Secure WebHook delivery with Microsoft Entra ID in Azure Event Grid
This script provides the configuration for delivering events to HTTPS endpoints that are secured by Microsoft Entra ID, using Azure Event Grid.
The high-level steps of the script are:
- Create a service principal for Microsoft.EventGrid if it does not already exist.
- Create a role named AzureEventGridSecureWebhookSubscriber in the Microsoft Entra app for your webhook.
- Add the service principal of the user who creates the subscription to the AzureEventGridSecureWebhookSubscriber role.
- Add the Microsoft.EventGrid service principal to the AzureEventGridSecureWebhookSubscriber role.
Get the Microsoft.EventGrid application ID
Go to the Azure portal, and in the search bar select Microsoft.EventGrid (service principal) from the drop-down list. On the Microsoft.EventGrid page, note the application ID or copy it to the clipboard.
In the following script, set the $eventGridAppId variable to this value before you run it.
```powershell
# NOTE: Before running this script, sign in with "az login" and connect to Microsoft Graph with
# Connect-MgGraph; the Get-Mg*/New-Mg*/Update-Mg* cmdlets below need a Graph session that is
# allowed to manage applications and app role assignments.
$webhookAppObjectId = "[REPLACE_WITH_YOUR_ID]"
# Placeholder (not defined on the page): UPN of the user who will create the event subscription
$eventSubscriptionWriterUserPrincipalName = "[REPLACE_WITH_USER_PRINCIPAL_NAME]"
# Start execution
try {
    # Creates an application role of given name and description
    Function CreateAppRole([string] $Name, [string] $Description)
    {
        $appRole = New-Object Microsoft.Graph.PowerShell.Models.MicrosoftGraphAppRole
        $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
        $appRole.AllowedMemberTypes += "Application"
        $appRole.AllowedMemberTypes += "User"
        $appRole.DisplayName = $Name
        $appRole.Id = New-Guid
        $appRole.IsEnabled = $true
        $appRole.Description = $Description
        $appRole.Value = $Name
        return $appRole
    }

    # Creates the Azure Event Grid Microsoft Entra application (service principal) if it does not exist.
    # Set this to the Microsoft.EventGrid application ID noted from the portal;
    # the Azure Event Grid Microsoft Entra application ID is different for different clouds.
    $eventGridAppId = "[REPLACE_WITH_EVENT_GRID_APP_ID]"
    $eventGridSP = Get-MgServicePrincipal -Filter ("appId eq '" + $eventGridAppId + "'")
    if ($eventGridSP.DisplayName -match "Microsoft.EventGrid")
    {
        Write-Host "The Event Grid Microsoft Entra Application is already defined.`n"
    } else {
        Write-Host "Creating the Azure Event Grid Microsoft Entra Application"
        $eventGridSP = New-MgServicePrincipal -AppId $eventGridAppId
    }

    # Creates the Azure app role for the webhook Microsoft Entra application
    $eventGridRoleName = "AzureEventGridSecureWebhookSubscriber" # You don't need to modify this role name
    $app = Get-MgApplication -ApplicationId $webhookAppObjectId
    $appRoles = $app.AppRoles
    Write-Host "Microsoft Entra App roles before addition of the new role..."
    Write-Host $appRoles.DisplayName
    if ($appRoles.DisplayName -match $eventGridRoleName)
    {
        Write-Host "The Azure Event Grid role is already defined.`n"
    } else {
        Write-Host "Creating the Azure Event Grid role in Microsoft Entra Application: " $webhookAppObjectId
        $newRole = CreateAppRole -Name $eventGridRoleName -Description "Azure Event Grid Role"
        $appRoles += $newRole
        Update-MgApplication -ApplicationId $webhookAppObjectId -AppRoles $appRoles
        # Re-read the application so that $app.AppRoles below contains the newly created role
        $app = Get-MgApplication -ApplicationId $webhookAppObjectId
    }
    Write-Host "Microsoft Entra App roles after addition of the new role..."
    Write-Host $appRoles.DisplayName

    # Creates the user role assignment for the user who will create the event subscription
    $servicePrincipal = Get-MgServicePrincipal -Filter ("appId eq '" + $app.AppId + "'")
    Write-Host "Creating the Microsoft Entra App Role assignment for user: " $eventSubscriptionWriterUserPrincipalName
    $eventSubscriptionWriterUser = Get-MgUser -UserId $eventSubscriptionWriterUserPrincipalName
    $eventGridAppRole = $app.AppRoles | Where-Object -Property "DisplayName" -eq -Value $eventGridRoleName
    try
    {
        New-MgUserAppRoleAssignment -UserId $eventSubscriptionWriterUser.Id -PrincipalId $eventSubscriptionWriterUser.Id -ResourceId $servicePrincipal.Id -AppRoleId $eventGridAppRole.Id
    }
    catch
    {
        if ($_.Exception.Message -like '*Permission being assigned already exists on the object*')
        {
            Write-Host "The Microsoft Entra User Application role is already defined.`n"
        }
        else
        {
            Write-Error $_.Exception.Message
        }
    }

    # Creates the service app role assignment for the Event Grid Microsoft Entra application
    $eventGridAppRole = $app.AppRoles | Where-Object -Property "DisplayName" -eq -Value $eventGridRoleName
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $eventGridSP.Id -PrincipalId $eventGridSP.Id -ResourceId $servicePrincipal.Id -AppRoleId $eventGridAppRole.Id

    # Print output references for backup
    Write-Host ">> Webhook's Microsoft Entra Application Id: $($app.AppId)"
    Write-Host ">> Webhook's Microsoft Entra Application Object Id: $($app.Id)"
}
catch {
    Write-Host ">> Exception:"
    Write-Host $_
    Write-Host ">> StackTrace:"
    Write-Host $_.ScriptStackTrace
}
```
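After the script has run, the AzureEventGridSecureWebhookSubscriber role is what authorizes callers of the webhook, so it is worth checking who actually holds it. The following verification step is an added example, not part of the page's script; it assumes an existing Connect-MgGraph session, the same $webhookAppObjectId value as above, and the Get-MgServicePrincipalAppRoleAssignedTo cmdlet from the Microsoft Graph PowerShell SDK.

```powershell
# Added verification step (not part of the original script). Assumes a Connect-MgGraph session
# and that $webhookAppObjectId is the object ID of the webhook's app registration.
$webhookAppObjectId = "[REPLACE_WITH_YOUR_ID]"
$eventGridRoleName  = "AzureEventGridSecureWebhookSubscriber"

# Resolve the webhook application, its service principal, and the app role the script created
$app  = Get-MgApplication -ApplicationId $webhookAppObjectId
$sp   = Get-MgServicePrincipal -Filter ("appId eq '" + $app.AppId + "'")
$role = $app.AppRoles | Where-Object { $_.DisplayName -eq $eventGridRoleName }
if (-not $role) { throw "Role '$eventGridRoleName' is missing on application $($app.AppId)" }

# The role must be enabled and allow both member types the script set (user and application)
if (-not $role.IsEnabled -or ($role.AllowedMemberTypes -notcontains "Application")) {
    Write-Warning "Role '$eventGridRoleName' is disabled or does not allow Application members."
}

# List every principal that holds this role on the webhook's service principal.
# Expected: the subscription-writer user and the Microsoft.EventGrid service principal only;
# any other principal can also obtain a token that the webhook will accept.
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.AppRoleId -eq $role.Id }

$assignments | Select-Object PrincipalDisplayName, PrincipalType, PrincipalId, CreatedDateTime |
    Format-Table -AutoSize

$eventGridHolders = $assignments | Where-Object {
    $_.PrincipalType -eq "ServicePrincipal" -and $_.PrincipalDisplayName -match "Microsoft.EventGrid"
}
if (-not $eventGridHolders) {
    Write-Warning "Microsoft.EventGrid does not hold the role; Event Grid cannot get a token for this webhook."
}

$unexpected = $assignments | Where-Object { $_ -notin $eventGridHolders -and $_.PrincipalType -ne "User" }
if ($unexpected) {
    Write-Warning ("Unexpected non-user principals hold the role: " + ($unexpected.PrincipalDisplayName -join ", "))
}
```

Review the printed table periodically; a principal that was not granted the role on purpose should be removed with Remove-MgServicePrincipalAppRoleAssignedTo.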
Script explanation
For more information, see Secure WebHook delivery with Microsoft Entra ID in Azure Event Grid.