
Commit 6af676e

Freshness
1 parent 41a740f commit 6af676e

2 files changed

+66
-48
lines changed

Lines changed: 65 additions & 47 deletions
@@ -1,51 +1,61 @@
11
---
2-
title: Event delivery, managed service identity, and private link
3-
description: This article describes how to enable managed service identity for an Azure Event Grid topic. Use it to forward events to supported destinations.
2+
title: Use Managed Identities to Deliver Events in Azure Event Grid
3+
description: Learn how to enable managed identities for Azure Event Grid topics and domains, and then use them to securely deliver events to destinations like Service Bus, Event Hubs, and Storage accounts.
4+
#customer intent: As a developer, I want to enable managed identities for Azure Event Grid topics so that I can securely deliver events to supported destinations.
45
ms.topic: how-to
5-
ms.custom: devx-track-azurecli
6-
ms.date: 12/12/2023
6+
ms.custom:
7+
- devx-track-azurecli
8+
- ai-gen-docs-bap
9+
- ai-gen-title
10+
- ai-seo-date:07/29/2025
11+
- ai-gen-description
12+
ms.date: 07/29/2025
713
---
814

9-
# Event delivery with a managed identity
10-
This article describes how to use a [managed service identity](/entra/identity/managed-identities-azure-resources/overview) for an Azure Event Grid system topic, custom topic, or domain. Use it to forward events to supported destinations such as Service Bus queues and topics, event hubs, and storage accounts.
11-
15+
# Use managed identities to deliver events in Azure Event Grid
16+
This article explains how to enable [managed service identities](/entra/identity/managed-identities-azure-resources/overview) for Azure Event Grid system topics, custom topics, and domains. It also explains how to use managed identities to deliver events to supported destinations, such as Service Bus queues and topics, event hubs, and storage accounts.
1217

1318
## Prerequisites
14-
1. Assign a system-assigned identity or a user-assigned identity to a system topic, a custom topic, or a domain.
15-
- For custom topics and domains, see [Enable managed identity for custom topics and domains](enable-identity-custom-topics-domains.md).
16-
- For system topics, see [Enable managed identity for system topics](enable-identity-system-topics.md)
17-
1. Add the identity to an appropriate role (for example, Service Bus Data Sender) on the destination (for example, a Service Bus queue). For detailed steps, see [Add identity to Azure roles on destinations](add-identity-roles.md)
1819

19-
> [!NOTE]
20-
> Currently, it's not possible to deliver events using [private endpoints](../private-link/private-endpoint-overview.md). For more information, see the [Private endpoints](#private-endpoints) section at the end of this article.
20+
1. Assign a system-assigned identity or user-assigned identity to a system topic, custom topic, or domain.
21+
22+
- For custom topics and domains, see [Enable managed identity for custom topics and domains](enable-identity-custom-topics-domains.md).
23+
- For system topics, see [Enable managed identity for system topics](enable-identity-system-topics.md).
24+
25+
1. Add the identity to an appropriate role, such as Service Bus Data Sender, on the destination, such as a Service Bus queue. For detailed steps, see [Add identity to Azure roles on destinations](add-identity-roles.md).
26+
27+
> [!NOTE]
28+
> Currently, it's not possible to deliver events using [private endpoints](../private-link/private-endpoint-overview.md). For more information, see the [Private endpoints](#private-endpoints) section at the end of this article.
2129
2230
## Create event subscriptions that use an identity
23-
After you have an Event Grid custom topic or system topic or domain with a managed identity and have added the identity to the appropriate role on the destination, you're ready to create subscriptions that use the identity.
31+
32+
After you set up an Event Grid custom topic, system topic, or domain with a managed identity and add the identity to the appropriate role on the destination, you're ready to create subscriptions that use the identity.
2433

2534
### Use the Azure portal
26-
When you create an event subscription, you see an option to enable the use of a system-assigned identity or user-assigned identity for an endpoint in the **ENDPOINT DETAILS** section.
2735

28-
Here's an example of enabling system-assigned identity while creating an event subscription with a Service Bus queue as a destination.
36+
When you create an event subscription, you see an option to enable the use of a system-assigned identity or user-assigned identity for an endpoint in the **ENDPOINT DETAILS** section.
37+
38+
This example shows how to enable a system-assigned identity while creating an event subscription with a Service Bus queue as a destination.
2939

30-
:::image type="content" source="./media/managed-service-identity/service-bus-queue-subscription-identity.png" alt-text="Screenshot that shows how to enable an identity when creating an event subscription for a Service Bus queue.":::
40+
:::image type="content" source="./media/managed-service-identity/service-bus-queue-subscription-identity.png" alt-text="Screenshot showing how to enable a system-assigned identity for a Service Bus queue subscription.":::
3141

32-
You can also enable using a system-assigned identity to be used for dead-lettering on the **Additional Features** tab.
42+
You can also enable a system-assigned identity for dead-lettering on the **Additional Features** tab.
3343

34-
![Screenshot that shows how to enable a system-assigned identity for dead-lettering.](./media/managed-service-identity/enable-deadletter-identity.png)
44+
:::image type="content" source="./media/managed-service-identity/enable-deadletter-identity.png" alt-text="Screenshot of enabling a system-assigned identity for dead-lettering.":::
3545

36-
You can enable a managed identity on an event subscription after it's created. On the **Event Subscription** page for the event subscription, switch to the **Additional Features** tab to see the option. You can also enable identity for dead-lettering on this page.
46+
Enable a managed identity on an event subscription after it's created. On the **Event Subscription** page for the event subscription, switch to the **Additional Features** tab to see the option. You can also enable identity for dead-lettering on this page.
3747

38-
:::image type="content" source="./media/managed-service-identity/event-subscription-additional-features.png" alt-text="Screenshot that shows how to enable a system-assigned identity on an existing event subscription.":::
48+
:::image type="content" source="./media/managed-service-identity/event-subscription-additional-features.png" alt-text="Screenshot of enabling a system-assigned identity on an existing event subscription.":::
3949

40-
If you had enabled user-assigned identities for the topic, you'll see user-assigned identity option enabled in the drop-down list for **Managed Identity Type**. If you select **User Assigned** for **Managed Identity Type**, you can then select the user-assigned identity that you want to use to deliver events.
50+
If you enable user-assigned identities for the topic, you see the user-assigned identity option enabled in the drop-down list for **Managed Identity Type**. If you select **User Assigned** for **Managed Identity Type**, you can then select the user-assigned identity that you want to use to deliver events.
4151

42-
:::image type="content" source="./media/managed-service-identity/event-subscription-user-identity.png" alt-text="Screenshot that shows how to enable a user-assigned identity on an event subscription.":::
52+
:::image type="content" source="./media/managed-service-identity/event-subscription-user-identity.png" alt-text="Screenshot of enabling a user-assigned identity on an event subscription.":::
4353

44-
### Use the Azure CLI - Service Bus queue
45-
In this section, you learn how to use the Azure CLI to enable the use of a system-assigned identity to deliver events to a Service Bus queue. The identity must be a member of the **Azure Service Bus Data Sender** role. It must also be a member of the **Storage Blob Data Contributor** role on the storage account that's used for dead-lettering.
54+
### Use the Azure CLI
55+
56+
In this section, you learn how to use the Azure CLI to enable the use of a system-assigned identity to deliver events to a Service Bus queue. The identity must be a member of the **Azure Service Bus Data Sender** role and the **Storage Blob Data Contributor** role on the storage account used for dead-lettering.
4657

4758
#### Define variables
48-
First, specify values for the following variables to be used in the CLI command.
4959

5060
```azurecli-interactive
5161
subid="<AZURE SUBSCRIPTION ID>"
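Review bot: the heading at new line 54 is renamed from `### Use the Azure CLI - Service Bus queue` to `### Use the Azure CLI`, but the sibling headings later in the file, `### Use the Azure CLI - Event Hubs` and `### Use the Azure CLI - Azure Storage queue`, keep their destination qualifier, so the first CLI section no longer says which destination it covers; keep the `- Service Bus queue` suffix. Also, new line 46 turns "You can enable a managed identity on an event subscription after it's created" into the imperative "Enable a managed identity on an event subscription after it's created", which reads as a required step rather than an option; restore "You can".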
@@ -54,11 +64,12 @@ topicname = "<EVENT GRID TOPIC NAME>"
5464
5565
# get the service bus queue resource id
5666
queueid=$(az servicebus queue show --namespace-name <SERVICE BUS NAMESPACE NAME> --name <QUEUE NAME> --resource-group <RESOURCE GROUP NAME> --query id --output tsv)
57-
sb_esname = "<Specify a name for the event subscription>"
67+
sb_esname = "<Specify a name for the event subscription>"
5868
```
5969

60-
#### Create an event subscription by using a managed identity for delivery
61-
This sample command creates an event subscription for an Event Grid custom topic with an endpoint type set to **Service Bus queue**.
70+
#### Create an event subscription by using a managed identity for delivery
71+
72+
This command creates an event subscription for an Event Grid custom topic with the endpoint type set to **Service Bus queue**.
6273

6374
```azurecli-interactive
6475
az eventgrid event-subscription create
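Review bot: `sb_esname = "<Specify a name for the event subscription>"` is removed and re-added unchanged (a whitespace-only edit), which is the right moment to drop the spaces around `=`: in bash, `sb_esname = "..."` runs `sb_esname` as a command instead of assigning a variable, so `$sb_esname` expands to an empty string in the `az eventgrid event-subscription create` call below. The same applies to `topicname = "<EVENT GRID TOPIC NAME>"` in this hunk's header context. Write them as `sb_esname="<Specify a name for the event subscription>"`.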
@@ -70,7 +81,8 @@ az eventgrid event-subscription create
7081
```
7182

7283
#### Create an event subscription by using a managed identity for delivery and dead-lettering
73-
This sample command creates an event subscription for an Event Grid custom topic with an endpoint type set to **Service Bus queue**. It also specifies that the system-managed identity is to be used for dead-lettering.
84+
85+
This sample command creates an event subscription for an Event Grid custom topic with an endpoint type set to **Service Bus queue**. It also specifies that the system-managed identity is to be used for dead-lettering.
7486

7587
```azurecli-interactive
7688
storageid=$(az storage account show --name demoStorage --resource-group gridResourceGroup --query id --output tsv)
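Review bot: the description at new line 85 is re-added verbatim, so "system-managed identity" survives while the rest of the article says "system-assigned identity", and the previous hunk trimmed the same opening from "This sample command" to "This command"; suggest "This command creates an event subscription ... It also specifies that the system-assigned identity is used for dead-lettering." The context line `--name demoStorage --resource-group gridResourceGroup` also hard-codes names where the variables block uses `<PLACEHOLDER>` values; consider `<STORAGE ACCOUNT NAME>` and `<RESOURCE GROUP NAME>` for consistency.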
@@ -86,21 +98,24 @@ az eventgrid event-subscription create
8698
-n $sb_esnameq
8799
```
88100

89-
### Use the Azure CLI - Event Hubs
90-
In this section, you learn how to use the Azure CLI to enable the use of a system-assigned identity to deliver events to an event hub. The identity must be a member of the **Azure Event Hubs Data Sender** role. It must also be a member of the **Storage Blob Data Contributor** role on the storage account that's used for dead-lettering.
101+
### Use the Azure CLI - Event Hubs
102+
103+
In this section, you learn how to use the Azure CLI to enable the use of a system-assigned identity to deliver events to an event hub. The identity must be a member of the **Azure Event Hubs Data Sender** role. It must also be a member of the **Storage Blob Data Contributor** role on the storage account that's used for dead-lettering.
91104

92105
#### Define variables
106+
93107
```azurecli-interactive
94108
subid="<AZURE SUBSCRIPTION ID>"
95109
rg = "<RESOURCE GROUP of EVENT GRID CUSTOM TOPIC>"
96110
topicname = "<EVENT GRID CUSTOM TOPIC NAME>"
97111
98112
hubid=$(az eventhubs eventhub show --name <EVENT HUB NAME> --namespace-name <NAMESPACE NAME> --resource-group <RESOURCE GROUP NAME> --query id --output tsv)
99-
eh_esname = "<SPECIFY EVENT SUBSCRIPTION NAME>"
113+
eh_esname = "<SPECIFY EVENT SUBSCRIPTION NAME>"
100114
```
101115

102-
#### Create an event subscription by using a managed identity for delivery
103-
This sample command creates an event subscription for an Event Grid custom topic with an endpoint type set to **Event Hubs**.
116+
#### Create an event subscription by using a managed identity for delivery
117+
118+
This sample command creates an event subscription for an Event Grid custom topic with an endpoint type set to **Event Hubs**.
104119

105120
```azurecli-interactive
106121
az eventgrid event-subscription create
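Review bot: the unchanged context line `-n $sb_esnameq` at the top of this hunk references a variable that is never defined; the variables block sets `sb_esname`, so the command would pass an empty subscription name (the trailing `q` looks like a typo). Since the surrounding lines are being touched, fix it to `-n $sb_esname`. The re-added `eh_esname = "<SPECIFY EVENT SUBSCRIPTION NAME>"` has the same spaces around `=` as the Service Bus section and will not assign anything in bash.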
@@ -111,8 +126,9 @@ az eventgrid event-subscription create
111126
-n $sbq_esname
112127
```
113128

114-
#### Create an event subscription by using a managed identity for delivery + deadletter
115-
This sample command creates an event subscription for an Event Grid custom topic with an endpoint type set to **Event Hubs**. It also specifies that the system-managed identity is to be used for dead-lettering.
129+
#### Create an event subscription by using a managed identity for delivery + deadletter
130+
131+
This sample command creates an event subscription for an Event Grid custom topic with an endpoint type set to **Event Hubs**. It also specifies that the system-managed identity is to be used for dead-lettering.
116132

117133
```azurecli-interactive
118134
storageid=$(az storage account show --name demoStorage --resource-group gridResourceGroup --query id --output tsv)
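Review bot: `-n $sbq_esname` in the context line at the top of this hunk does not match the `eh_esname` variable defined in this section's variables block, and `sbq_esname` is not defined anywhere in the file, so the Event Hubs subscription would be created with an empty name; change it to `-n $eh_esname`, which the dead-letter variant below already uses. The heading re-added at new line 129, `delivery + deadletter`, also differs from the Service Bus section's `delivery and dead-lettering`; align the wording.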
@@ -128,10 +144,11 @@ az eventgrid event-subscription create
128144
-n $eh_esname
129145
```
130146

131-
### Use the Azure CLI - Azure Storage queue
147+
### Use the Azure CLI - Azure Storage queue
148+
132149
In this section, you learn how to use the Azure CLI to enable the use of a system-assigned identity to deliver events to an Azure Storage queue. The identity must be a member of the **Storage Queue Data Message Sender** role on the storage account. It must also be a member of the **Storage Blob Data Contributor** role on the storage account that's used for dead-lettering.
133150

134-
#### Define variables
151+
#### Define variables
135152

136153
```azurecli-interactive
137154
subid="<AZURE SUBSCRIPTION ID>"
@@ -142,12 +159,12 @@ topicname = "<EVENT GRID CUSTOM TOPIC NAME>"
142159
storageid=$(az storage account show --name <STORAGE ACCOUNT NAME> --resource-group <RESOURCE GROUP NAME> --query id --output tsv)
143160
144161
# build the resource id for the queue
145-
queueid="$storageid/queueservices/default/queues/<QUEUE NAME>"
162+
queueid="$storageid/queueservices/default/queues/<QUEUE NAME>"
146163
147-
sa_esname = "<SPECIFY EVENT SUBSCRIPTION NAME>"
164+
sa_esname = "<SPECIFY EVENT SUBSCRIPTION NAME>"
148165
```
149166

150-
#### Create an event subscription by using a managed identity for delivery
167+
#### Create an event subscription by using a managed identity for delivery
151168

152169
```azurecli-interactive
153170
az eventgrid event-subscription create
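Review bot: `sa_esname = "<SPECIFY EVENT SUBSCRIPTION NAME>"` is re-added with the spaces around `=` kept, so the assignment does not take effect in bash and `-n $sa_esname` below receives an empty name; write `sa_esname="<SPECIFY EVENT SUBSCRIPTION NAME>"`. `queueid="$storageid/queueservices/default/queues/<QUEUE NAME>"` is fine as a quoted string, but it expands `$storageid` at assignment time, so it depends on the `az storage account show` line above it (new line 160) having run first; a comment saying so would help readers who paste lines individually.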
@@ -158,7 +175,7 @@ az eventgrid event-subscription create
158175
-n $sa_esname
159176
```
160177

161-
#### Create an event subscription by using a managed identity for delivery + deadletter
178+
#### Create an event subscription by using a managed identity for delivery + deadletter
162179

163180
```azurecli-interactive
164181
storageid=$(az storage account show --name demoStorage --resource-group gridResourceGroup --query id --output tsv)
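Review bot: `storageid=$(az storage account show --name demoStorage --resource-group gridResourceGroup ...)` in the context line reassigns the `storageid` variable that this section's variables block already set from `<STORAGE ACCOUNT NAME>` (new line 160), and it uses hard-coded names where the rest of the section uses placeholders. If the dead-letter account can differ from the queue's account, use a distinct variable such as `dlstorageid` with a placeholder; if it is the same account, drop the reassignment. The heading `delivery + deadletter` should also read `delivery and dead-lettering` to match the Service Bus section.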
@@ -175,12 +192,13 @@ az eventgrid event-subscription create
175192
```
176193

177194
## Private endpoints
178-
Currently, it's not possible to deliver events using [private endpoints](../private-link/private-endpoint-overview.md). That is, there's no support if you have strict network isolation requirements where your delivered events traffic must not leave the private IP space.
179195

180-
However, if your requirements call for a secure way to send events using an encrypted channel and a known identity of the sender (in this case, Event Grid) using public IP space, you could deliver events to Event Hubs, Service Bus, or Azure Storage service using an Azure Event Grid custom topic or a domain with a managed identity as shown in this article. Then, you can use a private link configured in Azure Functions or your webhook deployed on your virtual network to pull events. See the tutorial: [Connect to private endpoints with Azure Functions](../azure-functions/functions-create-vnet.md).
196+
Currently, it's not possible to deliver events using [private endpoints](../private-link/private-endpoint-overview.md). That is, there's no support if you have strict network isolation requirements where your delivered events traffic must not leave the private IP space.
181197

182-
Under this configuration, the traffic goes over the public IP/internet from Event Grid to Event Hubs, Service Bus, or Azure Storage, but the channel can be encrypted and a managed identity of Event Grid is used. If you configure your Azure Functions or webhook deployed to your virtual network to use an Event Hubs, Service Bus, or Azure Storage via private link, that section of the traffic will evidently stay within Azure.
198+
However, if your requirements call for a secure way to send events using an encrypted channel and a known identity of the sender (in this case, Event Grid) using public IP space, you could deliver events to Event Hubs, Service Bus, or Azure Storage service using an Azure Event Grid custom topic or a domain with a managed identity as shown in this article. You can then use a private link configured in Azure Functions or a webhook deployed on your virtual network to pull events. See the tutorial: [Connect to private endpoints with Azure Functions](../azure-functions/functions-create-vnet.md).
183199

200+
Under this configuration, the traffic goes over the public IP/internet from Event Grid to Event Hubs, Service Bus, or Azure Storage, but the channel can be encrypted and a managed identity of Event Grid is used. If you configure Azure Functions or a webhook deployed to your virtual network to use Event Hubs, Service Bus, or Azure Storage via private link, that section of the traffic stays within Azure.
184201

185202
## Next steps
186-
To learn about managed identities, see [What are managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview).
203+
204+
To learn about managed identities, see [what are managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview).
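Review bot: the link text at new line 204 is lowercased to `[what are managed identities for Azure resources]`, but it is the title of the target article and was capitalized before this change (`[What are managed identities for Azure resources]`); keep the title case. The Private endpoints paragraphs are otherwise re-added with only minor edits, and "that section of the traffic stays within Azure" is a clearer statement than "will evidently stay".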

articles/event-grid/subscribe-to-graph-api-events.md

Lines changed: 1 addition & 1 deletion
@@ -236,7 +236,7 @@ Web application samples are available for the following languages:
236236
- [Node.js sample](https://github.com/microsoftgraph/nodejs-webhooks-sample).
237237
238238
> [!IMPORTANT]
239-
> You need to activate your partner topic that is created as part of your Graph API subscription creation. You also need to create an Event Grid event subscription to your web application to receive events. To that end, you use the URL configured in your web application to receive events as a webhook endpoint in your event subscription. [Next steps](#next-steps) for more information.
239+
> You need to activate your partner topic that is created as part of your Graph API subscription creation. You also need to create an Event Grid event subscription to your web application to receive events. To that end, you use the URL configured in your web application to receive events as a webhook endpoint in your event subscription.
240240
241241
> [!IMPORTANT]
242242
> Need sample code for another language or have questions? Email [[email protected]](mailto:[email protected]?subject=Need%20support%20for%20sample%20in%20other%20language).
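Review bot: dropping `[Next steps](#next-steps) for more information.` fixes a sentence fragment but also removes the only pointer from this note to the steps for activating the partner topic and creating the webhook event subscription; rather than deleting it, complete the sentence: `See [Next steps](#next-steps) for more information.`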
