Event Grid cross-tenant delivery using Managed Identity fails with “Internal error” when creating Event Subscription
Hi,
I’m implementing cross-tenant Event Grid delivery using Managed Identity, following this official Microsoft doc:
https://learn.microsoft.com/azure/event-grid/cross-tenant-delivery-using-managed-identity
I have two tenants:
- Customer tenant (Tenant A)
  - Contains the Storage Account
  - Has the **Event Grid system topic**
  - Created a **user-assigned managed identity (UAMI)** and assigned it to the system topic
  - Trying to create a cross-tenant event subscription
- **Vega (SaaS) tenant** (Tenant B)
  - Contains a **Service Bus namespace + queue**
  - Contains a **multi-tenant application** with a **Federated Identity Credential (FIC)**
    - Issuer = Customer tenant
    - Subject = clientId of the UAMI
    - Audience = `api://AzureADTokenExchange`
  - The Vega app’s service principal has **Azure Service Bus Data Sender** role on the queue
This matches the steps described in the documentation exactly.
Problem
When I try to create the Event Grid subscription in the customer tenant using cross-tenant delivery:
- Endpoint type: Service Bus Queue
- Cross-tenant delivery: Enabled
- Managed identity type: User Assigned
- Managed identity: the UAMI assigned to the system topic
- Federated identity credentials (multitenant application ID): the Vega appId
The deployment fails immediately with:
```text
Deployment has failed with the following error:
{"code":"Internal error","message":"The operation failed due to an internal server error.
The initial state of the impacted resources (if any) are restored.
Please try again in few minutes. If error still persists, report
12471e63-0fca-4eec-bc39-6d75375764cb:11/27/2025 8:59:39 AM (UTC)
to our forums for assistance or raise a support ticket ."}
```
There are no additional details in Activity Log.
Operation ID shown in the error:
12471e63-0fca-4eec-bc39-6d75375764cb
Timestamp: 2025-11-27 08:59:39 UTC
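As an added pre-flight check (example code, not from the question or from Microsoft's docs): validate the federated identity credential on the multi-tenant app against the three values the setup above depends on, before creating the subscription. It assumes the issuer is the customer tenant's v2.0 URL (`https://login.microsoftonline.com/<tenant-id>/v2.0`) and that the input is the JSON returned by `az ad app federated-credential list --id <appId>`; every ID in the sample is a constructed placeholder.

```python
import re

EXPECTED_AUDIENCE = "api://AzureADTokenExchange"
# Assumed issuer form for an Entra tenant in a federated identity credential
ISSUER_FMT = "https://login.microsoftonline.com/{tenant}/v2.0"


def check_fic(fics, customer_tenant_id, uami_client_id):
    """Return a list of problems; an empty list means one credential matches
    the customer tenant / UAMI pair exactly (only one exact match is needed).

    fics: federatedIdentityCredential objects as returned by
          `az ad app federated-credential list --id <appId>`
          (fields used: name, issuer, subject, audiences).
    """
    expected_issuer = ISSUER_FMT.format(tenant=customer_tenant_id.lower())
    problems = []
    for fic in fics:
        name = fic.get("name", "<unnamed>")
        issuer = (fic.get("issuer") or "").rstrip("/").lower()
        subject = (fic.get("subject") or "").lower()
        audiences = [a.lower() for a in fic.get("audiences", [])]
        mismatches = []
        if issuer != expected_issuer:
            mismatches.append(f"issuer is {fic.get('issuer')!r}, expected {expected_issuer!r}")
        if subject != uami_client_id.lower():
            mismatches.append(f"subject is {fic.get('subject')!r}, expected the UAMI client ID")
        if audiences != [EXPECTED_AUDIENCE.lower()]:
            mismatches.append(f"audiences are {fic.get('audiences')!r}, expected [{EXPECTED_AUDIENCE!r}]")
        if not mismatches:
            return []  # exact match found; earlier mismatches are irrelevant
        problems.append(f"credential {name!r}: " + "; ".join(mismatches))
    if not fics:
        problems.append("the app has no federated identity credentials")
    return problems


# Constructed sample: placeholder IDs, one credential that matches the setup
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"  # placeholder customer tenant ID
SAMPLE_UAMI = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"    # placeholder UAMI client ID
SAMPLE_FICS = [
    {"name": "customer-a", "issuer": ISSUER_FMT.format(tenant=SAMPLE_TENANT),
     "subject": SAMPLE_UAMI, "audiences": [EXPECTED_AUDIENCE]},
]

if __name__ == "__main__":
    for line in check_fic(SAMPLE_FICS, SAMPLE_TENANT, SAMPLE_UAMI) or ["FIC matches the setup"]:
        print(line)
```

Feed it the real output with `az ad app federated-credential list --id <appId> -o json` from the Vega tenant and the customer tenant ID and UAMI client ID from Tenant A.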