authentication azure-functions azure-eventgrid

EventGrid Trigger on Authenticated Azure Function App

I have an Azure Function App with several different functions. Some of which with an HTTP trigger and one with an Event Grid Trigger.

I want to force authentication on the HTTP triggers but when I enable that, my Event Grid can't trigger the function that should be triggered. This is the error I get in Log Analytics:

outcome=Unauthorized
latencyInMs=1600
id=0f82d947-028f-4fda-8f02-ff2b5b91997d
outputEventSystemId=61e3220c-ca44-42d3-a747-42ed44104871
state=FilteredFailingDelivery
deliveryTime=12/6/2024 3:13:39 PM
deliveryCount=0
probationCount=1
deliverySchema=EventGridEvent
trackedSystemTopicState=CreatedExplicitlyByUser
eventSubscriptionDeliverySchema=EventGridEvent
outputEventFields=InputEvent| EventSubscriptionId| DeliveryTime| State| Id| ProbationCount| LastHttpStatusCode| LastDeliveryOutcome| DeliverySchema| LastDeliveryAttemptTime| SystemId| UseMappedResourceArmIdForBilling| TrackedSystemTopicState
outputEventFieldCount=12
dedicatedQueueDeliveryQueueId=
requestExpiration=1/1/0001 12:00:00 AM
delivered=False id=40706be1-9f96-4b99-9fda-7a940e8cf1b7
inputEventSystemId=d11146fa-4136-4fad-9388-097739fa3b0c publishTime=12/6/2024 3:13:38 PM
eventTime=12/6/2024 3:13:37 PM
eventType=Microsoft.AppConfiguration.KeyValueModified
deliveryTime=1/1/0001 12:00:00 AM
filteringState=FilteringPending
inputSchema=EventGridEvent
publisher=MICROSOFT-APPCONFIGURATION-CONFIGURATIONSTORES.WESTEUROPE-1.EVENTGRID.AZURE.NET
size=682
subject=https://appconfiguration.azconfig.io/kv/qwerty?label=apmgroup-Group1&api-version=2023-10-01
inputEventFields=Id| PublishTime| SerializedBody| EventType| Topic| Subject| FilteringHashCode| SystemId| Publisher| FilteringTopic| TopicCategory| DataVersion| MetadataVersion| InputSchema| EventTime| FilteringPolicy
inputEventFieldCount=16
type=AzureFunction
subType=NotApplicable
supportsBatching=False
aadIntegration=False
managedIdentityType=None
armId=/subscriptions/<subid>/resourceGroups/<rgname>/providers/Microsoft.Web/sites/<function app name>/functions/<function name>
deliveryResponse=Unauthorized
errorCode=Unauthorized
HttpRequestMessage: httpVersion=1.1
HttpResponseMessage: HttpVersion=1.1
StatusCode=Unauthorized(Unauthorized)
StatusDescription=Unauthorized
IsRedirected=False
RedirectUrl=

Is there a way to exclude the Event Grid from having to authorize? Or is there another possible solution?

Solution

As Sampath said, I have to set up webhooks to get this to work. I needed a whole day to get this to work with the authentication but eventually, the key settings were

The app registration being used in the EventGrid subscription (in the Event Subscription settings: Additional Features > Microsoft Entra Auth) needs to be a different app registration than the one used for authentication in the Azure Function App settings
Microsoft Identity provider in the Function App Authentication Settings should be configured with:
- Allowed token audiences = App Id used in the EventGrid Subscription (see first bullet point)
- Client application requirement = Allow requests from specific client applications
  - App Id for the identity provider itself (to be found on the same page)
  - 4962773b-9cdb-44cf-a8bf-237846a00ab7 (= Microsoft.EventGrid Enterprise Application App Id, don't change this - this was missing from the Microsoft example scripts to be found here)

edit: should have read this article better. It tells you to go find the Microsoft.EventGrid Enterprise Application App Id...