Proposed Pull Request Change

📄 Document Links

View on GitHub View on Microsoft Learn

--- title: Azure subscription as Event Grid source description: Describes the properties that are provided for subscription events with Azure Event Grid ms.topic: reference ms.date: 12/02/2022 --- # Azure subscription as an Event Grid source This article provides the properties and schema for Azure subscription events. For an introduction to event schemas, see [Azure Event Grid event schema](event-schema.md). Azure subscriptions and resource groups emit the same event types. The event types are related to resource changes or actions. The primary difference is that resource groups emit events for resources within the resource group, and Azure subscriptions emit events for resources across the subscription. Resource events are created for PUT, PATCH, POST, and DELETE operations that are sent to `management.azure.com`. GET operations don't create events. Operations sent to the data plane (like `myaccount.blob.core.windows.net`) don't create events. The action events provide event data for operations like listing the keys for a resource. When you subscribe to events for an Azure subscription, your endpoint receives all events for that subscription. The events can include event you want to see, such as updating a virtual machine, but also events that aren't important to you, such as writing a new entry in the deployment history. You can receive all events at your endpoint and write code that processes the events you want to handle. Or, you can set a filter when creating the event subscription. To programmatically handle events, you can sort events by looking at the `operationName` value. For example, your event endpoint might only process events for operations that are equal to `Microsoft.Compute/virtualMachines/write` or `Microsoft.Storage/storageAccounts/write`. The event subject is the resource ID of the resource that is the target of the operation. To filter events for a resource, provide that resource ID when creating the event subscription. To filter by a resource type, use a value in following format: `/subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.Compute/virtualMachines` ## Available event types Azure subscriptions emit management events from Azure Resource Manager, such as when a VM is created or a storage account is deleted. | Event type | Description | | ---------- | ----------- | | Microsoft.Resources.ResourceActionCancel | Raised when action on resource is canceled. | | Microsoft.Resources.ResourceActionFailure | Raised when action on resource fails. | | Microsoft.Resources.ResourceActionSuccess | Raised when action on resource succeeds. | | Microsoft.Resources.ResourceDeleteCancel | Raised when delete operation is canceled. This event happens when a template deployment is canceled. | | Microsoft.Resources.ResourceDeleteFailure | Raised when delete operation fails. | | Microsoft.Resources.ResourceDeleteSuccess | Raised when delete operation succeeds. | | Microsoft.Resources.ResourceWriteCancel | Raised when create or update operation is canceled. | | Microsoft.Resources.ResourceWriteFailure | Raised when create or update operation fails. | | Microsoft.Resources.ResourceWriteSuccess | Raised when create or update operation succeeds. | ## Example event # [Cloud event schema](#tab/cloud-event-schema) The following example shows the schema for a **ResourceWriteSuccess** event. The same schema is used for **ResourceWriteFailure** and **ResourceWriteCancel** events with different values for `eventType`. ```json [{ "subject": "/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}", "topic": "/subscriptions/{subscription-id}", "type": "Microsoft.Resources.ResourceWriteSuccess", "time": "2018-07-19T18:38:04.6117357Z", "id": "4db48cba-50a2-455a-93b4-de41a3b5b7f6", "data": { "authorization": { "scope": "/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}", "action": "Microsoft.Storage/storageAccounts/write", "evidence": { "role": "Subscription Admin" } }, "claims": { "aud": "{audience-claim}", "iss": "{issuer-claim}", "iat": "{issued-at-claim}", "nbf": "{not-before-claim}", "exp": "{expiration-claim}", "_claim_names": "{\"groups\":\"src1\"}", "_claim_sources": "{\"src1\":{\"endpoint\":\"{URI}\"}}", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "{token}", "http://schemas.microsoft.com/claims/authnmethodsreferences": "rsa,mfa", "appid": "{ID}", "appidacr": "2", "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier": "{ID}", "e_exp": "{expiration}", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "{last-name}", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "{first-name}", "ipaddr": "{IP-address}", "name": "{full-name}", "http://schemas.microsoft.com/identity/claims/objectidentifier": "{ID}", "onprem_sid": "{ID}", "puid": "{ID}", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "{ID}", "http://schemas.microsoft.com/identity/claims/tenantid": "{ID}", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "{user-name}", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "{user-name}", "uti": "{ID}", "ver": "1.0" }, "correlationId": "{ID}", "resourceProvider": "Microsoft.Storage", "resourceUri": "/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}", "operationName": "Microsoft.Storage/storageAccounts/write", "status": "Succeeded", "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" }, "specversion": "`1.0" }] ``` The following example shows the schema for a **ResourceDeleteSuccess** event. The same schema is used for **ResourceDeleteFailure** and **ResourceDeleteCancel** events with different values for `eventType`. ```json [{ "subject": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}", "source": "/subscriptions/{subscription-id}", "type": "Microsoft.Resources.ResourceDeleteSuccess", "time": "2018-07-19T19:24:12.763881Z", "id": "19a69642-1aad-4a96-a5ab-8d05494513ce", "data": { "authorization": { "scope": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}", "action": "Microsoft.Storage/storageAccounts/delete", "evidence": { "role": "Subscription Admin" } }, "claims": { "aud": "{audience-claim}", "iss": "{issuer-claim}", "iat": "{issued-at-claim}", "nbf": "{not-before-claim}", "exp": "{expiration-claim}", "_claim_names": "{\"groups\":\"src1\"}", "_claim_sources": "{\"src1\":{\"endpoint\":\"{URI}\"}}", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "{token}", "http://schemas.microsoft.com/claims/authnmethodsreferences": "rsa,mfa", "appid": "{ID}", "appidacr": "2", "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier": "{ID}", "e_exp": "262800", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "{last-name}", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "{first-name}", "ipaddr": "{IP-address}", "name": "{full-name}", "http://schemas.microsoft.com/identity/claims/objectidentifier": "{ID}", "onprem_sid": "{ID}", "puid": "{ID}", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "{ID}", "http://schemas.microsoft.com/identity/claims/tenantid": "{ID}", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "{user-name}", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "{user-name}", "uti": "{ID}", "ver": "1.0" }, "correlationId": "{ID}", "httpRequest": { "clientRequestId": "{ID}", "clientIpAddress": "{IP-address}", "method": "DELETE", "url": "https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}?api-version=2018-02-01" }, "resourceProvider": "Microsoft.Storage", "resourceUri": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}", "operationName": "Microsoft.Storage/storageAccounts/delete", "status": "Succeeded", "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" }, "specversion": "1.0" }] ``` The following example shows the schema for a **ResourceActionSuccess** event. The same schema is used for **ResourceActionFailure** and **ResourceActionCancel** events with different values for `eventType`. ```json [{ "subject": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey", "source": "/subscriptions/{subscription-id}", "type": "Microsoft.Resources.ResourceActionSuccess", "time": "2018-10-08T22:46:22.6022559Z", "id": "{ID}", "data": { "authorization": { "scope": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey", "action": "Microsoft.EventHub/namespaces/AuthorizationRules/listKeys/action", "evidence": { "role": "Contributor", "roleAssignmentScope": "/subscriptions/{subscription-id}", "roleAssignmentId": "{ID}", "roleDefinitionId": "{ID}", "principalId": "{ID}", "principalType": "ServicePrincipal" } }, "claims": { "aud": "{audience-claim}", "iss": "{issuer-claim}", "iat": "{issued-at-claim}", "nbf": "{not-before-claim}", "exp": "{expiration-claim}", "aio": "{token}", "appid": "{ID}", "appidacr": "2", "http://schemas.microsoft.com/identity/claims/identityprovider": "{URL}", "http://schemas.microsoft.com/identity/claims/objectidentifier": "{ID}", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "{ID}", "http://schemas.microsoft.com/identity/claims/tenantid": "{ID}", "uti": "{ID}", "ver": "1.0" }, "correlationId": "{ID}", "httpRequest": { "clientRequestId": "{ID}", "clientIpAddress": "{IP-address}", "method": "POST", "url": "https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey/listKeys?api-version=2017-04-01" }, "resourceProvider": "Microsoft.EventHub", "resourceUri": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey", "operationName": "Microsoft.EventHub/namespaces/AuthorizationRules/listKeys/action", "status": "Succeeded", "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" }, "specversion": "1.0" }] ``` # [Event Grid event schema](#tab/event-grid-event-schema) The following example shows the schema for a **ResourceWriteSuccess** event. The same schema is used for **ResourceWriteFailure** and **ResourceWriteCancel** events with different values for `eventType`. ```json [{ "subject": "/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}", "eventType": "Microsoft.Resources.ResourceWriteSuccess", "eventTime": "2018-07-19T18:38:04.6117357Z", "id": "4db48cba-50a2-455a-93b4-de41a3b5b7f6", "data": { "authorization": { "scope": "/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}", "action": "Microsoft.Storage/storageAccounts/write", "evidence": { "role": "Subscription Admin" } }, "claims": { "aud": "{audience-claim}", "iss": "{issuer-claim}", "iat": "{issued-at-claim}", "nbf": "{not-before-claim}", "exp": "{expiration-claim}", "_claim_names": "{\"groups\":\"src1\"}", "_claim_sources": "{\"src1\":{\"endpoint\":\"{URI}\"}}", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "{token}", "http://schemas.microsoft.com/claims/authnmethodsreferences": "rsa,mfa", "appid": "{ID}", "appidacr": "2", "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier": "{ID}", "e_exp": "{expiration}", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "{last-name}", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "{first-name}", "ipaddr": "{IP-address}", "name": "{full-name}", "http://schemas.microsoft.com/identity/claims/objectidentifier": "{ID}", "onprem_sid": "{ID}", "puid": "{ID}", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "{ID}", "http://schemas.microsoft.com/identity/claims/tenantid": "{ID}", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "{user-name}", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "{user-name}", "uti": "{ID}", "ver": "1.0" }, "correlationId": "{ID}", "resourceProvider": "Microsoft.Storage", "resourceUri": "/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}", "operationName": "Microsoft.Storage/storageAccounts/write", "status": "Succeeded", "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" }, "dataVersion": "2", "metadataVersion": "1", "topic": "/subscriptions/{subscription-id}" }] ``` The following example shows the schema for a **ResourceDeleteSuccess** event. The same schema is used for **ResourceDeleteFailure** and **ResourceDeleteCancel** events with different values for `eventType`. ```json [{ "subject": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}", "eventType": "Microsoft.Resources.ResourceDeleteSuccess", "eventTime": "2018-07-19T19:24:12.763881Z", "id": "19a69642-1aad-4a96-a5ab-8d05494513ce", "data": { "authorization": { "scope": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}", "action": "Microsoft.Storage/storageAccounts/delete", "evidence": { "role": "Subscription Admin" } }, "claims": { "aud": "{audience-claim}", "iss": "{issuer-claim}", "iat": "{issued-at-claim}", "nbf": "{not-before-claim}", "exp": "{expiration-claim}", "_claim_names": "{\"groups\":\"src1\"}", "_claim_sources": "{\"src1\":{\"endpoint\":\"{URI}\"}}", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "{token}", "http://schemas.microsoft.com/claims/authnmethodsreferences": "rsa,mfa", "appid": "{ID}", "appidacr": "2", "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier": "{ID}", "e_exp": "262800", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "{last-name}", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "{first-name}", "ipaddr": "{IP-address}", "name": "{full-name}", "http://schemas.microsoft.com/identity/claims/objectidentifier": "{ID}", "onprem_sid": "{ID}", "puid": "{ID}", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "{ID}", "http://schemas.microsoft.com/identity/claims/tenantid": "{ID}", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "{user-name}", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "{user-name}", "uti": "{ID}", "ver": "1.0" }, "correlationId": "{ID}", "httpRequest": { "clientRequestId": "{ID}", "clientIpAddress": "{IP-address}", "method": "DELETE", "url": "https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}?api-version=2018-02-01" }, "resourceProvider": "Microsoft.Storage", "resourceUri": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}", "operationName": "Microsoft.Storage/storageAccounts/delete", "status": "Succeeded", "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" }, "dataVersion": "2", "metadataVersion": "1", "topic": "/subscriptions/{subscription-id}" }] ``` The following example shows the schema for a **ResourceActionSuccess** event. The same schema is used for **ResourceActionFailure** and **ResourceActionCancel** events with different values for `eventType`. ```json [{ "subject": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey", "eventType": "Microsoft.Resources.ResourceActionSuccess", "eventTime": "2018-10-08T22:46:22.6022559Z", "id": "{ID}", "data": { "authorization": { "scope": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey", "action": "Microsoft.EventHub/namespaces/AuthorizationRules/listKeys/action", "evidence": { "role": "Contributor", "roleAssignmentScope": "/subscriptions/{subscription-id}", "roleAssignmentId": "{ID}", "roleDefinitionId": "{ID}", "principalId": "{ID}", "principalType": "ServicePrincipal" } }, "claims": { "aud": "{audience-claim}", "iss": "{issuer-claim}", "iat": "{issued-at-claim}", "nbf": "{not-before-claim}", "exp": "{expiration-claim}", "aio": "{token}", "appid": "{ID}", "appidacr": "2", "http://schemas.microsoft.com/identity/claims/identityprovider": "{URL}", "http://schemas.microsoft.com/identity/claims/objectidentifier": "{ID}", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "{ID}", "http://schemas.microsoft.com/identity/claims/tenantid": "{ID}", "uti": "{ID}", "ver": "1.0" }, "correlationId": "{ID}", "httpRequest": { "clientRequestId": "{ID}", "clientIpAddress": "{IP-address}", "method": "POST", "url": "https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey/listKeys?api-version=2017-04-01" }, "resourceProvider": "Microsoft.EventHub", "resourceUri": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey", "operationName": "Microsoft.EventHub/namespaces/AuthorizationRules/listKeys/action", "status": "Succeeded", "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" }, "dataVersion": "2", "metadataVersion": "1", "topic": "/subscriptions/{subscription-id}" }] ``` --- ### Event properties # [Cloud event schema](#tab/cloud-event-schema) An event has the following top-level data: | Property | Type | Description | | -------- | ---- | ----------- | | `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. | | `type` | string | One of the registered event types for this event source. | | `time` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Subscription event data. | | `specversion` | string | CloudEvents schema specification version. | # [Event Grid event schema](#tab/event-grid-event-schema) An event has the following top-level data: | Property | Type | Description | | -------- | ---- | ----------- | | `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. | | `eventType` | string | One of the registered event types for this event source. | | `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Subscription event data. | | `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | | `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | --- The data object has the following properties: | Property | Type | Description | | -------- | ---- | ----------- | | `authorization` | object | The requested authorization for the operation. | | `claims` | object | The properties of the claims. For more information, see [JWT specification](https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html). | | `correlationId` | string | An operation ID for troubleshooting. | | `httpRequest` | object | The details of the operation. This object is only included when updating an existing resource or deleting a resource. | | `resourceProvider` | string | The resource provider for the operation. | | `resourceUri` | string | The URI of the resource in the operation. | | `operationName` | string | The operation that was taken. | | `status` | string | The status of the operation. | | `subscriptionId` | string | The subscription ID of the resource. | | `tenantId` | string | The tenant ID of the resource. | ## Tutorials and how-tos |Title |Description | |---------|---------| | [Tutorial: Azure Automation with Event Grid and Microsoft Teams](ensure-tags-exists-on-new-virtual-machines.md) |Create a virtual machine, which sends an event. The event triggers an Automation runbook that tags the virtual machine, and triggers a message that is sent to a Microsoft Teams channel. | | [How to: subscribe to events through portal](subscribe-through-portal.md) | Use the portal to subscribe to events for an Azure subscription. | | [Azure CLI: subscribe to events for an Azure subscription](./scripts/event-grid-cli-azure-subscription.md) |Sample script that creates an Event Grid subscription to an Azure subscription and sends events to a WebHook. | | [PowerShell: subscribe to events for an Azure subscription](./scripts/powershell-azure-subscription.md)| Sample script that creates an Event Grid subscription to an Azure subscription and sends events to a WebHook. | ## Next steps * For an introduction to Azure Event Grid, see [What is Event Grid?](overview.md) * For more information about creating an Azure Event Grid subscription, see [Event Grid subscription schema](subscription-creation-schema.md).