Overview​
Publishing access management events to Azure Event Grid lets other processes and systems in your organisation subscribe to the changes made through Apporetum and trigger their own non-IAM automations. Apporetum publishes each event once to the Event Grid; any number of subscribers can then consume it independently of each other and of Apporetum.
Azure Event Grid​
Azure Event Grid is Microsoft Azure's managed event routing service. It lets developers build reactive, event-driven applications by taking care of delivering events raised by Azure services or custom applications to whichever subscribers have registered for them. See Microsoft's Azure Event Grid documentation for further detail.
Values​
Event Grid provides a highly reliable and scalable event routing service that simplifies the development and management of event-driven applications. It decouples the Apporetum Access Manager from the systems that react to its events: new subscribers can be added without any change to, or effect on, the Access Manager, which makes the overall architecture easier to scale and extend.
Event Grid also supports filtering by subject, event type and event content, so each subscriber can be delivered only the events it actually needs. This keeps processing cheap and, just as importantly, limits what each downstream system gets to see.
Apporetum Events​
Apporetum publishes five event types across two Event Grid domain topics, Access and Membership. Every event names the affected user, app, role and directory group, so each subscriber receives identity data and should be trusted and scoped accordingly.
Access Events​
Access Events are published when someone adds an account to, or removes it from, an App role in the Apporetum interface. They record the action that was requested, not the resulting change in the directory.
- Apporetum.Access.Add
- Apporetum.Access.Remove
Apporetum access events have the following structure:
{
  "id": "8ee50f72-91de-4d6e-9112-f6cd82d8bc74",
  "subject": "DataSource/860403b6-4685-4ebe-9a96-baffffc3adce/App/f8ac4912-2c3e-4128-c347-08db191854c1/Role/3cc77341-a9ee-488b-ba39-08db1919d4bc",
  "data": {
    "App": {
      "Id": "f8ac4912-2c3e-4128-c347-08db191854c1",
      "DisplayName": "AWS"
    },
    "User": {
      "Id": "f56f90a4-5d86-42b5-8dba-08db07dfbe8d",
      "DisplayName": "Zachary Denesik"
    },
    "DataSource": {
      "Id": "860403b6-4685-4ebe-9a96-baffffc3adce",
      "DisplayName": "Entra ID (formerly Azure Active Directory)"
    },
    "Role": {
      "Id": "3cc77341-a9ee-488b-ba39-08db1919d4bc",
      "DisplayName": "Power User"
    },
    "Group": {
      "Id": "eb232d40-e196-4973-b8f7-b610a80f9631",
      "DisplayName": "AzUser-AWS-PowerUser"
    },
    "FirstName": "Zachary",
    "LastName": "Denesik",
    "ExpiryDate": "2023-06-03T13:59:59+00:00"
  },
  "eventType": "Apporetum.Access.Add",
  "dataVersion": "1.0",
  "metadataVersion": "1",
  "eventTime": "2023-05-27T13:14:16.0590552Z",
  "topic": "/subscriptions/eba964ba-bfb7-4f65-a3a9-6b978b23bc1e/resourceGroups/apporetum-test-rg/providers/Microsoft.EventGrid/domains/apporetum-test-eventgrid/topics/Access"
}
Membership Events​
Membership Events are published when the entitlement is created, updated or removed in the directory. They may immediately follow an Access Event, or be delayed if the request needs approval or another workflow before the membership is written to the directory. A Membership Event is the confirmation that the directory has actually changed, so automations that must only run once access really exists (or has really been removed) should key off these events rather than off Access Events.
- Apporetum.Membership.Create
- Apporetum.Membership.Update
- Apporetum.Membership.Delete
Apporetum membership events have the following structure:
{
  "id": "f94f2085-2527-4e1e-b136-c7b24efdbf37",
  "subject": "DataSource/860403b6-4685-4ebe-9a96-baffffc3adce/App/f8ac4912-2c3e-4128-c347-08db191854c1/Role/3cc77341-a9ee-488b-ba39-08db1919d4bc",
  "data": {
    "App": {
      "Id": "f8ac4912-2c3e-4128-c347-08db191854c1",
      "DisplayName": "AWS"
    },
    "User": {
      "Id": "f56f90a4-5d86-42b5-8dba-08db07dfbe8d",
      "DisplayName": "Zachary Denesik"
    },
    "DataSource": {
      "Id": "860403b6-4685-4ebe-9a96-baffffc3adce",
      "DisplayName": "Entra ID (formerly Azure Active Directory)"
    },
    "Role": {
      "Id": "3cc77341-a9ee-488b-ba39-08db1919d4bc",
      "DisplayName": "Power User"
    },
    "Group": {
      "Id": "eb232d40-e196-4973-b8f7-b610a80f9631",
      "DisplayName": "AzUser-AWS-PowerUser"
    },
    "MembershipEvent": "Create",
    "FirstName": "Zachary",
    "LastName": "Denesik",
    "ExpiryDate": "2023-06-03T13:59:59+00:00"
  },
  "eventType": "Apporetum.Membership.Create",
  "dataVersion": "1.0",
  "metadataVersion": "1",
  "eventTime": "2023-05-27T13:14:16.0587761Z",
  "topic": "/subscriptions/eba964ba-bfb7-4f65-a3a9-6b978b23bc1e/resourceGroups/apporetum-test-rg/providers/Microsoft.EventGrid/domains/apporetum-test-eventgrid/topics/Membership"
}
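Subscribers should treat these events as untrusted input until they have checked them. The following Python webhook handler is an added example, not Apporetum's or Microsoft's code, and covers both the Access and the Membership events shown above: it answers the Event Grid subscription-validation handshake, accepts only events whose topic is one of the two expected domain topics, checks that Access events arrive on the Access topic and Membership events on the Membership topic, cross-checks the subject path against the identifiers in data, verifies that MembershipEvent agrees with eventType, and works out how long the entitlement has left from ExpiryDate. The webhook delivery model, the resource IDs and the constructed sample delivery are assumptions; the field layout follows the two examples on this page.

```python
"""Webhook subscriber that validates Apporetum events before acting on them.
Added example, not Apporetum's code. Assumptions: the subscriber is an Event Grid
webhook endpoint (one JSON array per delivery), the operator knows the resource IDs
of the two domain topics, and the endpoint is reachable only over HTTPS."""
import json
import re
from datetime import datetime, timezone

# The five event types the page documents, keyed to the domain topic they are published on.
EVENT_TOPIC_NAME = {"Apporetum.Access.Add": "Access", "Apporetum.Access.Remove": "Access",
                    "Apporetum.Membership.Create": "Membership",
                    "Apporetum.Membership.Update": "Membership",
                    "Apporetum.Membership.Delete": "Membership"}
VALIDATION_EVENT = "Microsoft.EventGrid.SubscriptionValidationEvent"
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
SUBJECT_RE = re.compile(rf"^DataSource/({GUID})/App/({GUID})/Role/({GUID})$")

def parse_time(value):
    """Event Grid stamps 7 fractional digits and a trailing Z; older fromisoformat() rejects both."""
    value = re.sub(r"(\.\d{6})\d+", r"\1", value)
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)

def parse_apporetum_event(event, allowed_topics):
    """Validate one event and return a flat record; raise ValueError so callers can dead-letter it."""
    topic, event_type = event.get("topic", ""), event.get("eventType")
    if topic not in allowed_topics:
        raise ValueError(f"unexpected topic {topic!r}")
    if event_type not in EVENT_TOPIC_NAME:
        raise ValueError(f"unknown eventType {event_type!r}")
    # Access events belong on .../topics/Access, Membership events on .../topics/Membership.
    if not topic.endswith("/topics/" + EVENT_TOPIC_NAME[event_type]):
        raise ValueError(f"{event_type} delivered on wrong topic")
    data = event["data"]
    match = SUBJECT_RE.match(event.get("subject", ""))
    if not match:
        raise ValueError("malformed subject")
    # The subject path and the data block must name the same directory, app and role.
    expected = (data["DataSource"]["Id"], data["App"]["Id"], data["Role"]["Id"])
    if [g.lower() for g in match.groups()] != [e.lower() for e in expected]:
        raise ValueError("subject does not match data identifiers")
    action = event_type.rsplit(".", 1)[1]
    if event_type.startswith("Apporetum.Membership.") and data.get("MembershipEvent") != action:
        raise ValueError("MembershipEvent field disagrees with eventType")
    expires = parse_time(data["ExpiryDate"])
    return {"id": event["id"], "kind": EVENT_TOPIC_NAME[event_type].lower(), "action": action,
            "user_id": data["User"]["Id"], "group_id": data["Group"]["Id"],
            # Negative means the entitlement had already expired when the event was published.
            "seconds_until_expiry": int((expires - parse_time(event["eventTime"])).total_seconds())}

def handle_webhook(body, allowed_topics):
    """Answer the subscription-validation handshake, or split events into accepted and rejected."""
    accepted, rejected = [], []
    for event in json.loads(body):
        if event.get("eventType") == VALIDATION_EVENT:
            # Echoing validationCode proves to Event Grid that we control this endpoint.
            return {"validationResponse": event["data"]["validationCode"]}
        try:
            accepted.append(parse_apporetum_event(event, allowed_topics))
        except (ValueError, KeyError, TypeError) as exc:
            rejected.append({"id": event.get("id"), "reason": str(exc) or type(exc).__name__})
    return {"accepted": accepted, "rejected": rejected}

# Constructed sample delivery shaped like the page's two examples (not a real capture).
DOMAIN = ("/subscriptions/eba964ba-bfb7-4f65-a3a9-6b978b23bc1e/resourceGroups/apporetum-test-rg"
          "/providers/Microsoft.EventGrid/domains/apporetum-test-eventgrid/topics/")
ALLOWED_TOPICS = {DOMAIN + "Access", DOMAIN + "Membership"}
DS_ID, APP_ID, ROLE_ID = ("860403b6-4685-4ebe-9a96-baffffc3adce",
                          "f8ac4912-2c3e-4128-c347-08db191854c1", "3cc77341-a9ee-488b-ba39-08db1919d4bc")

def sample_event(event_type, topic_name, **overrides):
    data = {"App": {"Id": APP_ID}, "DataSource": {"Id": DS_ID}, "Role": {"Id": ROLE_ID},
            "User": {"Id": "f56f90a4-5d86-42b5-8dba-08db07dfbe8d"},
            "Group": {"Id": "eb232d40-e196-4973-b8f7-b610a80f9631"}, "ExpiryDate": "2023-06-03T13:59:59+00:00"}
    if topic_name == "Membership":
        data["MembershipEvent"] = event_type.rsplit(".", 1)[1]
    event = {"id": "8ee50f72-91de-4d6e-9112-f6cd82d8bc74", "data": data, "eventType": event_type,
             "subject": f"DataSource/{DS_ID}/App/{APP_ID}/Role/{ROLE_ID}", "dataVersion": "1.0",
             "metadataVersion": "1", "eventTime": "2023-05-27T13:14:16.0590552Z", "topic": DOMAIN + topic_name}
    return {**event, **overrides}

SAMPLE_DELIVERY = json.dumps([
    sample_event("Apporetum.Access.Add", "Access"),
    sample_event("Apporetum.Membership.Create", "Membership"),
    # Tampered: the subject names a different App than the data block does.
    sample_event("Apporetum.Access.Add", "Access", subject=f"DataSource/{DS_ID}/App/{ROLE_ID}/Role/{ROLE_ID}"),
    # Wrong topic: a Membership event arriving on the Access topic.
    sample_event("Apporetum.Membership.Delete", "Access"),
])

if __name__ == "__main__":
    print(json.dumps(handle_webhook(SAMPLE_DELIVERY, ALLOWED_TOPICS), indent=2))
```

A real endpoint would return the handshake reply with HTTP 200, persist the accepted records and dead-letter the rejects. Note that the handshake only proves to Event Grid that you control the URL; it does nothing to stop a third party posting fabricated events to it, so the webhook should also be protected, for instance with Event Grid's Microsoft Entra ID webhook authentication or at minimum a secret in the endpoint's query string.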
How to Set Up Event Grid
Configure Event Grid and Apporetum API App Service​
- Create an Event Grid Domain.
- Once it is deployed, allow the Apporetum API app service to publish events to it:
  - Open the Event Grid Domain and click Access control (IAM) in the menu.
  - Click + Add and choose Add role assignment; the Add role assignment pane will open.
  - On the Role tab select EventGrid Data Sender, then click Next. This role only permits publishing events and is all the Apporetum identity needs; do not grant Contributor or Owner for this purpose. Grant it only to the Apporetum identity, because any principal that can publish to the domain can emit events that subscribers cannot tell apart from Apporetum's.
  - On the Members tab, under Assign access to, select Managed identity.
  - Click + Select members; the Select managed identities drawer will open.
  - In the Managed identity drop-down select App Service, then select the managed identity of the Apporetum API app service.
  - Click Select; the summary screen will be shown.
  - Click Review + assign.
- Go to the Overview page of the Event Grid Domain resource and copy the Domain Endpoint for the next step.
- Configure Apporetum to publish events to the Event Grid Domain:
  - Open the Apporetum API app service blade.
  - From the menu select Configuration, then the Application settings tab.
  - Check whether an application setting named EventGrid:DomainUrl already exists.
  - If it does not, click + New application setting.
  - Enter EventGrid:DomainUrl (the name is case sensitive) in the Name field.
  - Paste the Domain Endpoint URL you copied in the step above into the Value field.
  - Click OK.
  - Click Save. This restarts the app service so that the new setting takes effect.
  - Once restarted, Apporetum automatically creates the Access and Membership topics in the domain.
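Once the steps above are done, it is worth confirming that the Apporetum identity ended up with exactly EventGrid Data Sender on the domain and nothing broader, that nobody else can publish into the domain, and that the setting name and value are exactly right. The following Python script is an added example, not Apporetum's tooling: it evaluates the JSON printed by `az role assignment list --scope <domain resource id> --include-inherited -o json` and `az webapp config appsettings list -o json`, here replaced by constructed samples so that it runs offline. The resource names, the endpoint and the principal IDs in the samples are placeholders (assumptions).

```python
"""Post-setup check for the Event Grid wiring described in the steps above.
Added example, not Apporetum's tooling. Consumes what the Azure CLI prints for
`az role assignment list --scope <domain id> --include-inherited -o json` and
`az webapp config appsettings list -o json`; the samples below are constructed and
the resource names, endpoint and principal IDs are placeholders (assumptions)."""

SETTING_NAME = "EventGrid:DomainUrl"  # case sensitive, as the setup steps note
# Roles that can publish into the domain, directly or by reading its access keys.
PUBLISH_ROLES = {"EventGrid Data Sender", "EventGrid Contributor", "Contributor", "Owner"}

def check_role_assignments(assignments, principal_id, domain_id):
    """Findings about the Apporetum API identity's rights and about who else can publish."""
    findings, principal_id, domain_id = [], principal_id.lower(), domain_id.lower()
    mine = [a for a in assignments if a["principalId"].lower() == principal_id]
    sender = [a for a in mine if a["roleDefinitionName"] == "EventGrid Data Sender"
              and a["scope"].lower() == domain_id]
    if not sender:
        findings.append("MISSING: API identity has no EventGrid Data Sender assignment on the domain")
    for a in mine:
        if a not in sender:
            # Anything beyond Data Sender on the domain (e.g. Contributor inherited from the
            # resource group) is more than publishing needs.
            findings.append(f"EXCESS: API identity also holds {a['roleDefinitionName']} at {a['scope']}")
    for a in assignments:
        if (a["principalId"].lower() != principal_id and a["roleDefinitionName"] in PUBLISH_ROLES
                and domain_id.startswith(a["scope"].lower())):
            # Any such principal can inject events that look exactly like Apporetum's.
            who = a.get("principalName") or a["principalId"]
            findings.append(f"OTHER PUBLISHER: {who} ({a['principalType']}) holds "
                            f"{a['roleDefinitionName']} at {a['scope']}")
    return findings

def check_domain_url_setting(settings, expected_endpoint):
    """Findings about the EventGrid:DomainUrl application setting."""
    exact = [s for s in settings if s["name"] == SETTING_NAME]
    if not exact:
        near = [s["name"] for s in settings if s["name"].lower() == SETTING_NAME.lower()]
        hint = f" (found {near}; the name is case sensitive)" if near else ""
        return [f"MISSING: {SETTING_NAME} is not set{hint}"]
    findings, value = [], exact[0]["value"].strip()
    if not value.startswith("https://"):
        findings.append(f"INSECURE: {SETTING_NAME} is not an https URL")
    if value.rstrip("/") != expected_endpoint.rstrip("/"):
        findings.append(f"MISMATCH: {SETTING_NAME} is {value}, domain endpoint is {expected_endpoint}")
    return findings

# Constructed samples (assumed names and IDs) shaped like the CLI output.
RG_ID = "/subscriptions/eba964ba-bfb7-4f65-a3a9-6b978b23bc1e/resourceGroups/apporetum-test-rg"
DOMAIN_ID = RG_ID + "/providers/Microsoft.EventGrid/domains/apporetum-test-eventgrid"
DOMAIN_ENDPOINT = "https://apporetum-test-eventgrid.australiaeast-1.eventgrid.azure.net/api/events"
API_PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"
ROLE_ASSIGNMENTS = [
    {"principalId": API_PRINCIPAL_ID, "principalName": "apporetum-test-api", "principalType": "ServicePrincipal",
     "roleDefinitionName": "EventGrid Data Sender", "scope": DOMAIN_ID},
    {"principalId": API_PRINCIPAL_ID, "principalName": "apporetum-test-api", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": RG_ID},
    {"principalId": "22222222-2222-2222-2222-222222222222", "principalName": "dev.user@example.com",
     "principalType": "User", "roleDefinitionName": "EventGrid Data Sender", "scope": DOMAIN_ID},
]
APP_SETTINGS = [{"name": "EventGrid:DomainUrl", "value": DOMAIN_ENDPOINT, "slotSetting": False},
                {"name": "WEBSITE_RUN_FROM_PACKAGE", "value": "1", "slotSetting": False}]

if __name__ == "__main__":
    for line in (check_role_assignments(ROLE_ASSIGNMENTS, API_PRINCIPAL_ID, DOMAIN_ID)
                 + check_domain_url_setting(APP_SETTINGS, DOMAIN_ENDPOINT)):
        print(line)
```

To run it against a real environment, load the two CLI outputs with json.load() and pass the resulting lists in place of the samples. The EXCESS finding in the sample is the common case of Contributor having been granted at the resource group during deployment and never removed; the OTHER PUBLISHER finding matters because any principal that can send to the domain can produce events that subscribers cannot distinguish from Apporetum's.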