Event Grid Security and Access Control
Azure Event Grid has security at three levels: publishing security (who can send events to a topic), subscription management security (who can create and manage subscriptions), and delivery security (how events are delivered securely to handlers). Each level has dedicated authentication and authorization mechanisms.
Security Level Overview
```text
+──────────────────────────────────────────────────────────────────────────+
|                       EVENT GRID SECURITY LAYERS                         |
|                                                                          |
| Layer 1: Publishing Security                                             |
|   Publisher --> [SAS Key or AAD Token] --> Topic Endpoint                |
|                                                                          |
| Layer 2: Subscription Management Security                                |
|   Admin/Dev --> [Azure RBAC] --> Create/Update/Delete Subscriptions      |
|                                                                          |
| Layer 3: Delivery Security                                               |
|   Event Grid --> [HTTPS + AAD Token or Managed Identity] --> Handler     |
+──────────────────────────────────────────────────────────────────────────+
```
Layer 1: Publishing Security (Custom Topics)
Custom Topics expose an HTTPS endpoint for publishers. Any publisher that sends events to a Custom Topic must authenticate. Three authentication methods are available.
Method 1: Access Keys (SAS Keys)
Each Custom Topic has two access keys (key1 and key2). Publishers include one of these keys in the HTTP request header as aeg-sas-key. Two keys exist so one can be rotated without disrupting the other.
```text
HTTP POST https://myorders.eastus-1.eventgrid.azure.net/api/events
Headers:
  Content-Type: application/json
  aeg-sas-key: ABcd1234EfGH5678ijklMNOP90qrSTUVwxyz==
Body:
  [ { ...event... } ]
```
Access keys are simple to use but carry security risks. The key is a shared secret. If the key leaks, any application can publish events to the topic. Rotate keys regularly and store them in Azure Key Vault rather than in code or config files.
Method 2: SAS Tokens (Shared Access Signature Tokens)
A SAS token is a time-limited token derived from the access key. It includes an expiry time and is scoped to a specific resource URL. Publishers generate a SAS token programmatically and include it in the HTTP header as aeg-sas-token.
```text
SAS Token Header:
  aeg-sas-token: r=https%3A%2F%2Fmytopic...%2Fapi%2Fevents&e=1719820800&s=abcDEF...
```

Advantages over a raw access key:
- Expires automatically
- Scoped to a specific topic URL
- Does not expose the raw access key to the publisher
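The following is an added example, not code from the page or from Azure's SDK, showing how the key holder derives a SAS token for a publisher and what a verifier checks when that token is presented. The `r=…&e=…&s=…` layout and the HMAC-SHA256 keyed with the base64-decoded access key follow Event Grid's published SAS scheme; the ISO timestamp used for the `e=` field, the endpoint and the key are constructed assumptions (take the service's accepted expiry encoding from the Event Grid documentation or its SDK's `generate_sas` helper). The `validate_sas_token` side is what the service itself performs; it is included to show what the expiry and resource scoping buy over handing out the raw key, and why rotating the key invalidates tokens derived from it.

```python
import base64
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed sample values (not real credentials): a topic endpoint of the shape
# the page shows and a base64-encoded access key, as Event Grid issues them.
TOPIC_ENDPOINT = "https://myorders.eastus-1.eventgrid.azure.net/api/events"
ACCESS_KEY = base64.b64encode(b"constructed-sample-access-key-bytes").decode()

EXPIRY_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumption: ISO-style UTC timestamp for the e= field


def _unsigned_part(resource: str, expiry: datetime) -> str:
    # r = URL-encoded resource the token is valid for, e = URL-encoded UTC expiry.
    # Both are covered by the signature, so neither can be changed after issuance.
    encoded_resource = urllib.parse.quote(resource, safe="")
    encoded_expiry = urllib.parse.quote(expiry.strftime(EXPIRY_FORMAT), safe="")
    return f"r={encoded_resource}&e={encoded_expiry}"


def _sign(unsigned: str, access_key: str) -> str:
    # HMAC-SHA256 over the unsigned string, keyed with the base64-decoded access key.
    key_bytes = base64.b64decode(access_key)
    digest = hmac.new(key_bytes, unsigned.encode("ascii"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def generate_sas_token(resource: str, access_key: str, ttl: timedelta,
                       now: Optional[datetime] = None) -> str:
    """Issuer side: derive a short-lived token for one resource URL from the access key."""
    now = now or datetime.now(timezone.utc)
    unsigned = _unsigned_part(resource, now + ttl)
    signature = urllib.parse.quote(_sign(unsigned, access_key), safe="")
    return f"{unsigned}&s={signature}"


def validate_sas_token(token: str, expected_resource: str, access_key: str,
                       now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Verifier side (what the service does with a presented token): scope, expiry, signature."""
    now = now or datetime.now(timezone.utc)
    fields = dict(urllib.parse.parse_qsl(token, keep_blank_values=True))
    if set(fields) != {"r", "e", "s"}:
        return False, "malformed token"
    if fields["r"] != expected_resource:
        return False, "token scoped to a different resource"
    try:
        expiry = datetime.strptime(fields["e"], EXPIRY_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed expiry"
    if now >= expiry:
        return False, "token expired"
    # Recompute the MAC over the received r/e fields and compare in constant time.
    expected = _sign(_unsigned_part(fields["r"], expiry), access_key)
    if not hmac.compare_digest(expected, fields["s"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    """Issue one token and check it in the situations the page contrasts with a raw key."""
    issued_at = datetime(2024, 7, 1, 8, 0, 0, tzinfo=timezone.utc)
    token = generate_sas_token(TOPIC_ENDPOINT, ACCESS_KEY, timedelta(minutes=10), now=issued_at)
    soon = issued_at + timedelta(minutes=1)
    other_topic = "https://other.eastus-1.eventgrid.azure.net/api/events"
    # Editing the expiry forward without the key leaves the signature mismatched.
    tampered = token.replace("e=2024-07-01T08%3A10%3A00Z", "e=2024-07-01T09%3A10%3A00Z")
    rotated_key = base64.b64encode(b"constructed-key-after-rotation").decode()
    return {
        "token": token,
        "fresh": validate_sas_token(token, TOPIC_ENDPOINT, ACCESS_KEY, now=soon)[1],
        "expired": validate_sas_token(token, TOPIC_ENDPOINT, ACCESS_KEY,
                                      now=issued_at + timedelta(minutes=11))[1],
        "wrong_topic": validate_sas_token(token, other_topic, ACCESS_KEY, now=soon)[1],
        "tampered": validate_sas_token(tampered, TOPIC_ENDPOINT, ACCESS_KEY, now=soon)[1],
        "rotated_key": validate_sas_token(token, TOPIC_ENDPOINT, rotated_key, now=soon)[1],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Only the component that holds the access key (ideally reading it from Key Vault) runs `generate_sas_token`; the publisher receives just the token and sends it in `aeg-sas-token`. Keep the TTL short: a leaked token is only useful until `e=` passes, and only against the one URL in `r=`.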
Method 3: Azure Active Directory (Recommended)
Azure Active Directory (AAD) authentication is the most secure method. Publishers authenticate using an AAD identity (service principal or managed identity) and obtain a Bearer token. The token is included in the Authorization header.
```text
HTTP POST https://myorders.eastus-1.eventgrid.azure.net/api/events
Headers:
  Content-Type: application/json
  Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...
```

The publisher needs the RBAC role "EventGrid Data Sender" on the topic resource.
Comparison of Publishing Authentication Methods
| Method | Security Level | Best For | Rotation |
|---|---|---|---|
| Access Key | Basic | Quick testing and dev environments | Manual rotation needed |
| SAS Token | Medium | Short-lived publisher scenarios | Expires automatically |
| Azure AD (AAD) | High | Production workloads | Automatic via AAD token refresh |
Layer 2: Subscription Management Security (Azure RBAC)
Azure Role-Based Access Control (RBAC) governs who can create, read, update, and delete Event Grid topics and event subscriptions. RBAC roles are assigned at the subscription, resource group, or resource level.
Built-in Event Grid RBAC Roles
| Role | Permissions | Use Case |
|---|---|---|
| EventGrid Contributor | Full management of Event Grid resources | Event Grid administrators |
| EventGrid Data Sender | Publish events to topics | Applications that publish events |
| EventGrid EventSubscription Contributor | Create, update, delete event subscriptions | Developers managing subscriptions |
| EventGrid EventSubscription Reader | Read event subscriptions only | Read-only access for auditing |
Assigning an RBAC Role in Azure Portal
- Navigate to the Event Grid Topic or Resource Group in the Azure Portal
- Click Access control (IAM) in the left menu
- Click + Add and select Add role assignment
- Search for and select the desired Event Grid role
- Select the member (user, group, or service principal/managed identity)
- Click Review + Assign
Layer 3: Delivery Security
Event Grid delivers events to handlers over HTTPS. All delivery traffic is encrypted in transit using TLS. Additional security mechanisms control how Event Grid authenticates with handlers during delivery.
Webhook Delivery Security
When delivering to webhooks, Event Grid validates endpoint ownership through the subscription validation handshake. This confirms the webhook URL belongs to the intended recipient before sending real events.
Additional webhook security options:
- Azure AD authentication for webhooks: Event Grid can include an AAD Bearer token in the webhook delivery HTTP headers. The webhook server validates this token to confirm the request came from Event Grid.
- Allowed sender AAD app IDs: Webhooks can be configured to only accept delivery tokens from specific Azure AD application IDs.
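The following is an added example, not code from the page or from any Azure SDK, of a webhook handler that applies both options above: it refuses deliveries that do not carry a valid AAD bearer token for the expected audience from an allowed sender application ID, and it answers the subscription validation handshake by echoing `validationCode` back as `validationResponse`. The event type name and the handshake fields are Event Grid's real webhook contract; the audience, application IDs and event bodies are constructed, and the token verifier is a stand-in for a real JWT check (signature against AAD's signing keys, issuer, validity window), which is injected so the authorization logic can be exercised offline. The claim names `appid` (v1 tokens) and `azp` (v2 tokens) for the caller's application ID are an assumption stated in the code.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple

# Event type Event Grid sends during the subscription validation handshake.
VALIDATION_EVENT_TYPE = "Microsoft.EventGrid.SubscriptionValidationEvent"

# Constructed values for this example (not from the page):
TRUSTED_SENDER_APP_IDS = {"11111111-2222-3333-4444-555555555555"}  # allowed sender AAD app IDs
EXPECTED_AUDIENCE = "api://my-webhook"  # audience the delivery token must be issued for

# A token verifier takes the bearer token string and returns its claims only if the
# signature, issuer and validity window check out; otherwise it returns None.
TokenVerifier = Callable[[str], Optional[dict]]


def authorize_delivery(headers: Dict[str, str], verify_token: TokenVerifier) -> Tuple[bool, str]:
    """Accept the request only if it carries a valid AAD token from an allowed sender app."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):])
    if claims is None:
        return False, "token failed signature/issuer validation"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "token issued for a different audience"
    # Assumption: the caller's application ID is in `appid` (v1 tokens) or `azp` (v2 tokens).
    sender = claims.get("appid") or claims.get("azp")
    if sender not in TRUSTED_SENDER_APP_IDS:
        return False, f"sender app {sender!r} is not an allowed sender"
    return True, "ok"


def handle_request(headers: Dict[str, str], body: str, verify_token: TokenVerifier,
                   process_event: Callable[[dict], None]) -> Tuple[int, dict]:
    """Webhook entry point: returns (HTTP status, JSON response body)."""
    # Authorize before anything else; the handshake request carries the token too.
    ok, reason = authorize_delivery(headers, verify_token)
    if not ok:
        return 401, {"error": reason}
    events = json.loads(body)
    for event in events:
        if event.get("eventType") == VALIDATION_EVENT_TYPE:
            # Handshake: echo validationCode back so Event Grid can confirm this
            # endpoint is willing to receive the subscription's events.
            return 200, {"validationResponse": event["data"]["validationCode"]}
    for event in events:
        process_event(event)
    return 200, {}


# --- Constructed stand-ins used to exercise the handler offline --------------------

def _constructed_verifier(token: str) -> Optional[dict]:
    # Stand-in for real verification (a JWT library checking the RS256 signature
    # against AAD's published keys): maps constructed token strings to the claims a
    # successfully verified token would carry. Anything else is treated as invalid.
    known = {
        "good-token": {"aud": EXPECTED_AUDIENCE, "appid": "11111111-2222-3333-4444-555555555555"},
        "other-app-token": {"aud": EXPECTED_AUDIENCE, "appid": "99999999-8888-7777-6666-555555555555"},
    }
    return known.get(token)


VALIDATION_BODY = json.dumps([{  # constructed handshake event
    "id": "constructed-1", "eventType": VALIDATION_EVENT_TYPE, "subject": "",
    "data": {"validationCode": "constructed-code-123"},
    "eventTime": "2024-07-01T08:00:00Z", "dataVersion": "2",
}])
ORDER_BODY = json.dumps([{  # constructed application event
    "id": "constructed-2", "eventType": "Orders.OrderCreated", "subject": "orders/42",
    "data": {"orderId": 42}, "eventTime": "2024-07-01T08:00:05Z", "dataVersion": "1.0",
}])


def demo() -> dict:
    received: List[dict] = []
    good = {"Authorization": "Bearer good-token"}
    other = {"Authorization": "Bearer other-app-token"}
    forged = {"Authorization": "Bearer not-issued-by-aad"}
    results = {
        "handshake": handle_request(good, VALIDATION_BODY, _constructed_verifier, received.append),
        "delivery": handle_request(good, ORDER_BODY, _constructed_verifier, received.append),
        "wrong_app": handle_request(other, ORDER_BODY, _constructed_verifier, received.append),
        "no_token": handle_request({}, ORDER_BODY, _constructed_verifier, received.append),
        "forged": handle_request(forged, ORDER_BODY, _constructed_verifier, received.append),
    }
    results["processed"] = len(received)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Only the delivery from the trusted application reaches `process_event`; the handshake, the token from another application, the missing token and the unverifiable token are all answered without touching application logic. In a real deployment the injected verifier should also reject tokens whose `exp` has passed and whose `iss` is not your tenant's AAD issuer.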
Managed Identity for Event Delivery
Event Grid supports system-assigned and user-assigned managed identities for delivery to Azure services such as Service Bus, Event Hubs, and Storage Queues. A managed identity removes the need to store credentials in Event Grid configuration.
Setup Flow:
1. Enable managed identity on the Event Grid Topic (System-assigned: Azure creates it automatically)
2. Assign an RBAC role to the managed identity on the destination:
   - Service Bus: "Azure Service Bus Data Sender"
   - Event Hubs: "Azure Event Hubs Data Sender"
   - Storage Queue: "Storage Queue Data Message Sender"
3. Configure the event subscription to use the managed identity for authentication

Result: Event Grid presents the managed identity's token when delivering events. No keys or passwords are stored.
Managed Identity vs Connection String Delivery
| Aspect | Connection String | Managed Identity |
|---|---|---|
| Credential storage | Stored in Event Grid configuration | No credentials stored anywhere |
| Key rotation | Manual — must update Event Grid config | Automatic — managed by Azure AD |
| Security risk if config leaked | High — connection string gives access | None — no credentials to leak |
| Recommended for production | No | Yes |
Network Security – IP Filtering and Private Endpoints
IP Filtering
Custom Topics can be configured to accept publishing requests only from specific IP address ranges. All other requests are rejected with HTTP 403 Forbidden. This limits who can publish events to the topic at the network level.
```text
IP Filtering Example:
  Allowed IP ranges: 10.0.0.0/24, 203.0.113.50/32
  HTTP POST from 10.0.0.5     --> Accepted
  HTTP POST from 192.168.1.1  --> Rejected (HTTP 403)
```
Private Endpoints
Private Endpoints allow Event Grid topics to receive publishing requests through Azure Private Link. The topic endpoint is accessible only within a Virtual Network using a private IP address. All traffic stays within the Azure backbone network and never traverses the public internet.
```text
Without Private Endpoint:
  Publisher App --> Public Internet --> Event Grid Topic Endpoint (public IP)

With Private Endpoint:
  Publisher App (in VNet) --> Private Link --> Event Grid Topic (private IP in VNet)
  (No public internet exposure)
```
Event Domain Security
An Event Domain groups hundreds of related Custom Topics under a single endpoint. Each tenant or customer in a multi-tenant application gets their own topic within the domain. Domain-level access control allows assigning the EventGrid Data Sender role scoped to a single topic within the domain, so each tenant can only publish to their own topic.
Security Best Practices Summary
| Area | Best Practice |
|---|---|
| Publishing authentication | Use Azure AD managed identities, not access keys, in production |
| Key storage | Store access keys in Azure Key Vault, never in source code |
| Delivery authentication | Use managed identity for delivery to Service Bus, Event Hubs, Storage |
| Webhook security | Enable AAD token validation on webhook endpoints |
| Network security | Use IP filtering or Private Endpoints to restrict topic access |
| RBAC | Follow least privilege — assign minimum permissions needed |
| Monitoring | Enable Azure Monitor diagnostic logs to audit topic publishing and delivery |
Summary
Azure Event Grid provides security at every layer: AAD-based authentication for publishing, RBAC for management, managed identities for delivery, and network isolation through IP filtering and Private Endpoints. Applying all these layers together produces a hardened, production-ready Event Grid deployment.
