Document Details
Powershell Webhook Secure Delivery Microsoft Entra App
This page contains Windows bias
About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Detected Bias Types
powershell_heavy
windows_first
missing_linux_example
windows_tools
Summary
The documentation page exclusively provides a PowerShell script for configuring secure webhook delivery with Microsoft Entra Application in Azure Event Grid. All examples and instructions are tailored to PowerShell, which is traditionally a Windows-centric tool, and there are no equivalent Bash, CLI, or Linux-native examples or guidance. The use of PowerShell modules and cmdlets (e.g., Get-MgServicePrincipal, New-MgServicePrincipal) further reinforces the Windows bias, and there is no mention of how to perform these steps using cross-platform tools or on Linux/macOS environments.
Recommendations
- Provide equivalent examples using Azure CLI (az) and Microsoft Graph CLI or REST API, which are cross-platform and commonly used on Linux/macOS.
- Explicitly mention that PowerShell Core is available cross-platform, if PowerShell must be used, and provide installation instructions for Linux/macOS.
- Add Bash script examples or step-by-step instructions for Linux users.
- Include a section comparing the different approaches (PowerShell, CLI, REST API) and when to use each.
- Ensure screenshots and portal instructions are not Windows-specific, and clarify that the Azure Portal is web-based and OS-agnostic.
Create Pull Request
Scan History
| Date | Scan | Status | Result |
|---|---|---|---|
| 2026-01-14 00:00 | #250 | in_progress |
Biased
|
| 2026-01-13 00:00 | #246 | completed |
Biased
|
| 2026-01-11 00:00 | #240 | completed |
Biased
|
| 2026-01-10 00:00 | #237 | completed |
Biased
|
| 2026-01-09 00:34 | #234 | completed |
Biased
|
| 2026-01-08 00:53 | #231 | completed |
Biased
|
| 2026-01-06 18:15 | #225 | cancelled |
 Clean
|
| 2025-08-17 00:01 | #83 | cancelled |
Clean
|
| 2025-07-13 21:37 | #48 | completed |
Biased
|
Flagged Code Snippets
# NOTE: Before run this script ensure you are logged in Azure by using "az login" command.
$eventGridAppId = "[REPLACE_WITH_EVENT_GRID_APP_ID]"
$webhookAppObjectId = "[REPLACE_WITH_YOUR_ID]"
$eventSubscriptionWriterAppId = "[REPLACE_WITH_YOUR_ID]"
# Start execution
try {
# Creates an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
$appRole = New-Object Microsoft.Graph.PowerShell.Models.MicrosoftGraphAppRole
$appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
$appRole.AllowedMemberTypes += "Application";
$appRole.AllowedMemberTypes += "User";
$appRole.DisplayName = $Name
$appRole.Id = New-Guid
$appRole.IsEnabled = $true
$appRole.Description = $Description
$appRole.Value = $Name;
return $appRole
}
# Creates Azure Event Grid Microsoft Entra Application if not exists
# You don't need to modify this id
# But Azure Event Grid Entra Application Id is different for different clouds
$eventGridSP = Get-MgServicePrincipal -Filter ("appId eq '" + $eventGridAppId + "'")
if ($eventGridSP.DisplayName -match "Microsoft.EventGrid")
{
Write-Host "The Event Grid Microsoft Entra Application is already defined.`n"
} else {
Write-Host "Creating the Azure Event Grid Microsoft Entra Application"
$eventGridSP = New-MgServicePrincipal -AppId $eventGridAppId
}
# Creates the Azure app role for the webhook Microsoft Entra application
$eventGridRoleName = "AzureEventGridSecureWebhookSubscriber" # You don't need to modify this role name
$app = Get-MgApplication -ApplicationId $webhookAppObjectId
$appRoles = $app.AppRoles
Write-Host "Microsoft Entra App roles before addition of the new role..."
Write-Host $appRoles.DisplayName
if ($appRoles.DisplayName -match $eventGridRoleName)
{
Write-Host "The Azure Event Grid role is already defined.`n"
} else {
Write-Host "Creating the Azure Event Grid role in Microsoft Entra Application: " $webhookAppObjectId
$newRole = CreateAppRole -Name $eventGridRoleName -Description "Azure Event Grid Role"
$appRoles += $newRole
Update-MgApplication -ApplicationId $webhookAppObjectId -AppRoles $appRoles
}
Write-Host "Microsoft Entra App roles after addition of the new role..."
Write-Host $appRoles.DisplayName
# Creates the user role assignment for the app that will create event subscription
$servicePrincipal = Get-MgServicePrincipal -Filter ("appId eq '" + $app.AppId + "'")
$eventSubscriptionWriterSP = Get-MgServicePrincipal -Filter ("appId eq '" + $eventSubscriptionWriterAppId + "'")
if ($null -eq $eventSubscriptionWriterSP)
{
Write-Host "Create new Microsoft Entra Application"
$eventSubscriptionWriterSP = New-MgServicePrincipal -AppId $eventSubscriptionWriterAppId
}
try
{
Write-Host "Creating the Microsoft Entra Application role assignment: " $eventSubscriptionWriterAppId
$eventGridAppRole = $app.AppRoles | Where-Object -Property "DisplayName" -eq -Value $eventGridRoleName
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $eventSubscriptionWriterSP.Id -PrincipalId $eventSubscriptionWriterSP.Id -ResourceId $servicePrincipal.Id -AppRoleId $eventGridAppRole.Id
}
catch
{
if( $_.Exception.Message -like '*Permission being assigned already exists on the object*')
{
Write-Host "The Microsoft Entra Application role is already defined.`n"
}
else
{
Write-Error $_.Exception.Message
}
Break
}
# Creates the service app role assignment for Event Grid Microsoft Entra Application
$eventGridAppRole = $app.AppRoles | Where-Object -Property "DisplayName" -eq -Value $eventGridRoleName
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $eventGridSP.Id -PrincipalId $eventGridSP.Id -ResourceId $servicePrincipal.Id -AppRoleId $eventGridAppRole.Id
# Print output references for backup
Write-Host ">> Webhook's Microsoft Entra Application Id: $($app.AppId)"
Write-Host ">> Webhook's Microsoft Entra Application ObjectId Id: $($app.ObjectId)"
}
catch {
Write-Host ">> Exception:"
Write-Host $_
Write-Host ">> StackTrace:"
Write-Host $_.ScriptStackTrace
}