Secure WebHook delivery with a Microsoft Entra application in Azure Event Grid
This script provides the configuration for using Azure Event Grid to deliver events to an HTTPS endpoint that is protected by a Microsoft Entra application. Event Grid obtains a token whose audience is the webhook application; the role created below ends up in that token's roles claim, and the endpoint should require it.
These are the high-level steps of the script:
- Create a service principal for Microsoft.EventGrid (if one does not already exist).
- Create a role named AzureEventGridSecureWebhookSubscriber in the Microsoft Entra app for the webhook.
- Create a service principal for the event subscription writer app if one does not already exist.
- Add the service principal of the event subscription writer Microsoft Entra app to the AzureEventGridSecureWebhookSubscriber role.
- Also add the service principal of Microsoft.EventGrid to the AzureEventGridSecureWebhookSubscriber role.
Get the Microsoft.EventGrid application ID
Go to the Azure portal.
In the search bar, type Microsoft.EventGrid, then select Microsoft.EventGrid (service principal) from the drop-down list. On the Microsoft.EventGrid page, note the Application ID or copy it to the clipboard. This ID is the same for every tenant of a given cloud but differs between clouds (for example public Azure and sovereign clouds), so take it from the portal of the cloud you are deploying to.
Set the $eventGridAppId variable in the following script to this value before running it.
Sample script - stable
# NOTE: This script uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module). Before running it,
# sign in with the scopes the calls below need, for example:
#   Connect-MgGraph -Scopes "Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All"
$eventGridAppId = "[REPLACE_WITH_EVENT_GRID_APP_ID]"
$webhookAppObjectId = "[REPLACE_WITH_YOUR_ID]"
$eventSubscriptionWriterAppId = "[REPLACE_WITH_YOUR_ID]"

# Graph cmdlets report failures as non-terminating errors by default; make them reach the catch blocks
$ErrorActionPreference = 'Stop'

# Start execution
try {

    # Creates an application role of given name and description
    Function CreateAppRole([string] $Name, [string] $Description)
    {
        $appRole = New-Object Microsoft.Graph.PowerShell.Models.MicrosoftGraphAppRole
        $appRole.AllowedMemberTypes = @("Application", "User")
        $appRole.DisplayName = $Name
        $appRole.Id = New-Guid
        $appRole.IsEnabled = $true
        $appRole.Description = $Description
        $appRole.Value = $Name   # the string that appears in the token's "roles" claim
        return $appRole
    }

    # Assigns an app role of the resource service principal to a principal; an existing assignment is not an error
    Function AssignAppRoleIfMissing($PrincipalSP, $ResourceSP, $AppRole)
    {
        try
        {
            New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $PrincipalSP.Id -PrincipalId $PrincipalSP.Id -ResourceId $ResourceSP.Id -AppRoleId $AppRole.Id -ErrorAction Stop
        }
        catch
        {
            if ($_.Exception.Message -like '*Permission being assigned already exists on the object*')
            {
                Write-Host "The Microsoft Entra Application role is already defined.`n"
            }
            else
            {
                throw   # any other failure stops the script and is reported by the outer catch
            }
        }
    }

    # Creates the Microsoft.EventGrid service principal in this tenant if it does not exist yet.
    # You don't need to modify this id, but the Azure Event Grid application Id is different in different clouds.
    $eventGridSP = Get-MgServicePrincipal -Filter ("appId eq '" + $eventGridAppId + "'")
    if ($null -ne $eventGridSP)
    {
        Write-Host "The Event Grid Microsoft Entra Application is already defined.`n"
    } else {
        Write-Host "Creating the Azure Event Grid Microsoft Entra Application"
        $eventGridSP = New-MgServicePrincipal -AppId $eventGridAppId
    }

    # Creates the app role on the webhook Microsoft Entra application
    $eventGridRoleName = "AzureEventGridSecureWebhookSubscriber" # You don't need to modify this role name
    $app = Get-MgApplication -ApplicationId $webhookAppObjectId
    $appRoles = $app.AppRoles

    Write-Host "Microsoft Entra App roles before addition of the new role..."
    Write-Host $appRoles.DisplayName

    if ($appRoles.DisplayName -contains $eventGridRoleName)
    {
        Write-Host "The Azure Event Grid role is already defined.`n"
    } else {
        Write-Host "Creating the Azure Event Grid role in Microsoft Entra Application: " $webhookAppObjectId
        $newRole = CreateAppRole -Name $eventGridRoleName -Description "Azure Event Grid Role"
        $appRoles += $newRole
        Update-MgApplication -ApplicationId $webhookAppObjectId -AppRoles $appRoles
        # Re-read the application so the role lookups below see the new role
        $app = Get-MgApplication -ApplicationId $webhookAppObjectId
        $appRoles = $app.AppRoles
    }

    Write-Host "Microsoft Entra App roles after addition of the new role..."
    Write-Host $appRoles.DisplayName

    $eventGridAppRole = $app.AppRoles | Where-Object -Property "DisplayName" -eq -Value $eventGridRoleName

    # The webhook application's own service principal is the resource the role assignments are made on
    $servicePrincipal = Get-MgServicePrincipal -Filter ("appId eq '" + $app.AppId + "'")
    if ($null -eq $servicePrincipal)
    {
        throw "No service principal exists for the webhook application $($app.AppId); create one with New-MgServicePrincipal -AppId $($app.AppId) and rerun."
    }

    # Creates the service principal for the app that will create the event subscription, if it does not exist
    $eventSubscriptionWriterSP = Get-MgServicePrincipal -Filter ("appId eq '" + $eventSubscriptionWriterAppId + "'")
    if ($null -eq $eventSubscriptionWriterSP)
    {
        Write-Host "Create new Microsoft Entra Application"
        $eventSubscriptionWriterSP = New-MgServicePrincipal -AppId $eventSubscriptionWriterAppId
    }

    # Creates the role assignment for the app that will create the event subscription
    Write-Host "Creating the Microsoft Entra Application role assignment: " $eventSubscriptionWriterAppId
    AssignAppRoleIfMissing -PrincipalSP $eventSubscriptionWriterSP -ResourceSP $servicePrincipal -AppRole $eventGridAppRole

    # Creates the role assignment for the Event Grid Microsoft Entra Application
    Write-Host "Creating the Microsoft Entra Application role assignment: " $eventGridAppId
    AssignAppRoleIfMissing -PrincipalSP $eventGridSP -ResourceSP $servicePrincipal -AppRole $eventGridAppRole

    # Print output references for backup
    Write-Host ">> Webhook's Microsoft Entra Application Id: $($app.AppId)"
    Write-Host ">> Webhook's Microsoft Entra Application ObjectId: $($app.Id)"
}
catch {
    Write-Host ">> Exception:"
    Write-Host $_
    Write-Host ">> StackTrace:"
    Write-Host $_.ScriptStackTrace
}
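Once the script has run, the result can be checked from the same Graph session. The block below is an added example and not part of the page's script: it reuses the script's three placeholders and role name, cross-checks $eventGridAppId against the tenant's own Microsoft.EventGrid service principal (a Graph alternative to the portal lookup above), confirms the role exists and is enabled, confirms both principals hold it, and lists any other principal that does, because every holder of the role can present a token carrying it to the webhook. Variable names such as $problems and $expected are the example's own.

```powershell
# Added verification example; not part of the page's script. Run it in the same
# Connect-MgGraph session, with the script's placeholders filled in.
$eventGridAppId = "[REPLACE_WITH_EVENT_GRID_APP_ID]"
$webhookAppObjectId = "[REPLACE_WITH_YOUR_ID]"
$eventSubscriptionWriterAppId = "[REPLACE_WITH_YOUR_ID]"
$eventGridRoleName = "AzureEventGridSecureWebhookSubscriber"
$problems = @()

# 1. Cross-check the Event Grid app ID against the tenant's Microsoft.EventGrid service principal,
#    so that a mistyped ID cannot silently grant the role to some other application.
$egByName = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft.EventGrid'"
if ($null -eq $egByName) {
    $problems += "No service principal named Microsoft.EventGrid exists in this tenant (the script creates it)."
} elseif ($egByName.AppId -ne $eventGridAppId) {
    $problems += "eventGridAppId is $eventGridAppId but the tenant's Microsoft.EventGrid appId is $($egByName.AppId)."
}

# 2. The app role must be defined on the webhook app registration and enabled.
$app  = Get-MgApplication -ApplicationId $webhookAppObjectId
$role = $app.AppRoles | Where-Object Value -eq $eventGridRoleName
if ($null -eq $role) { throw "App role '$eventGridRoleName' is not defined on application $($app.AppId)." }
if (-not $role.IsEnabled) { $problems += "App role '$eventGridRoleName' is disabled." }

# 3. Every assignment of that role on the webhook app's service principal.
$webhookSP   = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $webhookSP.Id -All |
               Where-Object AppRoleId -eq $role.Id

# 4. Both expected principals must hold it.
$expected = @{}
foreach ($appId in @($eventGridAppId, $eventSubscriptionWriterAppId)) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
    if ($null -eq $sp) { $problems += "No service principal exists for appId $appId."; continue }
    $expected[$sp.Id] = $sp.DisplayName
    if (-not ($assignments | Where-Object PrincipalId -eq $sp.Id)) {
        $problems += "$($sp.DisplayName) ($appId) does not hold '$eventGridRoleName'."
    }
}

# 5. Nobody else should: any other holder can obtain a token that carries the role and call the webhook.
foreach ($a in $assignments) {
    if (-not $expected.ContainsKey($a.PrincipalId)) {
        $problems += "Unexpected holder of '$eventGridRoleName': $($a.PrincipalDisplayName) (assignment $($a.Id))."
    }
}

if ($problems.Count -eq 0) {
    Write-Host "OK: '$eventGridRoleName' on $($app.AppId) is held by exactly the Event Grid and subscription-writer principals."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

An unexpected holder reported by step 5 can be removed with Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $webhookSP.Id -AppRoleAssignmentId <assignment id>. With the check passing, the event subscription is created by the writer identity (which is why it needs the role as well), passing the webhook app's Application ID as the token audience, for example with az eventgrid event-subscription create ... --azure-active-directory-tenant-id <tenant ID> --azure-active-directory-application-id-or-uri <webhook Application ID>.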
Script explanation
For more information, see Secure WebHook delivery with Microsoft Entra ID in Azure Event Grid.
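The configuration above is only half of the design: the webhook itself must reject any bearer token that was not issued by the tenant, for this webhook application, to Microsoft.EventGrid, with the AzureEventGridSecureWebhookSubscriber role in it. The block below is an added example, not code from the page or from Microsoft, of those checks in PowerShell. The tenant and application IDs are assumed placeholders, and the signing key, JWKS document and tokens are constructed locally so the demo runs offline; a real endpoint takes the JWKS from the jwks_uri published in the tenant's OpenID configuration document and normally leaves this work to its web framework's JWT middleware.

```powershell
# Added example, not the page's script: the checks a webhook protected by this configuration
# has to apply to the bearer token Event Grid sends. The key pair, JWKS and tokens are
# constructed locally so the demo runs offline; a real endpoint takes the JWKS from the
# jwks_uri in https://login.microsoftonline.com/<tenant>/.well-known/openid-configuration,
# normally through its web framework's JWT middleware rather than code like this.
$tenantId       = "11111111-1111-1111-1111-111111111111"   # assumed tenant ID
$webhookAppId   = "22222222-2222-2222-2222-222222222222"   # assumed Application ID of the webhook app (token audience)
$eventGridAppId = "33333333-3333-3333-3333-333333333333"   # assumed Application ID of Microsoft.EventGrid (token caller)
$requiredRole   = "AzureEventGridSecureWebhookSubscriber"
$utf8 = [System.Text.Encoding]::UTF8

function ConvertTo-Base64Url([byte[]] $Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function ConvertFrom-Base64Url([string] $Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return ,[Convert]::FromBase64String($s)
}

# Returns "ok" or the reason the token must be rejected. The signature is verified first;
# no claim is trusted before that, and only RS256 with a known key is accepted (no "alg":"none").
function Test-EventGridToken([string] $Token, $Jwks, [string] $Audience, [string] $CallerAppId, [string] $Role, [string] $TenantId) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { return "malformed token" }
    $header = $utf8.GetString((ConvertFrom-Base64Url $parts[0])) | ConvertFrom-Json
    $key = $Jwks.keys | Where-Object kid -eq $header.kid
    if ($header.alg -ne 'RS256' -or $null -eq $key) { return "unknown signing key or algorithm" }
    $rsa = [System.Security.Cryptography.RSA]::Create()
    $p = New-Object System.Security.Cryptography.RSAParameters
    $p.Modulus  = ConvertFrom-Base64Url $key.n
    $p.Exponent = ConvertFrom-Base64Url $key.e
    $rsa.ImportParameters($p)
    $signed = $utf8.GetBytes($parts[0] + '.' + $parts[1])
    $valid = $rsa.VerifyData($signed, (ConvertFrom-Base64Url $parts[2]),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    if (-not $valid) { return "bad signature" }

    $claims = $utf8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if ($claims.exp -le $now) { return "token expired" }
    if ($null -ne $claims.nbf -and $claims.nbf -gt $now) { return "token not yet valid" }
    # v1 tokens use the sts.windows.net issuer, v2 tokens the login.microsoftonline.com one
    $issuers = @("https://sts.windows.net/$TenantId/", "https://login.microsoftonline.com/$TenantId/v2.0")
    if ($claims.iss -notin $issuers) { return "wrong issuer $($claims.iss)" }
    # The audience must be this webhook app: its Application ID or its api:// identifier URI
    if ($claims.aud -notin @($Audience, "api://$Audience")) { return "wrong audience $($claims.aud)" }
    # The caller must be Microsoft.EventGrid itself; v1 tokens carry it in appid, v2 tokens in azp
    $caller = if ($null -ne $claims.appid) { $claims.appid } else { $claims.azp }
    if ($caller -ne $CallerAppId) { return "token issued to $caller, not to Microsoft.EventGrid" }
    # The role is only present when the app role assignment made by the script above exists
    if (@($claims.roles) -notcontains $Role) { return "missing role $Role" }
    return "ok"
}

# ---- constructed demo material: a throwaway key standing in for the tenant's signing key ----
$signer = [System.Security.Cryptography.RSA]::Create()
$pub    = $signer.ExportParameters($false)
$jwks   = [pscustomobject]@{ keys = @([pscustomobject]@{
    kty = 'RSA'; kid = 'demo-key'; n = (ConvertTo-Base64Url $pub.Modulus); e = (ConvertTo-Base64Url $pub.Exponent) }) }

function New-DemoToken([hashtable] $Claims) {
    $h = ConvertTo-Base64Url ($utf8.GetBytes((@{ alg = 'RS256'; typ = 'JWT'; kid = 'demo-key' } | ConvertTo-Json -Compress)))
    $p = ConvertTo-Base64Url ($utf8.GetBytes(($Claims | ConvertTo-Json -Compress)))
    $sig = $signer.SignData($utf8.GetBytes($h + '.' + $p),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    return ($h + '.' + $p + '.' + (ConvertTo-Base64Url $sig))
}

$now  = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$good = @{ iss = "https://sts.windows.net/$tenantId/"; aud = $webhookAppId; appid = $eventGridAppId
           roles = @($requiredRole); nbf = $now - 60; exp = $now + 3600 }
$noRole   = $good.Clone(); $noRole.roles = @()                                          # the assignment step never ran
$otherApp = $good.Clone(); $otherApp.appid = "44444444-4444-4444-4444-444444444444"   # another app in the tenant got a token for the webhook
$valid = New-DemoToken $good
$noRoleToken = New-DemoToken $noRole
# The valid token's claims glued to another token's signature: must fail before any claim is read
$forged = $valid.Substring(0, $valid.LastIndexOf('.')) + $noRoleToken.Substring($noRoleToken.LastIndexOf('.'))

$cases = [ordered]@{ 'valid Event Grid token' = $valid; 'token without the role' = $noRoleToken
                     'token from another app' = (New-DemoToken $otherApp); 'forged signature' = $forged }
foreach ($name in $cases.Keys) {
    Write-Host ("{0,-24} -> {1}" -f $name, (Test-EventGridToken $cases[$name] $jwks $webhookAppId $eventGridAppId $requiredRole $tenantId))
}
```

The order of the checks is the point: the token without the role and the token from another app in the tenant both carry valid signatures for the right audience, so an endpoint that only verifies the signature, or only the audience, accepts them. The role check is what ties the endpoint to the assignment the script makes, and the caller check (appid or azp) ensures the role was granted to Microsoft.EventGrid rather than to any other principal that might have been given it.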