I have an Azure Event Grid Trigger Inside my Function's App. The Function is subscribed to Event Grid Topic through an Event Subscription. The Function works perfectly and is triggered when I have no Authentication Configured inside the Authentication / Authorization Blade of the Functions App. But when I integrate B2C AD App from the Blade, the topic is not delivered and the function is not triggered. Also, I can see "Unauthorized" Errors inside the Event Subscription. The B2C Flow is required for other HTTP triggers inside the Function App. How can I give exclusive access to the Event Grid so that this message is delivered without the B2C Flow?
I have the same problem. I can't find anything about this limitation in the documentation. – keft Sep 16 '20 at 16:17
1 Answer
You can try the approach below:
Enable Event Grid to use your Azure AD Application:
Use the PowerShell script below in order to create a role and service principal in your Azure AD Application. You will need the Tenant ID and Object ID from your Azure AD Application:
Modify the PowerShell script's $myTenantId to use your Azure AD Tenant ID.
Modify the PowerShell script's $myAzureADApplicationObjectId to use the Object ID of your Azure AD Application.
Run the modified script.
```powershell
$myTenantId = "<the Tenant Id of your Azure AD Application>"
Connect-AzureAD -TenantId $myTenantId

$myAzureADApplicationObjectId = "<the Object Id of your Azure AD Application>"
# Well-known AppId of the first-party "Azure Event Grid" application (the same in every tenant)
$eventGridAppId = "4962773b-9cdb-44cf-a8bf-237846a00ab7"
$eventGridRoleName = "AzureEventGridSecureWebhook"

Function CreateAppRole([string] $Name, [string] $Description) {
    $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $appRole.AllowedMemberTypes.Add("Application")   # assignable to service principals only, not users
    $appRole.DisplayName = $Name
    $appRole.Id = New-Guid
    $appRole.IsEnabled = $true
    $appRole.Description = $Description
    $appRole.Value = $Name
    return $appRole
}

$myApp = Get-AzureADApplication -ObjectId $myAzureADApplicationObjectId
$myAppRoles = $myApp.AppRoles
# Service principal of your own application: the resource the role is granted on.
# Looked up here (not only when the role is missing) so the assignment below always has a ResourceId.
$myServicePrincipal = Get-AzureADServicePrincipal -Filter ("appId eq '" + $myApp.AppId + "'")
$eventGridSP = Get-AzureADServicePrincipal -Filter ("appId eq '" + $eventGridAppId + "'")

Write-Host "App Roles before addition of new role.."
Write-Host $myAppRoles

# Find the role by its Value rather than string-matching the AppRole objects
$eventGridRole = $myAppRoles | Where-Object { $_.Value -eq $eventGridRoleName }
if ($eventGridRole) {
    Write-Host "The Azure Event Grid role is already defined.`n"
} else {
    $eventGridRole = CreateAppRole -Name $eventGridRoleName -Description "Azure Event Grid Role"
    $myAppRoles.Add($eventGridRole)
    Set-AzureADApplication -ObjectId $myApp.ObjectId -AppRoles $myAppRoles
}

if ($eventGridSP) {
    Write-Host "The Service principal is already defined.`n"
} else {
    # First use of Event Grid in this tenant: create its service principal
    $eventGridSP = New-AzureADServicePrincipal -AppId $eventGridAppId
}

# Grant the Event Grid role (looked up by name, not AppRoles[0], which may be a different role)
# to the Event Grid service principal on your application's service principal
New-AzureADServiceAppRoleAssignment -Id $eventGridRole.Id -ResourceId $myServicePrincipal.ObjectId -ObjectId $eventGridSP.ObjectId -PrincipalId $eventGridSP.ObjectId

Write-Host "My Azure AD Tenant Id: $myTenantId"
Write-Host "My Azure AD Application Id: $($myApp.AppId)"
Write-Host "My Azure AD Application ObjectId: $($myApp.ObjectId)"
Write-Host "My Azure AD Application's Roles: "
Write-Host $myApp.AppRoles
```
Configure the event subscription:
In the creation flow for your event subscription, select endpoint type 'Web Hook'. Once you've given your endpoint URI (the webhook URI of the Event Grid endpoint: https://FUNCTION_DOMAIN/runtime/webhooks/eventgrid?functionName={FUNCTION_NAME}), click on the additional features tab at the top of the create event subscriptions blade.
In the additional features tab, check the box for 'Use AAD authentication' and configure the Tenant ID and Application ID:
- Copy the Azure AD Tenant ID from the output of the script and enter it in the AAD Tenant ID field.
- Copy the Azure AD Application ID from the output of the script and enter it in the AAD Application ID field.
Edit:
For more details about this solution, visit here.
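An added verification script, not part of the answer above and not Microsoft's sample, for checking what the role script must leave behind before you create the subscription (useful when it errors out partway, as reported in the comments): the AzureEventGridSecureWebhook role is defined and enabled on your application, the Azure Event Grid service principal exists in the tenant, and that service principal holds an assignment of the role on your application's service principal. It assumes the same AzureAD module and placeholder variables as the answer's script, and that Get-AzureADServiceAppRoleAssignment on the resource service principal returns the assignments granted on it with Id (role id) and PrincipalId properties.

```powershell
# Added verification script (assumes the AzureAD module); not part of the original answer
$myTenantId = "<the Tenant Id of your Azure AD Application>"
$myAzureADApplicationObjectId = "<the Object Id of your Azure AD Application>"
$eventGridAppId = "4962773b-9cdb-44cf-a8bf-237846a00ab7"   # well-known Azure Event Grid AppId
$eventGridRoleName = "AzureEventGridSecureWebhook"

Connect-AzureAD -TenantId $myTenantId | Out-Null
$problems = @()

# 1. The app role must exist, be enabled, and be assignable to applications (service principals)
$myApp = Get-AzureADApplication -ObjectId $myAzureADApplicationObjectId
$role = $myApp.AppRoles | Where-Object { $_.Value -eq $eventGridRoleName }
if (-not $role) {
    $problems += "Role '$eventGridRoleName' is not defined on application $($myApp.DisplayName)"
} elseif (-not $role.IsEnabled -or $role.AllowedMemberTypes -notcontains "Application") {
    $problems += "Role '$eventGridRoleName' exists but is disabled or not assignable to applications"
}

# 2. The Event Grid service principal must exist in this tenant
$eventGridSP = Get-AzureADServicePrincipal -Filter ("appId eq '" + $eventGridAppId + "'")
if (-not $eventGridSP) {
    $problems += "No service principal for Azure Event Grid (appId $eventGridAppId) in tenant $myTenantId"
}

# 3. Event Grid's service principal must hold that role on your application's service principal.
#    Get-AzureADServiceAppRoleAssignment on the resource SP lists the assignments granted on it.
$mySP = Get-AzureADServicePrincipal -Filter ("appId eq '" + $myApp.AppId + "'")
if ($role -and $eventGridSP -and $mySP) {
    $assignment = Get-AzureADServiceAppRoleAssignment -ObjectId $mySP.ObjectId |
        Where-Object { $_.PrincipalId -eq $eventGridSP.ObjectId -and $_.Id -eq $role.Id }
    if (-not $assignment) {
        $problems += "Event Grid SP $($eventGridSP.ObjectId) has no '$eventGridRoleName' assignment on $($mySP.DisplayName)"
    }
}

if ($problems.Count -eq 0) {
    Write-Host "OK: Event Grid can request a token carrying '$eventGridRoleName' for $($myApp.DisplayName)"
    Write-Host "Use Tenant ID $myTenantId and Application ID $($myApp.AppId) in the event subscription."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

If all three checks pass but the subscription still fails validation, the remaining suspect is the webhook handshake itself rather than the Azure AD setup.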
So I tried this but I am not able to create Event Subscription in the end. I receive this error: Deployment has failed with the following error: {"code":"Url validation","message":"Webhook validation handshake failed for https://{function-app-url}.azurewebsites.net/runtime/webhooks/EventGrid. Http POST request failed with response code Unknown. For troublehooting, visit https://aka.ms/esvalidation. Activity id:fa614249-ee37-4847-a236-3cdea6cda70b, timestamp: 8/18/2020 9:42:51 AM (UTC)."}. – Liqteq Developer Aug 18 '20 at 09:54
$eventGridAppId = "4962773b-9cdb-44cf-a8bf-237846a00ab7" Is this Id fixed or should I replace it from any other Id in the portal ? – Liqteq Developer Aug 18 '20 at 09:56
@LiqteqDeveloper, $eventGridAppId is the "Azure Event Grid" Azure Active Directory AppId. – Harshita Singh Aug 18 '20 at 16:01
Please refer to https://learn.microsoft.com/en-us/azure/event-grid/webhook-event-delivery#validation-details for details about Endpoint validation with Event Grid events. You can refer to https://github.com/Azure-Samples/event-grid-dotnet-publish-consume-events/blob/master/EventGridConsumer/EventGridConsumer/Function1.cs for sample code that handles Event Grid event validation for webhooks. – Harshita Singh Aug 18 '20 at 17:49
@HarshitaSingh-MSFT Event Grid has a specific Functions Endpoint. I would expect that it can be used to send events to an Azure Function...? If AD secured functions are not supported it should say so right there in the Azure Portal. Can we expect this feature to be available any time soon? – keft Sep 16 '20 at 16:27
Also, you can always check out https://azure.microsoft.com/en-in/updates/ website for upcoming updates. – Harshita Singh Sep 17 '20 at 09:54
Yes I followed those instructions. I got an error running the script but it seems the app role and service principal was created. I get the same error as @LiqteqDeveloper. Deployment has failed with the following error: {"code":"Url validation","message":"Webhook validation handshake failed for https://*****/runtime/webhooks/eventgrid. Http POST request failed with response code Unknown. For troublehooting, visit https://aka.ms/esvalidation. – keft Sep 17 '20 at 16:07
When running the PS script I get the following error: New-AzureADServiceAppRoleAssignment : Error occurred while executing NewServicePrincipalAppRoleAssignment Code: Request_BadRequest Message: Permission being assigned was not found on application – keft Sep 18 '20 at 12:23