Merge pull request #299158 from spelluru/mqttauthwebhook

New: Authenticate with webhook auth

Author: Stacyrch140

articles/event-grid/authenticate-with-namespaces-using-webhook-authentication.md

@@ -0,0 +1,224 @@
+---
+title: Authenticate with namespaces using webhook auth
+description: This article shows you how to authenticate with Azure Event Grid namespace using webhook or Azure function. 
+ms.topic: how-to
+ms.custom: build-2025
+ms.date: 04/30/2025
+author: Connected-Seth
+ms.author: seshanmugam
+---
+
+# Authenticate with MQTT broker using custom webhook authentication (Preview)
+This article shows how to authenticate with Azure Event Grid namespace using webhook or Azure function. 
+
+Webhook authentication allows external HTTP endpoints (webhooks or functions) to authenticate MQTT connections dynamically. This method uses Microsoft Entra ID JWT validation to ensure secure access.  
+
+When a client attempts to connect, the broker invokes a user-defined HTTP endpoint that validates credentials such SAS tokens, usernames/passwords, or even performs Certificate Revocation List (CRL) checks. The webhook evaluates the request and returns a decision to allow or deny the connection, along with optional metadata for fine-grained authorization. This approach supports flexible and centralized authentication policies across diverse device fleets and use cases. 
+
+> [!NOTE]
+> This feature is currently in preview. 
+
+## Prerequisites 
+
+To use custom webhook authentication for namespaces, you need to have the following prerequisites: 
+
+- An Event Grid namespace with either system-assigned or user-assigned managed identity. 
+- The External Webhook or Azure function. 
+- Grant access to the Event Grid Namespace’s Managed identity to Azure  function /Webhook. 
+
+## High-level steps 
+
+To use custom webhook authentication for namespaces, follow these steps: 
+
+1. Create a namespace and configure its subresources. 
+1. Enable managed identity on your Event Grid namespace. 
+1. Grant the managed identity access to your Azure function or Webhook. 
+1. Configure custom webhook settings on your Event Grid namespace 
+1. Connect your clients to the Event Grid namespace and get authenticated via the webhook or function. 
+
+## Create a namespace and configure its subresources 
+Follow instructions from [Quickstart: Publish and subscribe to MQTT messages on Event Grid Namespace with Azure portal](mqtt-publish-and-subscribe-portal.md) to create a namespace and configure its subresources. Skip the certificate and client creation steps as the client identities come from the provided token. Client attributes are based on the custom claims in the client token. The client attributes are used in the client group query, topic template variables, and routing enrichment configuration.
+
+## Enable managed identity on your Event Grid namespace 
+Use the following command to enable system-assigned managed identity on your Event Grid namespace:  
+ 
+```azurecli-interactive
+az eventgrid namespace update --resource-group <resource group name> --name <namespace name> --identity "{type:systemassigned}" 
+```
+ 
+For information on configuring system and user-assigned identities using the Azure portal, see [Enable managed identity for an Event Grid namespace](event-grid-namespace-managed-identity.md).
+
+## Grant the managed identity appropriate access to function or webhook
+Grant the managed identity of your Event Grid namespace the appropriate access to the target Azure function or webhook. 
+
+### Use Azure portal
+
+1. Identify the managed identity. 
+    1. Navigate to your **Event Grid namespace** in the [Azure portal](https://portal.azure.com). 
+    1. On the **Event Grid namespace** page, select **Identity** on the left menu.
+    1. Copy the **object ID** of the managed identity. 
+1. Navigate to your **Azure function app** or the **app service hosting the Webhook**. 
+1. Assign appropriate role to the managed identity. 
+    1. On the **Function App** page, select **Access Control (IAM)** on the left menu, and then select **Add Role Assignment**. 
+    1. Choose a role like **Contributor** or **Function App Contributor** (or a custom role with required permissions). 
+    1. Scope it appropriately (for example, at the resource or resource group level). 
+    1. Select **Assign access to**, and then select user, group, or service principal. 
+    1. Paste the object ID of the managed identity for your Event Grid namespace. 
+1. **Save** and **Confirm** access. Complete the role assignment and confirm access is reflected under the **Role assignments** tab. 
+
+### Use Azure CLI
+
+1. Get the object ID of the managed identity for your Event Grid namespace. 
+
+    ```azurecli
+    az eventgrid namespace identity show \ 
+      --name <eventgrid-namespace-name> \ 
+      --resource-group <eventgrid-resource-group> \ 
+      --query principalId \ 
+      --output tsv 
+    ```    
+    
+    Save the output (let’s call it EG_MI_ID). 
+2. Assign a role (for example, Contributor) to the managed identity on the Azure function or Webhook resource.
+
+    ```azurecli
+    az role assignment create \ 
+      --assignee-object-id <EG_MI_ID> \ 
+      --assignee-principal-type ServicePrincipal \ 
+      --role "Contributor" \  # or use a least-privileged custom role 
+      --scope $(az functionapp show \ 
+                 --name <function-app-name> \ 
+                 --resource-group <function-app-resource-group> \ 
+                 --query id --output tsv) 
+    ```    
+    You can replace **Contributor** with a custom role name that grants only required permissions (for example, **Azure Event Grid Event Subscription Contributor** for webhooks). 
+
+ ## Configure custom webhook authentication settings on your Event Grid namespace 
+In this step, you configure custom webhook authentication settings on your Event Grid namespace using Azure portal and Azure CLI. You need to create the namespace first and then update it using the following steps. 
+
+### Use Azure portal 
+
+1. Navigate to your Event Grid namespace in the [Azure portal](https://portal.azure.com). 
+1. On the **Event Grid Namespace** page, select **Configuration** on the left menu. 
+1. In the **Custom Webhook authentication** section, specify values for the following properties: 
+    1. Select **Managed identity** type.
+    1. For **Webhook URL**, enter the value of the URL endpoint where the Event Grid service sends authenticated webhook requests using the specified managed identity. 
+    1. For **Token audience URI**, enter the value of Microsoft Entra application ID or URI to get the access token that will be included as the bearer token in delivery requests. 
+    1. For **Microsoft Entra tenant ID**, enter the value of Microsoft Entra tenant ID used to acquire the bearer token for authenticated webhook delivery. 
+    1. Select **Apply**. 
+
+### Use Azure CLI 
+
+Use the following command to update your namespace with the custom webhook authentication configuration. 
+
+```azurecli    
+az eventgrid namespace update \ 
+    --resource-group <resource-group-name> \ 
+    --name <namespace-name> \ 
+    --api-version 2025-04-01-preview \ 
+    --identity-type UserAssigned \ 
+    --identity-user-assigned-identities "/subscriptions/XXXXXXXXXXX/resourcegroups/XXXXXXXXXXX/providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXXXXXX={}" \ 
+    --set properties.isZoneRedundant=true \ 
+        properties.topicSpacesConfiguration.state=Enabled \ 
+        properties.topicSpacesConfiguration.clientAuthentication.webHookAuthentication.identity.type=UserAssigned \ 
+        properties.topicSpacesConfiguration.clientAuthentication.webHookAuthentication.identity.userAssignedIdentity="/subscriptions/XXXXXXXXXXX/resourcegroups/XXXXXXXXXXX/providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXXXXXX" \ 
+        properties.topicSpacesConfiguration.clientAuthentication.webHookAuthentication.endpointUrl="https://XXXXXXXXXXX" \ 
+        properties.topicSpacesConfiguration.clientAuthentication.webHookAuthentication.azureActiveDirectoryApplicationIdOrUri="api://XXXXXXXXXXX/.default" \ 
+        properties.topicSpacesConfiguration.clientAuthentication.webHookAuthentication.azureActiveDirectoryTenantId="XXXXXXXXXXX" 
+```
+
+Replace <NAMESPACE_NAME> and <RESOURCE_GROUP_NAME> with your actual values, and fill in the placeholders in the subscription/resource group/identity/app ID/URL/tenant ID. To enhance the performance and reliability of webhook-based authentication for Azure Event Grid MQTT Broker, we strongly recommend enabling HTTP/2 support for your webhook endpoint. 
+
+## Webhook API details 
+
+### Request Headers 
+
+- Authorization: Bearer token 
+    - token is an Entra ID token for the managed identity configured to call the webhook. 
+    
+### Request payload 
+
+```json
+{
+    "clientId": "<string>",
+    "userName": "<string>",
+    "password": "<base64 encoded bytes>",
+    "authenticationMethod": "<string>",
+    "authenticationData": "<base64 encoded bytes>",
+    "clientCertificate": "<certificate in PEM format>",
+    "clientCertificateChain": "<certificates from chain in PEM format>"
+}
+```
+
+### Payload field descriptions 
+
+| Field | Required/Optional | Description | 
+|-----------------|------------------|---------| 
+| clientId | Required | Client ID from MQTT CONNECT packet. | 
+| userName | Optional | Username from MQTT CONNECT packet. | 
+| password | Optional | Password from MQTT CONNECT packet in base64 encoding. | 
+| authenticationMethod | Optional | Authentication method from MQTT CONNECT packet (MQTT5 only). | 
+| authenticationData | Optional | Authentication data from MQTT CONNECT packet in base64 encoding (MQTT5 only). | 
+| clientCertificate | Optional | Client certificate in PEM format. | 
+| clientCertificateChain| Optional | Additional certificates provided by the client required for building the chain from the client certificate to the CA certificate. | 
+| userProperties | Optional | User properties from CONNECT packet (MQTT5 only). | 
+
+### Response payload 
+
+#### Successful response 
+
+```json
+HTTP/1.1 200 OK 
+Content-Type: application/json 
+
+{ 
+    "decision": "allow", 
+    "clientAuthenticationName": "<string>", 
+    "attributes": { 
+        "attr": "<int/string/array_of_strings>", 
+        ... 
+    }, 
+    "expiration": "<unix time format>" 
+} 
+```
+
+#### Denied response 
+
+```json
+HTTP/1.1 400 Bad Request 
+Content-Type: application/json 
+
+{ 
+    "decision": "deny", 
+    "errorReason": "<string>" 
+}
+```
+
+### Response field descriptions
+
+
+| Field             | Description  |
+|---------------------------|------------------------------------|
+| Decision (required)       | Authentication decision. Can be either **allow** or **deny**. |
+| clientAuthenticationName  | Client authentication name (identity name). (Required when Decision is set to allow).  |
+| attributes                | Dictionary with attributes. Key is the attribute name, and the value can be an int/string/array. (Optional when Decision is set to allow). |
+| expiration                | Expiration date in Unix time format. (Optional when Decision is set to allow) |
+| errorReason               | Error message if decision is set to deny. This error is logged. (Optional when Decision is set to deny) |
+
+### Examples of supported attribute types: 
+
+```json
+"bool_attr": true, 
+  "num_attr_pos": 1, 
+  "num_attr_neg": -1, 
+  "num_attr_to_big": 9223372036854775807, 
+  "num_attr_float": 1.23, 
+  "str_attr": "str_value", 
+  "str_list_attr": [ 
+    "str_value_1", 
+    "str_value_2"] 
+```
+
+## Related content
+- [MQTT client authentication](mqtt-client-authentication.md)
+- [Authenticate client using custom JWT](mqtt-client-custom-jwt.md)

articles/event-grid/deliver-events-using-managed-identity.md

@@ -56,7 +56,8 @@ To deliver events to Storage queues using managed identity, follow these steps:
 To deliver events to a Webhook using managed identity, follow these steps: 
 
 1. Enable system-assigned or user-assigned managed identity: [system topics](enable-identity-system-topics.md), [custom topics and domains](enable-identity-custom-topics-domains.md), and [namespaces](event-grid-namespace-managed-identity.md). 
-1. [Configure the event subscription](create-view-manage-event-subscriptions.md) that uses a Webhook as an endpoint to use the system-assigned or user-assigned managed identity. 
+1. Create a single tenant or multitenant application to set the audience for the token. 
+1. [Configure the event subscription](create-view-manage-event-subscriptions.md) that uses a Webhook as an endpoint to use the system-assigned or user-assigned managed identity. Once you select the type of managed identity, you need to introduce the new application ID and the tenant ID. In the cross-tenant scenario, the application ID must be from an application created in the destination tenant. 
 
 ## Firewall and virtual network rules
 If there's no firewall or virtual network rules configured for the destination Storage account, Event Hubs namespace, or Service Bus namespace, you can use both user-assigned and system-assigned identities to deliver events. 

articles/event-grid/includes/limits.md

@@ -4,7 +4,7 @@
  author: robece
  ms.service: azure-event-grid
  ms.topic: include
- ms.date: 11/15/2023
+ ms.date: 04/30/2025
  ms.author: robece
 ms.custom: include file, ignite-2023
 ---
@@ -41,9 +41,9 @@ The following limits apply to MQTT in Azure Event Grid namespace resource.
 | Session Expiry Interval                      | 8 hours, [configurable on the Event Grid namespace](../mqtt-support.md#maximum-session-expiry-interval-configuration)|
 | Inbound MQTT publishing requests per Event Grid namespace  | 1,000 messages per second per TU                                                         |
 | Inbound MQTT bandwidth per Event Grid namespace         | 1 MB per second per TU                                                            |
-| Inbound MQTT publishing requests per session | 100 messages per second                                                           |
+| Inbound MQTT publishing requests per session | 1000 messages per second                                                           |
 | Inbound MQTT bandwidth per session        | 1 MB per second                                                                   |
-| Inbound in-flight MQTT messages*        | 100 messages                                                                   |
+| Inbound in-flight MQTT messages*        | 1000 messages                                                                   |
 | Inbound in-flight MQTT bandwidth*         | 64 KB                                                             |
 | Outbound MQTT publishing requests per Event Grid namespace | 1,000 messages per second per TU                                                         |
 | Outbound MQTT bandwidth per Event Grid namespace        | 1 MB per second per TU                                                            |
@@ -52,11 +52,12 @@ The following limits apply to MQTT in Azure Event Grid namespace resource.
 | Outbound in-flight MQTT messages*        | 100 messages                                                                   |
 | Outbound in-flight MQTT bandwidth*         | 64 KB                                                             |
 | Max message size                             | 512 KB                                                                            |
-| Segments per topic/ topic filter             | 8                                                                                 |
+| Segments per topic/ topic filter             | 15                                                                                 |
 | Topic size                                   | 256 B                                                                             |
 | MQTTv5 response topic                        | 256 B                                                                             |
 | MQTTv5 topic aliases                         | 10 per session                                                                 |
 | MQTTv5 total size of all user properties     | 32 KB                                                                              |
+| MQTT connect rate per client Session |  1 connection attempt per second per client session | 
 | MQTTv5 content type size                     | 256 B                                                                             |
 | MQTTv5 correlation data size                 | 256 B                                                                             |
 | Connect requests                             | 200 requests per second per TU                                                    |

articles/event-grid/quotas-limits.md

@@ -3,7 +3,7 @@ title: Quotas and limits - Azure Event Grid | Microsoft Docs
 description: This article provides limits and quotas for Azure Event Grid. For example, number of subscriptions for topic, number of custom topics per subscription, etc.
 ms.topic: reference
 ms.custom: build-2023
-ms.date: 05/09/2023
+ms.date: 04/30/2025
 ---
 
 # Azure Event Grid quotas and limits

articles/event-grid/toc.yml

@@ -118,8 +118,6 @@ items:
           href: mqtt-request-response-messages.md                
         - name: Assign custom domain name to a namespace
           href: assign-custom-domain-name.md
-        - name: Authenticate with MQTT broker using OAuth 2.0 authentication
-          href: authenticate-with-namespaces-using-json-web-tokens.md
         - name: Monitor
           items:
           - name: Monitor Event Grid namespaces
@@ -140,6 +138,10 @@ items:
             href: event-grid-namespace-managed-identity.md 
           - name: MQTT client authentication using certificate chain
             href: mqtt-certificate-chain-client-authentication.md            
+          - name: Authenticate with MQTT broker using OAuth 2.0 authentication
+            href: authenticate-with-namespaces-using-json-web-tokens.md
+          - name: Authenticate with MQTT broker using webhook authentication
+            href: authenticate-with-namespaces-using-webhook-authentication.md
     - name: Namespace topics
       items:
       - name: Pull delivery overview