Merge pull request #306359 from bachuv/vabachu/durable-event-grid-mi

Add Durable Functions managed identity config instructions for event grid publishing

Author: AnnaMHuff

articles/azure-functions/durable/durable-functions-event-publishing.md

@@ -1,7 +1,7 @@
 ---
 title: Durable Functions publishing to Azure Event Grid
 description: Learn how to configure automatic Azure Event Grid publishing for Durable Functions.
-ms.topic: conceptual
+ms.topic: article
 ms.date: 05/11/2020
 ms.devlang: csharp
 # ms.devlang: csharp, javascript
@@ -54,15 +54,15 @@ Get the endpoint of the topic. Replace `<topic_name>` with the name you chose.
 az eventgrid topic show --name <topic_name> -g eventResourceGroup --query "endpoint" --output tsv
 ```
 
-Get the topic key. Replace `<topic_name>` with the name you chose.
+Get the topic key if you're using key based authentication. Replace `<topic_name>` with the name you chose.
 
 ```azurecli
 az eventgrid topic key list --name <topic_name> -g eventResourceGroup --query "key1" --output tsv
 ```
 
 Now you can send events to the topic.
 
-## Configure Event Grid publishing
+## Configure Event Grid publishing with key based authentication
 
 In your Durable Functions project, find the `host.json` file.
 
@@ -117,6 +117,94 @@ If you're using the [Storage Emulator](../../storage/common/storage-use-emulator
 
 If you're using a real Azure Storage account, replace `UseDevelopmentStorage=true` in `local.settings.json` with its connection string.
 
+## Configure Event Grid publishing with Managed Identity
+
+Managed identities in Azure allow resources to authenticate to Azure services without storing credentials, simplifying security and identity management. _System-assigned_ managed identity is automatically created when you enable it on an Azure resource and is tied to that resource’s lifecycle. If the resource is deleted, the identity is also removed. _User-assigned_ managed identity is created as a standalone Azure resource and can be assigned to multiple resources. It persists independently of any resource, offering flexibility for shared access and centralized identity management. It's recommended that you use user-assigned identity because it's not attached to the lifecycle of the app.
+
+For more information, visit [Use managed identities for App Service and Azure Functions](../../app-service/overview-managed-identity.md).
+
+### System Assigned Identity
+To configure system assigned identity follow the instructions below:
+
+#### Configuration
+1. Turn on system assigned identity for the function app
+    - Go to the function app's **Identity** section and in the **System Assigned** tab, toggle the **Status** switch to on.
+
+      :::image type="content" source="./media/durable-functions-event-publishing/enable-system-assigned-identity.png" alt-text="Screenshot of enabling system assigned identity in the function app." border="true":::
+
+2. In the Event Grid topic resource, give the function app the EventGrid Data Sender role.
+    - Go to the **Access Control (IAM)** section, click **+ Add**.
+
+      :::image type="content" source="./media/durable-functions-event-publishing/add-role.png" alt-text="Screenshot of adding a role to event grid topic resource." border="true":::
+
+    - Select the **EventGrid Data Sender** role, click **Next**.
+
+      :::image type="content" source="./media/durable-functions-event-publishing/event-grid-data-sender.png" alt-text="Screenshot of selecting the EventGrid Data Sender Role." border="true":::
+
+    - Choose **Managed Identity** in the **Assign access to** section, click **+ Select Members** in the **Members** section, select the managed identity, then click **Review + Assign**.
+
+      :::image type="content" source="./media/durable-functions-event-publishing/select-managed-identity.png" alt-text="Screenshot of selecting a managed identity." border="true":::
+
+
+#### App Settings
+Add an `EventGrid__topicEndpoint` app setting with the value as the Event Grid topic endpoint.
+
+You can use the following command:
+`az functionapp config appsettings set --name <function app name> --resource-group <resource group name> --settings EventGrid__topicEndpoint="<topic endpoint>"`
+
+### User Assigned Identity
+To configure user assigned managed identity follow the instructions below:
+
+#### Configuration
+1. Create a user assigned managed identity.
+    - In the Azure portal, search for _Managed Identities_ in the global search bar. 
+
+    - Create a user assigned managed identity (UAMI) and select **Review + create**.
+  
+      :::image type="content" source="./media/durable-functions-event-publishing/create-user-assigned-managed-identity.png" alt-text="Screenshot of creating user assigned managed identity." border="true":::
+
+2. Attach the UAMI to the function app resource
+     - Go to the function app, **Identity** section, click **Add +**.
+  
+       :::image type="content" source="./media/durable-functions-event-publishing/function-app-add-user-assigned-managed-identity.png" alt-text="Screenshot of the function app identity section for user assigned managed identity." border="true":::
+
+    - Choose the UAMI created above, then click **Add**.
+
+       :::image type="content" source="./media/durable-functions-event-publishing/function-app-add-specific-user-assigned-managed-identity.png" alt-text="Screenshot of selecting specific user assigned managed identity." border="true":::
+
+3. Attach the UAMI to the event grid topic resource.
+    - Go to the event grid topic resource, **Identity** section, choose the **User assigned** tab, then click **Add +**. Choose the user assigned managed identity, then click **Add**.
+
+      :::image type="content" source="./media/durable-functions-event-publishing/add-user-assigned-managed-identity-to-event-grid-topic.png" alt-text="Screenshot of adding a user assigned managed identity to event grid topic." border="true":::
+
+4. Create an Event Grid subscription and select an endpoint.
+    - In the **Overview** tab of the Event Grid Topic resource, select **+ Event Subscription**, and create the event subscription.
+  
+      :::image type="content" source="./media/durable-functions-event-publishing/event-subscription.png" alt-text="Screenshot of the + Event Subscription button." border="true":::
+
+    - Based on the endpoint you choose in **Endpoint Details**, you will see a **Managed Identity for Delivery** section. Choose **User Assigned** for the **Managed Identity** type and select the UAMI.
+  
+      :::image type="content" source="./media/durable-functions-event-publishing/event-subscription-managed-identity.png" alt-text="Screenshot of adding a user assigned managed identity to event grid subscription." border="true":::
+
+6. In the Event Grid topic resource, assign the **EventGrid Data Sender** role to the UAMI.
+
+    - Go to the **Access Control (IAM)** section, click **+ Add**.
+
+      :::image type="content" source="./media/durable-functions-event-publishing/add-role.png" alt-text="Screenshot of adding a role to an event grid topic resource." border="true":::
+
+    - Select the **EventGrid Data Sender** role, click **Next**.
+
+      :::image type="content" source="./media/durable-functions-event-publishing/event-grid-data-sender.png" alt-text="Screenshot of selecting the EventGrid Data Sender Role." border="true":::
+
+    - Choose **Managed Identity** in the **Assign access to** section, click **+ Select Members** in the **Members** section, select the UAMI, then click **Review + Assign**.
+
+      :::image type="content" source="./media/durable-functions-event-publishing/select-managed-identity.png" alt-text="Screenshot of selecting a managed identity." border="true":::
+
+#### App Settings
+- Add an `EventGrid__topicEndpoint` app setting with the value as the Event Grid topic endpoint.
+- Add an `EventGrid__credential` app setting with the value `managedidentity`.
+- Add an `EventGrid__clientId` app setting with the value of the user assigned managed identity client ID.
+
 ## Create functions that listen for events
 
 Using the Azure portal, create another function app to listen for events published by your Durable Functions app. It's best to locate it in the same region as the Event Grid topic.