Azure Event Grid
An Azure event routing service designed for high availability, consistent performance, and dynamic scale.
439 questions
How to set Bearer token authentication between system topic and B2 service with Event as webhook
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 94%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELH%3C/text%3E%3C/svg%3E)
Liangjun Hu
20
Reputation points Microsoft Employee
I want to set the push delivery mode by using system grid, the flow will be like: event hub ->system topic->webhook, so when new data ingested into eventhub, it will be pushed to the webhook directly. I will set microsoft B2 service as the webhook endpoint. I already created an enterprise application, and enabled microsoft identity auth when create the system topic, but the token received by the B2 service only contain basic info like below, so the question is:
- How to set the token with the right permission like, mail.ReadWrite?
I already set the api permission with it, but not working
The fficial doc I followed: https://learn.microsoft.com/en-us/azure/event-grid/security-authentication#authenticate-event-delivery-to-webhook-endpoints
https://learn.microsoft.com/en-us/azure/event-grid/secure-webhook-delivery#deliver-events-to-a-webhook-in-a-different-azure-ad-tenant
Azure Event Grid
{count} votes
-
Vinodh247 32,531 Reputation points MVP2025-04-01T05:02:19.09+00:00 Hi ,
Thanks for reaching out to Microsoft Q&A.
Thanks for the detailed context and the screenshot. You are essentially trying to secure webhook delivery from Azure Event Grid System Topic to a Microsoft B2 service using Bearer token (OAuth 2.0), but the access token only contains default/basic claims and does not include delegated/scoped permissions like
Mail.ReadWrite, despite configuring API permissions.Here is a breakdown of the issue and what you need to do:
What is happening?
The token being sent is a client credentials token (
client_credentialsflow), used for app-to-app authentication which only gives app roles (application permissions) and does not support delegated permissions likeMail.ReadWrite(which requires user context).This is evident from the token structure you posted (no
scp, onlyrolesorazp,oidetc.), meaning it is app-only.
Why
Mail.ReadWriteis missingMail.ReadWriteis a delegated permission — it requires a signed-in user.When Event Grid delivers events, it uses Managed Identity or App Registration in client credentials flow — user context is not involved, so delegated permissions are ignored.
Even if you grant delegated permissions like
Mail.ReadWritein Azure AD, they will not appear in access tokens unless the user logs in and consents.
Solution Path
If your B2 service (webhook) needs delegated permissions like
Mail.ReadWrite, you must redesign the flow. You have two possible options:
Option 1: Use Application Permissions Instead
Grant
Mail.ReadWriteapplication permission (not delegated) to the app registration used by Event Grid.Consent it (admin consent required).
In the webhook, accept application token and ensure it uses Microsoft Graph API with app permissions.
Note:
Mail.ReadWriteapplication permission can only be used for shared mailboxes or service accounts — not per-user mailboxes unless granted tenant-wide.
Option 2: Proxy Pattern with User Delegation
- Create a middle tier API (proxy webhook) between Event Grid and B2 service.
The proxy authenticates with delegated permissions (via user login or refresh token) and calls the B2 service with
Mail.ReadWriteon behalf of a user.Event Grid sends the event to the proxy. Proxy does the user-authenticated action.
🔒 Bonus: Secure System Topic Token Setup (for webhook delivery)
- In the System Topic, configure AAD authentication with either: Managed Identity (preferred) or App Registration In the webhook/B2 API:
Validate the token by verifying `aud`, `iss`, `appid`, etc. Optionally validate roles or appid for authorization.
This will give you a valid access token with app identity, but no delegated scopes.
- Event Grid delivers using app identity, not a user.
Delegated scopes like
Mail.ReadWriteare ignored unless a user is involved.- Use application permissions instead, or redesign with a proxy that can handle delegated flows.
Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 22%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESE%3C/text%3E%3C/svg%3E)
Shireesha Eeraboina 2,815 Reputation points Microsoft External Staff2025-04-03T05:15:36.18+00:00 Hello Liangjun Hu,
Just checking in to see if the above information provided by @Vinodh247 helped.
if you have any further query do let us know.
-
Shireesha Eeraboina 2,815 Reputation points Microsoft External Staff
2025-04-04T04:17:00.9666667+00:00 Hello Liangjun Hu,
Just checking in to see if the information below was helpful. If you have any further updates on this issue, please feel free to post them here.
-
Liangjun Hu 20 Reputation points Microsoft Employee
2025-04-07T04:33:29.42+00:00 Thanks for the answer, I have not taken a deep look of the answer below yet.
-
Shireesha Eeraboina 2,815 Reputation points Microsoft External Staff
2025-04-09T03:45:07.65+00:00 Hello Liangjun Hu,
Can you please confirm are you still facing the issue?
-
Shireesha Eeraboina 2,815 Reputation points Microsoft External Staff
2025-04-10T05:15:41.8933333+00:00 Hello Liangjun Hu,
Following up to see if you had a chance to review the above response. If you have any further updates on this issue, please feel free to post them here.
-
Liangjun Hu 20 Reputation points Microsoft Employee
2025-04-10T05:33:30.0833333+00:00 Yes, I used the test subscription and follow the solution 1, but it still no permission from the token.
-
Shireesha Eeraboina 2,815 Reputation points Microsoft External Staff
2025-04-11T05:12:20.4466667+00:00 Hi Liangjun Hu,
Thanks for the detailed explanation. You’ve already set the right API permissions (like
Mail.ReadWrite), but the issue is that Event Grid system topics use a managed identity to authenticate, not a service principal with custom permissions.Even though you've added the correct API permissions like
Mail.ReadWrite, these need to be explicitly assigned to the managed identity of the system topic.To resolve this, go to Azure Active Directory > Enterprise applications, locate the system topic’s managed identity, and add the required Microsoft Graph API permissions.
Then make sure to grant admin consent for those permissions. This will ensure the token sent to your B2 service includes the proper access rights.
For your reference, please review the following documentations for further clarification:
I hope this helps! Let me know if you have any further questions or need additional assistance.
-
Shireesha Eeraboina 2,815 Reputation points Microsoft External Staff
2025-04-14T04:51:34.9+00:00 Hello Liangjun Hu,
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
-
Shireesha Eeraboina 2,815 Reputation points Microsoft External Staff
2025-04-16T06:40:18.94+00:00 Hi Liangjun Hu,
I apologize for the delay in my response and thank you for your understanding.
Thank you for the update during the offline discussion. I understand your confusion.
The reason you can’t add Mail.ReadWrite permission to the system topic is because managed identities (like the one used by system topics) don’t support adding Microsoft Graph API permissions directly.
What you can do:
To get a token with
Mail.ReadWrite, you need to:- Use a separate App Registration (not the system topic identity).
- Assign Mail.ReadWrite (Application permission) to it.
- Use that app in a proxy/middleware service (like Azure Function or API App) between Event Grid and your B2 service (Event Grid → Proxy App (with right token) → B2 service).
This way, the proxy gets the correct token and permissions, and Event Grid sends events securely.
To help you better understand, kindly refer to the documentation below :
Secure webhook delivery in Event Grid
I hope this addresses your query. Please let me know if you need any further assistance or clarification.
-
Liangjun Hu 20 Reputation points Microsoft Employee
2025-04-16T06:53:00.2466667+00:00 Hi @Shireesha Eeraboina thanks for the info, so it means the only way is to use the proxy service to make the token with graph permission. But I still have another question: can I use a customized permission to make the request token with permission in it?
-
Shireesha Eeraboina 2,815 Reputation points Microsoft External Staff
2025-04-17T06:05:06.23+00:00 Hello Liangjun Hu,
Yes, you can use custom permissions, but only if you’re calling your own API, not Microsoft Graph.
To do this:
- You’ll need to expose an API through your App Registration.
- Define your custom scopes/permissions there.
Then, another app (or service) can request tokens with those custom permissions.
But just to clarify — custom permissions won't work with Microsoft Graph. For Graph permissions like
Mail.ReadWrite, you'll still need to use the proxy service with an App Registration that has the proper Graph API permissions.I hope this addresses your query. Please let me know if you need any further assistance or clarification.
-
Liangjun Hu 20 Reputation points Microsoft Employee
2025-04-23T15:03:58.43+00:00 Since I want the application level permission within the request token, so I used the App roles for aad app, but it still can't generate token with permission from the aad app
Sign in to comment
Sign in to answer