Internal Server Error while creating an EventGrid Namespace subscription in Push delivery mode

Guru Pasupathy 20 Reputation points
2025-08-26T06:20:34.56+00:00

I’m trying to create an EventGrid Namespace subscription in Push delivery mode, but I encountered the following error. However, I can create a subscription in Queue mode without any issues. Could you help me understand what’s causing this error?

    RESPONSE 500: 500 Internal Server Error
    ERROR CODE: InternalServerError
    {
      "error": {
        "code": "InternalServerError",
        "message": "The operation failed due to an internal server error. The initial state of the impacted resources (if any) are restored. Please try again in few minutes. If error still persists, report a0e84731-1198-49ae-99f9-6dde59726a93:8/26/2025 6:13:38 AM (UTC) to our forums for assistance or raise a support ticket ."
      }
    }
    --------------------------------------------------------------------------------
    RESPONSE 500: 500 Internal Server Error
    ERROR CODE: InternalServerError
    --------------------------------------------------------------------------------
    {
      "error": {
        "code": "InternalServerError",
        "message": "The operation failed due to an internal server error. The initial state of the impacted resources (if any) are restored. Please try again in few minutes. If error still persists, report 0652ede7-3a61-4c20-a8dc-b77443ef102d:8/26/2025 8:09:11 AM (UTC) to our forums for assistance or raise a support ticket ."
      }
    }
    --------------------------------------------------------------------------------

Azure Event Grid
An Azure event routing service designed for high availability, consistent performance, and dynamic scale.

Answer accepted by question author
  1. Rakesh Mishra 2,265 Reputation points Microsoft External Staff Moderator
    2025-09-03T14:50:07.0966667+00:00

    Hi Guru Pasupathy,

    For Consumption Logic Apps the easiest, supported workaround is to use the Logic App workflow callback URL (the full URL that includes the sig SAS token) as the webhook endpointUrl when creating Event Grid subscriptions, rather than trying to use deliveryWithResourceIdentity / managed-identity authentication.

    • Logic Apps expose a workflow trigger callback URL that contains a SAS signature (sig=) and the REST API / CLI / PowerShell can return that URL (listCallbackUrl / Get-AzLogicAppTriggerCallbackUrl).

    Why this helps: the callback URL already supplies the secret that the Consumption trigger expects (the sig), so Event Grid can complete the subscription validation and deliver events without an extra auth handshake that may not map cleanly to the Consumption trigger URL format.

    Quick Terraform / azapi change (high level)

    Replace your deliveryWithResourceIdentity block and identity with a plain webhook endpointUrl set to the workflow callback URL you get from Logic Apps:

    # obtain the callback URL (programmatically) and insert it here
    locals {
      logicapp_callback = "<PUT_YOUR_WORKFLOW_CALLBACK_URL_WITH_SIG_HERE>"
    }
    
    resource "azapi_resource" "egns_internal_topic_logicapp_push_subscription" {
      type      = "Microsoft.EventGrid/namespaces/topics/eventSubscriptions@2025-04-01-preview"
      name      = "internal-topic-logicapp-sub-msi"
      parent_id = "/subscriptions/${var.subscription_id}/resourceGroups/${var.resource_group_name}/providers/Microsoft.EventGrid/namespaces/${var.event_grid_namespace}/topics/internal-topic"
    
      body = {
        properties = {
          deliveryConfiguration = {
            deliveryMode = "Push"
            push = {
              destination = {
                endpointType = "WebHook"
                properties = {
                  endpointUrl = local.logicapp_callback
                  maxEventsPerBatch = 100
                  preferredBatchSizeInKilobytes = 64
                }
              }
              eventTimeToLive  = "P7D"
              maxDeliveryCount = 10
            }
          }
          eventDeliverySchema = "CloudEventSchemaV1_0"
        }
      }
    }
    

    How to get the workflow callback URL programmatically (use in automation)

    • REST API: POST https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Logic/workflows/{workflow}/triggers/{trigger}/listCallbackUrl?api-version=2016-06-01 — response contains value (the full URL with sig).
    • or PowerShell: Get-AzLogicAppTriggerCallbackUrl returns the trigger callback URL for a Logic App.

    When creating multiple subscriptions, script these steps:

    1. fetch the callback URL for each workflow
    2. populate the endpointUrl in your azapi/ARM/Terraform body
    3. create the Event Grid subscription.

    This avoids intermittent control-plane validation/auth issues and scales cleanly.


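The three scripted steps from the accepted answer (fetch the callback URL, populate endpointUrl, create the subscription), as an added example that is not part of the original answer or any Microsoft code. It goes slightly beyond the answer by masking the sig value before anything is logged, because the callback URL is itself the credential; the function names, sample response and resource IDs are constructed, and the PUT path is an assumption derived from the answer's azapi type and parent_id.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

API_VERSION = "2025-04-01-preview"  # taken from the azapi resource type in the answer


def callback_url(response: dict) -> str:
    """Return the trigger URL from a listCallbackUrl response, rejecting unusable ones."""
    url = response.get("value", "")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("callback URL must be an absolute https URL")
    if not dict(parse_qsl(parts.query)).get("sig"):
        raise ValueError("callback URL carries no sig parameter")
    return url


def redact(url: str) -> str:
    """Copy of the URL that is safe to log: the sig value is masked."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "sig" else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def subscription_request(topic_id: str, name: str, endpoint_url: str) -> dict:
    """Build the PUT request whose body mirrors the azapi body in the answer."""
    body = {"properties": {
        "deliveryConfiguration": {"deliveryMode": "Push", "push": {
            "destination": {"endpointType": "WebHook", "properties": {
                "endpointUrl": endpoint_url,
                "maxEventsPerBatch": 100,
                "preferredBatchSizeInKilobytes": 64}},
            "eventTimeToLive": "P7D",
            "maxDeliveryCount": 10}},
        "eventDeliverySchema": "CloudEventSchemaV1_0"}}
    url = (f"https://management.azure.com{topic_id}/eventSubscriptions/{name}"
           f"?api-version={API_VERSION}")  # assumed ARM path: parent_id + type + name
    return {"method": "PUT", "url": url, "body": body}


# Constructed sample data: workflow id, sig value, subscription id and names are made up.
SAMPLE = {"value": "https://prod-07.westus.logic.azure.com:443/workflows/0123abcd"
                   "/triggers/manual/paths/invoke?api-version=2016-10-01"
                   "&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=EXAMPLE-SIG"}
TOPIC = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
         "/providers/Microsoft.EventGrid/namespaces/egns-example/topics/internal-topic")

if __name__ == "__main__":
    endpoint = callback_url(SAMPLE)  # step 1: response normally comes from listCallbackUrl
    request = subscription_request(TOPIC, "logicapp-push-sub", endpoint)  # steps 2 and 3
    print(request["method"], request["url"], "endpointUrl:", redact(endpoint))
```

Because the full URL ends up in the subscription body, the same masking applies to any place that body is written out, such as pipeline logs or plan output.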
1 additional answer

  1. Suwarna S Kale 4,501 Reputation points
    2025-08-28T02:12:39.2533333+00:00

    Hello Guru Pasupathy,

    Thank you for posting your question in the Microsoft Q&A forum. 

    You cannot create an Azure Event Grid Namespace topic subscription in push delivery mode for a WebHook endpoint that points to a Logic App (Consumption) using its default trigger URL. 

    Here’s the detailed explanation of why and what the correct approach is.

    The Core Problem is Authentication

    The primary reason is the authentication requirement for WebHook endpoints with the new Event Grid Namespace (the GA/released version of the service, not the classic "Event Grid" resource). 

    When you create an event subscription on a Namespace topic and select WebHook as the endpoint type, it mandatorily requires you to select an authentication method (e.g., Azure Active Directory, SAS Token). You cannot proceed without it. 

    The default HTTP request trigger URL for a Logic App (Consumption) looks like this: https://prod-07.westus.logic.azure.com:443/workflows/{GUID}/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig={SAS_KEY}

    This URL contains a SAS (Shared Access Signature) token (sig={SAS_KEY}) for authentication. However, the Event Grid Namespace WebHook configuration does not support the specific SAS token format used by the Logic App's built-in trigger. There is no field to configure the sig parameter in the way the Logic App expects it. 

    The Recommended Solution: Use the "Azure Logic Apps" Endpoint Type 

    Instead of fighting the WebHook configuration, you should use the dedicated endpoint type built specifically for this purpose. 

    • When creating your event subscription, in the "Endpoint Details" section, do not select "WebHook". 
    • Select "Azure Logic Apps" from the dropdown menu of endpoint types. 
    • Azure will then allow you to browse and select your specific Logic App (Consumption) from your subscription. 

    Why this works perfectly: 

    • Automatic Authentication: Behind the scenes, Azure automatically handles the authentication between Event Grid and your Logic App using a managed identity. You don't have to worry about SAS tokens or keys. 
    • Simplified Setup: The connection is established with a few clicks, eliminating configuration errors. 
    • Native Integration: It represents the officially supported path for this integration, making it more reliable and future-proof. 

    Please let me know if the response helps answer your question. If the above answer helped, please do not forget to "Accept Answer", as this may help other community members refer to the info if facing a similar issue. 🙂

