
Commit c7fe19a

Merge pull request #290252 from MicrosoftDocs/release-ignite-2024-event-grid
[Ignite 2024 ship room] Azure Event Grid - 317201
2 parents 5d3682f + 2675bc7 commit c7fe19a

44 files changed (+355 / -18 lines changed)

Lines changed: 86 additions & 0 deletions
@@ -0,0 +1,86 @@
1+
---
2+
title: Network security perimeter in Azure Event Grid
3+
description: This article shows how to configure network security perimeter in Azure Event Grid. This feature is currently in preview.
4+
ms.topic: how-to
5+
ms.date: 11/18/2024
6+
# Customer intent: I want to know how to configure network security perimeter in Azure Event Grid.
7+
---
8+
9+
# Network security perimeter in Azure Event Grid (Preview)
10+
Network security perimeter is a framework created to manage public traffic to Azure Platform-as-a-Service (PaaS) resources, and traffic between those PaaS resources. The basic building block is a **perimeter**, a group of PaaS resources that can communicate freely with each other. The perimeter defines a boundary with implicit trust access between each resource. This perimeter can have sets of inbound and outbound access rules.
11+
12+
This article shows you how to associate a network security perimeter with an Event Grid topic or a domain.
13+
14+
> [!NOTE]
15+
> The Network security perimeter configuration is currently available only for topics and domains under the **Networking** setting.
16+
17+
## Prerequisites
18+
The following procedure assumes that you have the following Azure resources:
19+
20+
- An Event Grid topic or a domain
21+
- An Event Hubs namespace with an event hub. The event hub is used as an event handler in the example.
22+
23+
## Create a network security perimeter
24+
First, you create a network security perimeter and add the Event Grid domain and the Event Hubs namespace resources to it.
25+
26+
1. In the [Azure portal](https://portal.azure.com), search for and navigate to the **Network Security Perimeters** page, and select **Create** on the toolbar or **Create network security perimeter** on the page.
27+
28+
:::image type="content" source="./media/configure-network-security-perimeter/create-network-security-perimeter-button.png" alt-text="Screenshot that shows Network Security Perimeters page with Create button selected." lightbox="./media/configure-network-security-perimeter/create-network-security-perimeter-button.png":::
29+
1. On the **Create a network security perimeter** wizard, follow these steps:
30+
1. Select your Azure subscription, resource group, and region in which you want to create the network security perimeter.
31+
1. Enter a **name** for the perimeter.
32+
1. For **profile name**, enter a name for the default profile.
33+
1. Select **Next** at the bottom of the page.
34+
35+
:::image type="content" source="./media/configure-network-security-perimeter/create-network-security-perimeter-page.png" alt-text="Screenshot that shows Create a network security perimeter page." lightbox="./media/configure-network-security-perimeter/create-network-security-perimeter-page.png":::
36+
1. On the **Resources** page, select **Add**. Then, on the **Select resources** page, select resources you want in your perimeter. For example, you can add an Azure Event Grid domain and an Azure Event Hubs namespace that's used as an event handler or destination. Then, select **Next**.
37+
38+
:::image type="content" source="./media/configure-network-security-perimeter/perimeter-resources.png" alt-text="Screenshot that shows Select resources page for a perimeter." lightbox="./media/configure-network-security-perimeter/perimeter-resources.png":::
39+
1. On the **Inbound access rules** page, select **Add inbound access rule**.
40+
1. On the **Add inbound access rule** page, select the source type. You can use this setting to allow inbound access to specific IP address ranges or subscriptions. When you're done, select **Next** at the bottom of the page.
41+
42+
:::image type="content" source="./media/configure-network-security-perimeter/add-inbound-access-rule.png" alt-text="Screenshot that shows Add inbound access rule." lightbox="./media/configure-network-security-perimeter/add-inbound-access-rule.png":::
43+
1. On the **Outbound access rules** page, if you want to allow egress access, select **Add outbound access rule**.
44+
1. On the **Add outbound access rule** page, select the fully qualified domain (FQDN) destination.
45+
46+
:::image type="content" source="./media/configure-network-security-perimeter/add-outbound-access-rule.png" alt-text="Screenshot that shows Add outbound access rule." lightbox="./media/configure-network-security-perimeter/add-outbound-access-rule.png":::
47+
1. Select **Next** to navigate to the **Tags**, and then select **Next** again to move on to the **Review + create** page.
48+
1. On the **Review + create** page, review the configuration, and select **Create** to create the security perimeter.
49+
50+
:::image type="content" source="./media/configure-network-security-perimeter/review-create-page.png" alt-text="Screenshot that shows the Review + create page." lightbox="./media/configure-network-security-perimeter/review-create-page.png":::
51+
1. Once the network security perimeter resource is created, you find it in the resource group you specified.
52+
53+
:::image type="content" source="./media/configure-network-security-perimeter/resource-group-page.png" alt-text="Screenshot that shows the Resource group page with the network security perimeter resource." lightbox="./media/configure-network-security-perimeter/resource-group-page.png":::
54+
55+
56+
## Configure the network security perimeter
57+
In this step, you associate the network security perimeter you created in the previous step with the Event Grid domain. To configure network security perimeter for a topic or a domain, use the **Networking** tab on **Event Grid Topic** or **Event Grid Domain** page.
58+
59+
1. On the **Event Grid Topic** or **Event Grid Domain** page, select **Networking** under **Settings** on the left navigation menu. The screenshots and steps in this article use an example Azure Event Grid domain. The steps for the topic are identical.
60+
1. On the **Networking** page, select **Manage**.
61+
62+
:::image type="content" source="./media/configure-network-security-perimeter/networking-page-manage-button.png" alt-text="Screenshot that shows the Networking page with the Manage button selected." lightbox="./media/configure-network-security-perimeter/networking-page-manage-button.png":::
63+
1. On the **Public network access** page, select **Secured by perimeter (Most restricted)**, and then select **Save**.
64+
65+
:::image type="content" source="./media/configure-network-security-perimeter/secured-by-perimeter-setting.png" alt-text="Screenshot that shows the selection of Secured by perimeter setting." lightbox="./media/configure-network-security-perimeter/secured-by-perimeter-setting.png":::
66+
67+
**Network security perimeter** restricts inbound and outbound access offering the greatest level of inbound and outbound restriction to secure the Azure Event Grid resource.
68+
1. Now, it’s time to associate the network security perimeter with the Azure Event Grid domain or topic in the **Networking** settings by selecting **Associate**.
69+
70+
:::image type="content" source="./media/configure-network-security-perimeter/associate-button.png" alt-text="Screenshot that shows the Networking page with Associate button selected." lightbox="./media/configure-network-security-perimeter/associate-button.png":::
71+
1. On the **Associate a network security perimeter** page, choose **Select network security perimeter**.
72+
73+
:::image type="content" source="./media/configure-network-security-perimeter/select-perimeter-link.png" alt-text="Screenshot that shows the Associate a network security perimeter page with the Select network security perimeter link selected.":::
74+
1. Search for the network security perimeter resource, and select the resource.
75+
76+
:::image type="content" source="./media/configure-network-security-perimeter/select-perimeter.png" alt-text="Screenshot that shows the Select network security perimeter page.":::
77+
1. Now, on the **Associate a network security perimeter** page, select the **profile**, and then select **Associate**.
78+
79+
:::image type="content" source="./media/configure-network-security-perimeter/select-profile.png" alt-text="Screenshot that shows the Select network security perimeter page with a profile selected.":::
80+
1. Now you see the network security perimeter associated with your Azure Event Grid domain or topic resource.
81+
82+
:::image type="content" source="./media/configure-network-security-perimeter/network-security-perimeter-filled.png" alt-text="Screenshot that shows the Networking page with the perimeter selected." lightbox="./media/configure-network-security-perimeter/network-security-perimeter-filled.png":::
83+
84+
## Considerations when using network security perimeter
85+
This article discusses a scenario involving Azure Event Grid domains and Azure Event Hubs as destination. In this scenario, you enable managed identity for the Azure Event Grid domain, and then assign identity the Event Hubs Data Sender role on the Event Hubs namespace. For more information, see [Event delivery, managed service identity, and private link](managed-service-identity.md#use-the-azure-cli---event-hubs).
86+
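Review bot: the sentence at line 67 ("**Network security perimeter** restricts inbound and outbound access offering the greatest level of inbound and outbound restriction...") sits unlabelled between list items 3 and 4 and repeats itself; fold it into step 3 as a short note, e.g. "**Secured by perimeter** is the most restrictive option: inbound and outbound traffic is allowed only by the perimeter's access rules." Two smaller points in the same hunk: line 44 should read "fully qualified domain name (FQDN) destination", and the inbound-rule step at line 40 would benefit from a sentence telling readers to scope the IP ranges or subscriptions to the minimum required, since every source added there can reach the resources inside the perimeter.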
Lines changed: 97 additions & 0 deletions
@@ -0,0 +1,97 @@
1+
---
2+
title: Cross-tenant delivery in Azure Event Grid
3+
description: Describes how to publish and deliver events across tenants using an Azure Event Grid topic with a user-assigned identity.
4+
ms.topic: how-to
5+
ms.custom: devx-track-azurecli
6+
ms.date: 11/18/2024
7+
# Customer intent: As a developer, I want to know how to delivery events using managed identity to a destination in another tenant.
8+
---
9+
10+
# Cross-tenant event delivery using a managed identity
11+
This article provides information on delivery of events where Azure Event Grid basic resources like topics, domains, system topics, and partner topics are in one tenant and the Azure destination resource is in another tenant.
12+
13+
The following sections show you how to implement a sample scenario where an Azure Event Grid topic with a user-assigned identity as a federated credential delivers events to an Azure Storage Queue destination hosted in another tenant. Here are the high-level steps:
14+
15+
1. Create an Azure Event Grid topic with a user-assigned managed identity in Tenant A.
16+
1. Create a multitenant app with a federated client credential.
17+
1. Create an Azure Storage Queue destination in Tenant B.
18+
1. While creating an event subscription to the topic, enable cross-tenant delivery and configure an endpoint.
19+
20+
> [!NOTE]
21+
> - This feature is currently in preview.
22+
> - Cross-tenant delivery is currently available for the following endpoints: Service Bus topics and queues, Event Hubs, and Storage queues.
23+
24+
## Create a topic with a user-assigned identity (Tenant A)
25+
Create a user-assigned identity by following instructions in the [Manage user-assigned managed identities](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities) article. Then, enable a user-assigned managed identity while creating a topic or updating an existing topic by using steps in the following procedure.
26+
27+
### Enable user-assigned identity for a new topic
28+
1. On the **Security** page of the topic or domain creation wizard, select **Add user assigned identity**.
29+
1. In the **Select user assigned identity** window, select the subscription that has the user-assigned identity, select the **user-assigned identity**, and then choose **Select**.
30+
31+
:::image type="content" source="./media/managed-service-identity/create-page-add-user-assigned-identity-link.png" alt-text="Screenshot showing the Enable user-assigned identity option selected." lightbox="./media/managed-service-identity/create-page-add-user-assigned-identity-link.png":::
32+
33+
34+
### Enable user-assigned identity for an existing topic
35+
1. On the **Identity** page, switch to the **User assigned** tab in the right pane, and then select **+ Add** on the toolbar.
36+
37+
:::image type="content" source="./media/managed-service-identity/user-assigned-identity-add-button.png" alt-text="Screenshot showing the User Assigned Identity tab.":::
38+
1. In the **Add user managed identity** window, follow these steps:
39+
1. Select the **Azure subscription** that has the user-assigned identity.
40+
1. Select the **user-assigned identity**.
41+
1. Select **Add**.
42+
1. Refresh the list in the **User assigned** tab to see the added user-assigned identity.
43+
44+
45+
For more information, see the following articles:
46+
- [Enable user-assigned identity for a system topic](enable-identity-system-topics.md)
47+
- [Enable user-assigned identity for a custom topic or a domain](enable-identity-custom-topics-domains.md)
48+
49+
## Create a multitenant Application
50+
51+
1. Create a Microsoft Entra app and update the registration to be multitenant. For details, see [Enable multitenant registration](/entra/identity-platform/howto-convert-app-to-be-multi-tenant#update-registration-to-be-multitenant).
52+
53+
:::image type="content" source="./media/cross-tenant-delivery-using-managed-identity/multi-tenant-app.png" alt-text="Screenshot that shows the Microsoft Entra app authentication setting set to Multitenant." lightbox="./media/cross-tenant-delivery-using-managed-identity/multi-tenant-app.png":::
54+
1. Create the federated identity credential relationship between multitenant app and the user-assigned identity of the Event Grid topic using Graph API.
55+
56+
:::image type="content" source="./media/cross-tenant-delivery-using-managed-identity/federated-identity-credential-post-api.png" alt-text="Screenshot that shows the sample POST method to enable federated identity credential relationship between multitenant app and user-assigned identity." lightbox="./media/cross-tenant-delivery-using-managed-identity/federated-identity-credential-post-api.png":::
57+
58+
- In the URL, use the multitenant app object ID.
59+
- For **Name**, provide a unique name for the federated client credential.
60+
- For **Issuer**, use `https://login.microsoftonline.com/TENANTAID/v2.0` where `TENANTAID` is the ID of the tenant where the user-assigned identity is located.
61+
- For **Subject**, specify the client ID of the user-assigned identity.
62+
63+
Verify and wait for the API call to succeed.
64+
1. Once the API call succeeds, proceed to verify that the federated client credential is set up correctly on the multitenant app.
65+
66+
:::image type="content" source="./media/cross-tenant-delivery-using-managed-identity/certificates-secrets-federated-credential.png" alt-text="Screenshot that shows the certificates and secrets page of the multitenant app." lightbox="./media/cross-tenant-delivery-using-managed-identity/certificates-secrets-federated-credential.png":::
67+
68+
> [!NOTE]
69+
> The subject identifier is the client ID of the user-assigned identity on the topic.
70+
71+
## Create destination storage account (Tenant B)
72+
Create a storage account in a tenant that's different from the tenant that has the source Event Grid topic and user-assigned identity. You create an event subscription to the topic (in tenant A) using the storage account (in tenant B) later.
73+
74+
1. Create a storage account by following instructions from the [Create a storage account](../storage/common/storage-account-create.md#create-a-storage-account) article.
75+
1. Using the **Access Control (IAM)** page, add the multitenant app to the appropriate role so that the app can send events to the storage account. For example: Storage Account Contributor, Storage Queue Data Contributor, Storage Queue Data Message Sender. For instructions, see [Assign an Azure role for an Azure queue](../storage/queues/assign-azure-role-data-access.md#assign-an-azure-role).
76+
77+
:::image type="content" source="./media/cross-tenant-delivery-using-managed-identity/storage-role.png" alt-text="Screenshot that shows the Access Control (IAM) page for the storage account." lightbox="./media/cross-tenant-delivery-using-managed-identity/storage-role.png":::
78+
79+
80+
## Enable cross-tenant delivery and configure the endpoint
81+
Create an event subscription on the topic with federated client credential information passed to deliver to the destination storage account.
82+
83+
1. While creating an event subscription, enable **cross-tenant delivery** and select **Configure an endpoint**.
84+
85+
:::image type="content" source="./media/cross-tenant-delivery-using-managed-identity/create-subscription-cross-tenant.png" alt-text="Screenshot that shows the Create Event Subscription page with Cross-tenant delivery option enabled." lightbox="./media/cross-tenant-delivery-using-managed-identity/create-subscription-cross-tenant.png":::
86+
1. On the **Endpoint** page, specify the subscription ID, resource group, storage account name, and the queue name in Tenant B.
87+
88+
:::image type="content" source="./media/cross-tenant-delivery-using-managed-identity/endpoint.png" alt-text="Screenshot that shows the Endpoint page." lightbox="./media/cross-tenant-delivery-using-managed-identity/endpoint.png":::
89+
1. Now, in the **Managed Identity for Delivery** section, do these steps:
90+
1. For **Managed identity type**, select **User Assigned**.
91+
1. Select the **user-assigned identity** from the drop-down list.
92+
1. For **Federated identity credentials**, enter the multitenant application ID.
93+
94+
:::image type="content" source="./media/cross-tenant-delivery-using-managed-identity/managed-identity-for-delivery.png" alt-text="Screenshot that shows the Create Event Subscription page with the managed identity specified." lightbox="./media/cross-tenant-delivery-using-managed-identity/managed-identity-for-delivery.png":::
95+
1. Select **Create** at the bottom of the page to create the event subscription.
96+
97+
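Review bot: the role list at line 75 ("Storage Account Contributor, Storage Queue Data Contributor, Storage Queue Data Message Sender") should name the least-privileged choice instead of presenting the three as equivalent: Storage Queue Data Message Sender is the narrowest of the three and is what a delivery identity needs to enqueue messages, so recommend it and mention the broader roles only as alternatives. Also, line 61 and the note at line 69 both say the **Subject** is the client ID of the user-assigned identity; managed identities carry both a client ID and an object (principal) ID, so confirm which GUID the federated credential expects and state it once, unambiguously, since a wrong value results in failed deliveries. Typos: line 7 "how to delivery events" should be "how to deliver events", and line 97 needs articles ("publish an event to the topic and verify that it's delivered to the destination storage account").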
Now, publish event to topic and verify event is delivered successfully to destination storage account.

articles/event-grid/custom-domains-namespaces.md

Lines changed: 1 addition & 5 deletions
@@ -2,9 +2,7 @@
22
title: Custom domains for Azure Event Grid hostnames
33
description: This article describes how custom domain names can be assigned to your Event Grid namespace's MQTT and HTTP host names along with the default host names.
44
ms.topic: how-to
5-
ms.custom:
6-
- build-2024
7-
ms.date: 05/21/2024
5+
ms.date: 11/18/2024
86
author: george-guirguis
97
ms.author: geguirgu
108
---
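Review bot: besides the `ms.date` bump, this hunk also drops the `ms.custom: - build-2024` metadata at lines 5-7; if that removal is intended as part of the GA change it's fine, but it should be called out in the PR description since `ms.custom` tags are used for content tracking and the change is otherwise easy to miss.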
@@ -14,8 +12,6 @@ The Event Grid namespace is automatically assigned an HTTP hostname at the time
1412

1513
You can assign your custom domain names to your Event Grid namespace’s MQTT and HTTP host names, along with the default host names. Custom domain configurations not only help you to meet your security and compliance requirements, but also eliminates the need to modify your clients that are already linked to your domain.
1614

17-
> [!NOTE]
18-
> This feature is currently in preview.
1915

2016
## High-level steps
2117
