MicrosoftDocs
diff --git a/‎articles/event-grid/media/secure-webhook-delivery/multitenant-diagram.png
18.7 KB b/‎articles/event-grid/media/secure-webhook-delivery/multitenant-diagram.png
18.7 KB
diff --git a/‎articles/event-grid/media/secure-webhook-delivery/single-tenant-diagram.png
15.4 KB b/‎articles/event-grid/media/secure-webhook-delivery/single-tenant-diagram.png
15.4 KB
diff --git a/‎articles/event-grid/scripts/event-grid-powershell-webhook-secure-delivery-azure-ad-app.md
Lines changed: 125 additions & 0 deletions b/‎articles/event-grid/scripts/event-grid-powershell-webhook-secure-delivery-azure-ad-app.md
Lines changed: 125 additions & 0 deletions
diff --git a/‎articles/event-grid/scripts/event-grid-powershell-webhook-secure-delivery-azure-ad-user.md
Lines changed: 119 additions & 0 deletions b/‎articles/event-grid/scripts/event-grid-powershell-webhook-secure-delivery-azure-ad-user.md
Lines changed: 119 additions & 0 deletions
@@ -0,0 +1,125 @@
+---
+title: Azure PowerShell - Secure WebHook delivery with Azure AD Application in Azure Event Grid
+description: Describes how to deliver events to HTTPS endpoints protected by Azure AD Application using Azure Event Grid
+ms.devlang: powershell
+ms.topic: sample
+ms.date: 09/29/2021
+---
+
+# Secure WebHook delivery with Azure AD Application in Azure Event Grid
+
+This script provides the configuration to deliver events to HTTPS endpoints protected by Azure AD Application using Azure Event Grid.
+
+## Sample script - stable
+
+```azurepowershell
+# NOTE: Before run this script ensure you are logged in Azure by using "az login" command.
+
+$webhookAppObjectId = "[REPLACE_WITH_YOUR_ID]"
+$eventSubscriptionWriterAppId = "[REPLACE_WITH_YOUR_ID]"
+
+# Start execution
+try {
+
+    # Creates an application role of given name and description
+
+    Function CreateAppRole([string] $Name, [string] $Description)
+    {
+        $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
+        $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
+        $appRole.AllowedMemberTypes.Add("Application");
+        $appRole.AllowedMemberTypes.Add("User");
+        $appRole.DisplayName = $Name
+        $appRole.Id = New-Guid
+        $appRole.IsEnabled = $true
+        $appRole.Description = $Description
+        $appRole.Value = $Name;
+
+        return $appRole
+    }
+
+    # Creates Azure Event Grid Azure AD Application if not exists
+
+    $eventGridAppId = "4962773b-9cdb-44cf-a8bf-237846a00ab7" # You don't need to modify this id
+    $eventGridRoleName = "AzureEventGridSecureWebhookSubscriber" # You don't need to modify this role name
+    $eventGridSP = Get-AzureADServicePrincipal -Filter ("appId eq '" + $eventGridAppId + "'")
+    if ($eventGridSP -match "Microsoft.EventGrid")
+    {
+        Write-Host "The Azure AD Application is already defined.`n"
+    } else {
+        Write-Host "Creating the Azure Event Grid Azure AD Application"
+        $eventGridSP = New-AzureADServicePrincipal -AppId $eventGridAppId
+    }
+
+    # Creates the Azure app role for the webhook Azure AD application
+
+    $app = Get-AzureADApplication -ObjectId $webhookAppObjectId
+    $appRoles = $app.AppRoles
+
+    Write-Host "Azure AD App roles before addition of the new role..."
+    Write-Host $appRoles
+    
+    if ($appRoles -match $eventGridRoleName)
+    {
+        Write-Host "The Azure Event Grid role is already defined.`n"
+    } else {      
+        Write-Host "Creating the Azure Event Grid role in Azure AD Application: " $webhookAppObjectId
+        $newRole = CreateAppRole -Name $eventGridRoleName -Description "Azure Event Grid Role"
+        $appRoles.Add($newRole)
+        Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles
+    }
+
+    Write-Host "Azure AD App roles after addition of the new role..."
+    Write-Host $appRoles
+
+    # Creates the user role assignment for the app that will create event subscription
+
+    $servicePrincipal = Get-AzureADServicePrincipal -Filter ("appId eq '" + $app.AppId + "'")
+    $eventSubscriptionWriterSP = Get-AzureADServicePrincipal -Filter ("appId eq '" + $eventSubscriptionWriterAppId + "'")
+
+    if ($null -eq $eventSubscriptionWriterSP)
+    {
+        Write-Host "Create new Azure AD Application"
+        $eventSubscriptionWriterSP = New-AzureADServicePrincipal -AppId $eventSubscriptionWriterAppId
+    }
+
+    try
+    {
+        Write-Host "Creating the Azure AD Application role assignment: " $eventSubscriptionWriterAppId
+        $eventGridAppRole = $app.AppRoles | Where-Object -Property "DisplayName" -eq -Value $eventGridRoleName
+        New-AzureADServiceAppRoleAssignment -Id $eventGridAppRole.Id -ResourceId $servicePrincipal.ObjectId -ObjectId $eventSubscriptionWriterSP.ObjectId -PrincipalId $eventSubscriptionWriterSP.ObjectId
+    }
+    catch
+    {
+        if( $_.Exception.Message -like '*Permission being assigned already exists on the object*')
+        {
+            Write-Host "The Azure AD Application role is already defined.`n"
+        }
+        else
+        {
+            Write-Error $_.Exception.Message
+        }
+        Break
+    }
+
+    # Creates the service app role assignment for Event Grid Azure AD Application
+
+    $eventGridAppRole = $app.AppRoles | Where-Object -Property "DisplayName" -eq -Value $eventGridRoleName
+    New-AzureADServiceAppRoleAssignment -Id $eventGridAppRole.Id -ResourceId $servicePrincipal.ObjectId -ObjectId $eventGridSP.ObjectId -PrincipalId $eventGridSP.ObjectId
+    
+    # Print output references for backup
+
+    Write-Host ">> Webhook's Azure AD Application Id: $($app.AppId)"
+    Write-Host ">> Webhook's Azure AD Application ObjectId Id: $($app.ObjectId)"
+}
+catch {
+  Write-Host ">> Exception:"
+  Write-Host $_
+  Write-Host ">> StackTrace:"  
+  Write-Host $_.ScriptStackTrace
+}
+```
+
+## Script explanation
+
+For more details refer to [Secure WebHook delivery with Azure AD in Azure Event Grid](../secure-webhook-delivery.md)
@@ -0,0 +1,119 @@
+---
+title: Azure PowerShell - Secure WebHook delivery with Azure AD User in Azure Event Grid
+description: Describes how to deliver events to HTTPS endpoints protected by Azure AD User using Azure Event Grid
+ms.devlang: powershell
+ms.topic: sample
+ms.date: 09/29/2021
+---
+
+# Secure WebHook delivery with Azure AD User in Azure Event Grid
+
+This script provides the configuration to deliver events to HTTPS endpoints protected by Azure AD User using Azure Event Grid.
+
+## Sample script - stable
+
+```azurepowershell
+# NOTE: Before run this script ensure you are logged in Azure by using "az login" command.
+
+$webhookAppObjectId = "[REPLACE_WITH_YOUR_ID]"
+$eventSubscriptionWriterUserPrincipalName = "[REPLACE_WITH_USER_PRINCIPAL_NAME_OF_THE_USER_WHO_WILL_CREATE_THE_SUBSCRIPTION]"
+
+# Start execution
+try {
+
+    # Creates an application role of given name and description
+
+    Function CreateAppRole([string] $Name, [string] $Description)
+    {
+        $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
+        $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
+        $appRole.AllowedMemberTypes.Add("Application");
+        $appRole.AllowedMemberTypes.Add("User");
+        $appRole.DisplayName = $Name
+        $appRole.Id = New-Guid
+        $appRole.IsEnabled = $true
+        $appRole.Description = $Description
+        $appRole.Value = $Name;
+
+        return $appRole
+    }
+
+    # Creates Azure Event Grid Azure AD Application if not exists
+
+    $eventGridAppId = "4962773b-9cdb-44cf-a8bf-237846a00ab7" # You don't need to modify this id
+    $eventGridRoleName = "AzureEventGridSecureWebhookSubscriber" # You don't need to modify this role name
+    $eventGridSP = Get-AzureADServicePrincipal -Filter ("appId eq '" + $eventGridAppId + "'")
+    if ($eventGridSP -match "Microsoft.EventGrid")
+    {
+        Write-Host "The Azure AD Application is already defined.`n"
+    } else {
+        Write-Host "Creating the Azure Event Grid Azure AD Application"
+        $eventGridSP = New-AzureADServicePrincipal -AppId $eventGridAppId
+    }
+
+    # Creates the Azure app role for the webhook Azure AD application
+
+    $app = Get-AzureADApplication -ObjectId $webhookAppObjectId
+    $appRoles = $app.AppRoles
+
+    Write-Host "Azure AD App roles before addition of the new role..."
+    Write-Host $appRoles
+    
+    if ($appRoles -match $eventGridRoleName)
+    {
+        Write-Host "The Azure Event Grid role is already defined.`n"
+    } else {      
+        Write-Host "Creating the Azure Event Grid role in Azure AD Application: " $webhookAppObjectId
+        $newRole = CreateAppRole -Name $eventGridRoleName -Description "Azure Event Grid Role"
+        $appRoles.Add($newRole)
+        Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles
+    }
+
+    Write-Host "Azure AD App roles after addition of the new role..."
+    Write-Host $appRoles
+
+    # Creates the user role assignment for the user who will create event subscription
+
+    $servicePrincipal = Get-AzureADServicePrincipal -Filter ("appId eq '" + $app.AppId + "'")
+
+    try
+    {
+        Write-Host "Creating the Azure Ad App Role assignment for user: " $eventSubscriptionWriterUserPrincipalName
+        $eventSubscriptionWriterUser = Get-AzureAdUser -ObjectId $eventSubscriptionWriterUserPrincipalName
+        $eventGridAppRole = $app.AppRoles | Where-Object -Property "DisplayName" -eq -Value $eventGridRoleName
+        New-AzureADUserAppRoleAssignment -Id $eventGridAppRole.Id -ResourceId $servicePrincipal.ObjectId -ObjectId $eventSubscriptionWriterUser.ObjectId -PrincipalId $eventSubscriptionWriterUser.ObjectId        
+    }
+    catch
+    {
+        if( $_.Exception.Message -like '*Permission being assigned already exists on the object*')
+        {
+            Write-Host "The Azure AD User Application role is already defined.`n"
+        }
+        else
+        {
+            Write-Error $_.Exception.Message
+        }
+        Break
+    }
+
+    # Creates the service app role assignment for Event Grid Azure AD Application
+
+    $eventGridAppRole = $app.AppRoles | Where-Object -Property "DisplayName" -eq -Value $eventGridRoleName
+    New-AzureADServiceAppRoleAssignment -Id $eventGridAppRole.Id -ResourceId $servicePrincipal.ObjectId -ObjectId $eventGridSP.ObjectId -PrincipalId $eventGridSP.ObjectId
+    
+    # Print output references for backup
+
+    Write-Host ">> Webhook's Azure AD Application Id: $($app.AppId)"
+    Write-Host ">> Webhook's Azure AD Application ObjectId Id: $($app.ObjectId)"
+}
+catch {
+  Write-Host ">> Exception:"
+  Write-Host $_
+  Write-Host ">> StackTrace:"  
+  Write-Host $_.ScriptStackTrace
+}
+```
+
+## Script explanation
+
+For more details refer to [Secure WebHook delivery with Azure AD in Azure Event Grid](../secure-webhook-delivery.md)