --method "$method" --skip-authorization-header --headers Authorization="$primaryToken" x-ms-authorization-auxiliary="$auxToken" Content-Type="application/json" --body "{\"properties\":{\"destination\":{\"endpointType\":\"ServiceBusQueue\",\"properties\":{\"resourceId\":\"/subscriptions/yoursubscriptionID/resourceGroups/yourresourcegroupname/providers/Microsoft.ServiceBus/namespaces/yourservicebusnamespacename/queues/yourqueuename\"}},\"eventDeliverySchema\":\"EventGridSchema\"}}"

      You can refer to Az get access token command on how to get the token and az rest command document on how the REST call is created.
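
The two-token call from the accepted answer, as an added example that is not part of the original answer: it fetches one ARM token per tenant with `az account get-access-token` and checks each token's `tid` and `aud` claims locally before sending. The tenant IDs are placeholders, the function names are hypothetical, and it assumes `az login` has already been run against both tenants.

```shell
#!/bin/sh
# Added example: tenant IDs and resource IDs are placeholders, function names are hypothetical.
EG_TENANT="${EG_TENANT:-<event-grid-tenant-id>}"    # tenant that owns the Event Grid topic
SB_TENANT="${SB_TENANT:-<service-bus-tenant-id>}"   # tenant that owns the Service Bus queue
ARM="https://management.azure.com/"

# Print one string claim from a JWT payload (no signature check; local sanity check only).
jwt_claim() {  # $1 = raw token, $2 = claim name
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#p} % 4 )) -ne 0 ]; do p="$p="; done   # restore base64 padding
  printf '%s' "$p" | base64 -d 2>/dev/null |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Succeed only if the token was issued by the expected tenant for the ARM audience.
check_token() {  # $1 = raw token, $2 = expected tenant ID
  [ "$(jwt_claim "$1" tid)" = "$2" ] || { echo "token tenant is not $2" >&2; return 1; }
  case "$(jwt_claim "$1" aud)" in
    https://management.azure.com*|https://management.core.windows.net*) return 0 ;;
    *) echo "token audience is not Azure Resource Manager" >&2; return 1 ;;
  esac
}

create_subscription() {  # $1 = event subscription URI, $2 = Service Bus queue resource ID
  primary=$(az account get-access-token --tenant "$EG_TENANT" --resource "$ARM" \
            --query accessToken -o tsv) || return 1
  aux=$(az account get-access-token --tenant "$SB_TENANT" --resource "$ARM" \
        --query accessToken -o tsv) || return 1
  check_token "$primary" "$EG_TENANT" && check_token "$aux" "$SB_TENANT" || return 1
  az rest --uri "$1" --method PUT --skip-authorization-header \
    --headers Authorization="Bearer $primary" x-ms-authorization-auxiliary="Bearer $aux" \
    --body "{\"properties\":{\"destination\":{\"endpointType\":\"ServiceBusQueue\",\"properties\":{\"resourceId\":\"$2\"}},\"eventDeliverySchema\":\"EventGridSchema\"}}"
}

# Runs only when both arguments are given:
#   sh script.sh "<event subscription URI with api-version>" "<Service Bus queue resource ID>"
if [ $# -eq 2 ]; then create_subscription "$1" "$2"; fi
```

Swapping the two tokens, or requesting either one for a non-ARM resource, is caught by `check_token` before any request leaves the machine.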
