Share via

Exchange setup in connection event_grid - storage account queue

Janczewski, Michal 20 Reputation points
2026-01-22T14:36:36.63+00:00

Hi all,

I have a question, currently we have setup where we have Azure event grid topic, where we have event grid subscriptions created (3 subscriptions) which are sending messages to the queues created on storage account. Currently this setup is working because of exception in storage account "Allow Trusted Microsoft Services to access this resource". We want to change this setup because of security. So how can I replace this setting (untick mentioned exception above) to have this setup working. Any help is appreciated.

Thanks in advance,

Michal

Azure Event Grid
Azure Event Grid

An Azure event routing service designed for high availability, consistent performance, and dynamic scale.

0 comments
Answer accepted by question author
  1. Pravallika KV 12,730 Reputation points Microsoft External Staff Moderator
    2026-01-23T01:41:11.0066667+00:00

    Hi @Janczewski, Michal ,

    Thanks for reaching out to Microsoft Q&A.

    Here’s how you can enhance the security of your Azure storage setup by removing the "Allow Trusted Microsoft Services to access this resource" checkbox.

    1. Instead of allowing all Microsoft services unrestricted access, configure a managed identity for your Event Grid. This identity will authenticate with your Storage Account securely without compromising security.
    2. Set up an access policy in your Storage Account that allows your Event Grid's system-assigned managed identity to have the necessary permissions (like Read, Write) on the specific queues.
    3. If your Storage Account has firewall rules, ensure that the managed identity can access the account by adding the necessary permissions for its service endpoint.
    4. Once you have configured the managed identity and permissions properly and confirmed that everything is functioning, you can safely disable the "Allow Trusted Microsoft Services to access this resource" option.
    5. Finally, monitor your Event Grid subscriptions to ensure events are being successfully sent to the Storage Queues.

    Reference Actions:

    • Go to your Storage Account in the Azure portal.
    • Navigate to the "Access Control (IAM)" section and add a role assignment for your Event Grid's managed identity.
    • Review the "Networking" tab to manage firewall and virtual network settings.

    This setup should allow you to maintain the necessary integration without relying on broader permissions that could introduce security risks.

    Hope this helps! If you have any further questions or need more assistance, feel free to ask!

    References:

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-01-22T14:37:18.43+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    To maintain the functionality of your Azure Event Grid setup while enhancing security by disabling the "Allow Trusted Microsoft Services to access this resource" setting, you can implement managed identities for your Event Grid subscriptions. Here are the steps you can follow:

    1. Assign a Managed Identity: Enable a system-assigned managed identity for the Event Grid system topic associated with your storage account. This allows the Event Grid to authenticate securely without relying on the trusted services exception.
    2. Grant Permissions: Assign the managed identity the necessary permissions. Specifically, you will need to grant it the Azure Event Hubs Data Sender role on the event hub that your subscriptions are using. This ensures that the managed identity has the rights to send messages to the queues in your storage account.
    3. Update Event Grid Subscription: Ensure that your Event Grid subscriptions are configured to use the managed identity for event delivery. This can be done by creating or updating the subscriptions to specify the managed identity.

    By following these steps, you can untick the exception setting while still allowing your Event Grid subscriptions to function correctly with the storage account queues. This approach enhances security by eliminating reliance on the broad access granted to trusted Microsoft services.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.