Azure defender for cloud malware scanning event grid topic with private endpoint doesn't work


I would like to trigger an Azure function when Defender for Storage has completed a malware scan for a file. I have successfully achieved this using a custom Event Grid topic. However, the issue arises when attempting to utilize a private endpoint connection.


Upon trying to add a private endpoint, I encountered the following error message:

Publishing to XXXX-MALWARE-SCANNED.WESTEUROPE-1.EVENTGRID.AZURE.NET by client 192.168.1.100 is rejected due to IpAddress filtering rules. For troubleshooting, visit https://aka.ms/egpublisherrorcode403.

The provided link suggests adding the IP address (192.168.1.100) to the address range field. However, upon adding it (with public networks selected), another error occurred:

The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroupName/providers/Microsoft.EventGrid/topics/xxxx-malware-scanned.

I am not well-versed in private endpoints. How should it be configured for this purpose? Alternatively, if I can configure IP restriction, how can it be done? The error message for it ("The principal associated with...") is unclear to me.

How can I either enable a private endpoint or IP restriction for this purpose?

SiddheshDesai On

The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/xxxxxxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroupName/providers/Microsoft.EventGrid/topics/xxxx-malware-scanned.

In order to resolve this error, make sure you assign the Function App managed identity the Event Grid Data Sender role (or a custom role) at the Event Grid topic level, like below:-

Enable Function App managed identity:-


Assign the Function App managed identity the EventGrid Data Sender role:-


If the EventGrid Data Sender role does not work, make sure you create a Custom Role to send data to the EventGrid Topic at the data plane operation level by referring to this SO answer by Gaurav Mantri.

If you are using an Azure AD service principal or user principal to send data to the EventGrid Topic, make sure you add the EventGrid Data Sender role to that principal.

Also, enable the SAS authentication for your storage account while creating the Topics:-


References:-

Event delivery, managed service identity, and private link - Azure Event Grid | Microsoft Learn

Authenticate Event Grid publishing clients using Microsoft Entra ID - Azure Event Grid | Microsoft Learn
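The same setup expressed as a Bicep template, added here as an illustration rather than code from the answer above: a topic with public network access disabled, a private endpoint for it, and the EventGrid Data Sender role assigned to the Function App's system-assigned identity at topic scope. It assumes an existing Function App that already has a system-assigned identity, a subnet id for the private endpoint, and the built-in EventGrid Data Sender role definition id.

```bicep
param location string = resourceGroup().location
param topicName string = 'xxxx-malware-scanned' // topic name as in the question
param functionAppName string                    // assumption: existing Function App
param subnetId string                           // assumption: subnet for the private endpoint

// Built-in role id for "EventGrid Data Sender" (data-plane publish permission)
var dataSenderRoleId = 'd5a91429-5739-47e2-a06b-3470a27159e7'

// Existing Function App; its system-assigned identity is the principal we grant
resource func 'Microsoft.Web/sites@2022-09-01' existing = {
  name: functionAppName
}

// Custom topic: public access off, so the "IpAddress filtering rules" path is
// never used; publishers must come in over the private endpoint below.
// (Alternative: keep publicNetworkAccess 'Enabled' and list inboundIpRules.)
resource topic 'Microsoft.EventGrid/topics@2022-06-15' = {
  name: topicName
  location: location
  properties: {
    publicNetworkAccess: 'Disabled'
  }
}

// Private endpoint to the topic; groupId 'topic' selects the publishing sub-resource
resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: '${topicName}-pe'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      {
        name: '${topicName}-plsc'
        properties: {
          privateLinkServiceId: topic.id
          groupIds: [ 'topic' ]
        }
      }
    ]
  }
}

// Role assignment scoped to the topic only (least privilege): this is what
// clears "The principal associated with access token ... does not have permission"
resource sendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(topic.id, func.id, dataSenderRoleId)
  scope: topic
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', dataSenderRoleId)
    principalId: func.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

After deployment, the private endpoint still needs a DNS record (privatelink.eventgrid.azure.net zone or equivalent) so that clients inside the VNet resolve the topic hostname to the private IP; without it, traffic keeps going to the public endpoint and is rejected.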