Document Details

Powershell Webhook Secure Delivery Microsoft Entra App
Home / Scan 48 / Powershell Webhook Secure Delivery Microsoft Entra App
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Bias Types:
⚠️ powershell_heavy
⚠️ windows_first
⚠️ missing_linux_example
⚠️ windows_tools
Summary:
The documentation page exclusively provides a PowerShell script for configuring secure webhook delivery with Microsoft Entra Application in Azure Event Grid. All examples and instructions are tailored to PowerShell, which is traditionally a Windows-centric tool, and there are no equivalent Bash, CLI, or Linux-native examples or guidance. The use of PowerShell modules and cmdlets (e.g., Get-MgServicePrincipal, New-MgServicePrincipal) further reinforces the Windows bias, and there is no mention of how to perform these steps using cross-platform tools or on Linux/macOS environments.
Recommendations:
  • Provide equivalent examples using Azure CLI (az) and Microsoft Graph CLI or REST API, which are cross-platform and commonly used on Linux/macOS.
  • Explicitly mention that PowerShell Core is available cross-platform, if PowerShell must be used, and provide installation instructions for Linux/macOS.
  • Add Bash script examples or step-by-step instructions for Linux users.
  • Include a section comparing the different approaches (PowerShell, CLI, REST API) and when to use each.
  • Ensure screenshots and portal instructions are not Windows-specific, and clarify that the Azure Portal is web-based and OS-agnostic.
GitHub Create pull request

Scan History

Date Scan ID Status Bias Status
2025-08-17 00:01 #83 in_progress ✅ Clean
2025-07-13 21:37 #48 completed ❌ Biased

Flagged Code Snippets

# NOTE: Before run this script ensure you are logged in Azure by using "az login" command. $eventGridAppId = "[REPLACE_WITH_EVENT_GRID_APP_ID]" $webhookAppObjectId = "[REPLACE_WITH_YOUR_ID]" $eventSubscriptionWriterAppId = "[REPLACE_WITH_YOUR_ID]" # Start execution try { # Creates an application role of given name and description Function CreateAppRole([string] $Name, [string] $Description) { $appRole = New-Object Microsoft.Graph.PowerShell.Models.MicrosoftGraphAppRole $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string] $appRole.AllowedMemberTypes += "Application"; $appRole.AllowedMemberTypes += "User"; $appRole.DisplayName = $Name $appRole.Id = New-Guid $appRole.IsEnabled = $true $appRole.Description = $Description $appRole.Value = $Name; return $appRole } # Creates Azure Event Grid Microsoft Entra Application if not exists # You don't need to modify this id # But Azure Event Grid Entra Application Id is different for different clouds $eventGridSP = Get-MgServicePrincipal -Filter ("appId eq '" + $eventGridAppId + "'") if ($eventGridSP.DisplayName -match "Microsoft.EventGrid") { Write-Host "The Event Grid Microsoft Entra Application is already defined.`n" } else { Write-Host "Creating the Azure Event Grid Microsoft Entra Application" $eventGridSP = New-MgServicePrincipal -AppId $eventGridAppId } # Creates the Azure app role for the webhook Microsoft Entra application $eventGridRoleName = "AzureEventGridSecureWebhookSubscriber" # You don't need to modify this role name $app = Get-MgApplication -ApplicationId $webhookAppObjectId $appRoles = $app.AppRoles Write-Host "Microsoft Entra App roles before addition of the new role..." Write-Host $appRoles.DisplayName if ($appRoles.DisplayName -match $eventGridRoleName) { Write-Host "The Azure Event Grid role is already defined.`n" } else { Write-Host "Creating the Azure Event Grid role in Microsoft Entra Application: " $webhookAppObjectId $newRole = CreateAppRole -Name $eventGridRoleName -Description "Azure Event Grid Role" $appRoles += $newRole Update-MgApplication -ApplicationId $webhookAppObjectId -AppRoles $appRoles } Write-Host "Microsoft Entra App roles after addition of the new role..." Write-Host $appRoles.DisplayName # Creates the user role assignment for the app that will create event subscription $servicePrincipal = Get-MgServicePrincipal -Filter ("appId eq '" + $app.AppId + "'") $eventSubscriptionWriterSP = Get-MgServicePrincipal -Filter ("appId eq '" + $eventSubscriptionWriterAppId + "'") if ($null -eq $eventSubscriptionWriterSP) { Write-Host "Create new Microsoft Entra Application" $eventSubscriptionWriterSP = New-MgServicePrincipal -AppId $eventSubscriptionWriterAppId } try { Write-Host "Creating the Microsoft Entra Application role assignment: " $eventSubscriptionWriterAppId $eventGridAppRole = $app.AppRoles | Where-Object -Property "DisplayName" -eq -Value $eventGridRoleName New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $eventSubscriptionWriterSP.Id -PrincipalId $eventSubscriptionWriterSP.Id -ResourceId $servicePrincipal.Id -AppRoleId $eventGridAppRole.Id } catch { if( $_.Exception.Message -like '*Permission being assigned already exists on the object*') { Write-Host "The Microsoft Entra Application role is already defined.`n" } else { Write-Error $_.Exception.Message } Break } # Creates the service app role assignment for Event Grid Microsoft Entra Application $eventGridAppRole = $app.AppRoles | Where-Object -Property "DisplayName" -eq -Value $eventGridRoleName New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $eventGridSP.Id -PrincipalId $eventGridSP.Id -ResourceId $servicePrincipal.Id -AppRoleId $eventGridAppRole.Id # Print output references for backup Write-Host ">> Webhook's Microsoft Entra Application Id: $($app.AppId)" Write-Host ">> Webhook's Microsoft Entra Application ObjectId Id: $($app.ObjectId)" } catch { Write-Host ">> Exception:" Write-Host $_ Write-Host ">> StackTrace:" Write-Host $_.ScriptStackTrace }