Unable to create System Topic in Event Grid due to Unable to verify access to resource

Question

Unable to create System Topic in Event Grid due to Unable to verify access to resource

Mathieu Isabel 20

Trying to create a system topic for Azure Communication Service either from the portal or using az cli using this:

az eventgrid system-topic create -g <rg name> --name inboundcalls --location global --topic-type Microsoft.Communication.CommunicationServices --source <acs resource id>

but it always fails with:

Code: InternalServerError

Message: Unable to verify access to resource <resource id of acs instance>

Doing az eventgrid system-topic list just returns an empty array

[]

which seems odd.

Rakesh Mishra 2,265 Reputation points Microsoft External Staff Moderator

2025-10-06T04:28:30.6866667+00:00
Hi @Mathieu Isabel ,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

One of major causes for this is access. Could you please try below and share your findings.

Do you have contributor access while creating. Please try creating with Owner access and see if it gets created.

If Owner is not possible, please try with roles - EventGrid Contributor and EventGrid EventSubscription Contributor

Could you please check and allow access to ACS resource on Event Grid. Add Role - EventGrid Contributor. ACS can be configured with private endpoints. If the resource blocks platform services, Event Grid’s validation will fail.
Mathieu Isabel 20 Reputation points

2025-10-06T11:53:35.6133333+00:00

I've tried with an elevated account that has Service Administrator and it's still the same issue. On the last point, I'm not sure how I can add Event Grid access to ACS while creating the topic as its managed identity doesn't exist yet.

I've also tried creating a system topic for a storage account and same issue happens.
Pashikanti Kumar 1,160 Reputation points Microsoft External Staff Moderator

2025-10-06T18:45:17.6433333+00:00

Hi Mathieu Isabel,

Could you please review the role assignments listed below

Assign built-in role "EventGrid Contributor" or "EventGrid EventSubscription Contributor" on the ACS resource.

This permission is needed for Event Grid to verify and subscribe to the ACS(Azure Communication Service) events.
Mathieu Isabel 20 Reputation points

2025-10-07T11:53:45.86+00:00

To clarify, who exactly should be granted EventGrid Contributor? The user creating the System Topic? I cannot give access to an EventGrid managed identity as the EventGrid resource hasn't been created yet.

If I go in IAM in the portal, I can see that particular role under the ACS resource.

But if I try to assign a user/identity to that role, it's not showing up in the list of roles.

Is it normal that running doesn't return anything?
az eventgrid system-topic list
returns

[]
Sandhya Kommineni 2,040 Reputation points Microsoft External Staff Moderator

2025-10-08T03:36:22.2533333+00:00
Hi Mathieu Isabel, Thanks for sharing details and patience

1.The EventGrid Contributor role isn’t meant for the user who’s creating the system topic. Instead, it’s intended for the managed identity that Event Grid automatically creates once the system topic is successfully provisioned.Here’s how it works.

As the creator, you only need Contributor permissions on the resource group where you’re creating the system topic, and Reader access on the source resource (for example, Azure Communication Services).

The Event Grid system topic’s managed identity will later need the EventGrid Contributor (or EventGrid Data Sender) role on the source resource.

However, this managed identity does not exist until the system topic is created, so you can’t assign the role beforehand. Once the topic is created successfully, you can then grant the necessary permissions to its managed identity.

2.If az eventgrid system-topic list returns nothing, that’s expected in some cases:

You haven’t successfully created any system topics yet in that subscription or region.

You’re listing in the wrong scope (for example, not specifying the correct resource group).

Once a system topic is successfully created, it will appear in the az eventgrid system-topic list output, and a managed identity will automatically be linked to it. At that point, you can assign the necessary Event Grid roles to that identity.

The system topic creation fails if you set up Azure policies in such a way that the Event Grid service can't create it. For example, you can have a policy that allows creation of only certain types of resources (for example: Azure Storage, Azure Event Hubs, and so on) in the subscription. In such cases, event flow functionality is preserved. However, metrics and diagnostic functionalities of system topics are unavailable. If you require this functionality, allow creation of resources of the system topic type, and create the missing system topic as described in the Lifecycle of system topics section.

Refer document: https://free.blessedness.top/en-us/azure/event-grid/system-topics

Could you please provide answers to the following questions? This will help us investigate the issue more efficiently.

could you please confirm that the Event Grid resource provider is fully registered?

confirm you have contributor access at resource group and least reader access at ACS resources?

Have you checked if there are any restrictions set by Azure Policies at the subscription or resource group level?

For Azure event sources in a specific region, are you trying to create the system topic created in the same location as the event source?

Have you checked any event logs for specific error logs?
Mathieu Isabel 20 Reputation points

2025-10-08T17:09:29.32+00:00
Yes the Event Grid resource provide is registered, I triggered a re-register just in case

Yes I have access to the ACS resources

No restrictions set by Azure Policies

ACS data is in Canada, Event Grid is a global resource as far as I know

The only error thrown is the one I shared earlier in the thread which is this:

Creation of System Topic has failed with error: Unable to verify access to resource <acs resource id>. Please try again in a few minutes. Event Subscription will not be created.

So as the Event Grid resource creation fails, no managed identity is available to add to the ACS resource role.
Sandhya Kommineni 2,040 Reputation points Microsoft External Staff Moderator

2025-10-09T03:01:46.0933333+00:00

Hello Mathieu Isabel, Thanks for sharing details

and also, could you please share required information in private messaging
Mathieu Isabel 20 Reputation points

2025-10-16T01:08:50.7233333+00:00

By creating a custom role with the permission Microsoft.EventGrid/eventSubscriptions/Write and adding my user to it, I was able to create the system topic.
Sandhya Kommineni 2,040 Reputation points Microsoft External Staff Moderator

2025-10-16T06:21:50.8+00:00

Hello Mathieu Isabel,
Thanks for confirming! Glad to hear that you were able to create the system topic successfully. Please mark the answer as Accepted and give it an upvote so it can help others in the community as well.

Answer accepted by question author

0 additional answers

Your answer

Rakesh Mishra 2,265 Reputation points Microsoft External Staff Moderator

2025-10-06T04:28:30.6866667+00:00

Hi @Mathieu Isabel ,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

One of major causes for this is access. Could you please try below and share your findings.

Do you have contributor access while creating. Please try creating with Owner access and see if it gets created.

If Owner is not possible, please try with roles - EventGrid Contributor and EventGrid EventSubscription Contributor

Could you please check and allow access to ACS resource on Event Grid. Add Role - EventGrid Contributor. ACS can be configured with private endpoints. If the resource blocks platform services, Event Grid’s validation will fail.
Mathieu Isabel 20 Reputation points

2025-10-06T11:53:35.6133333+00:00

I've tried with an elevated account that has Service Administrator and it's still the same issue. On the last point, I'm not sure how I can add Event Grid access to ACS while creating the topic as its managed identity doesn't exist yet.

I've also tried creating a system topic for a storage account and same issue happens.
Pashikanti Kumar 1,160 Reputation points Microsoft External Staff Moderator

2025-10-06T18:45:17.6433333+00:00

Hi Mathieu Isabel,

Could you please review the role assignments listed below

Assign built-in role "EventGrid Contributor" or "EventGrid EventSubscription Contributor" on the ACS resource.

This permission is needed for Event Grid to verify and subscribe to the ACS(Azure Communication Service) events.
Mathieu Isabel 20 Reputation points

2025-10-07T11:53:45.86+00:00

To clarify, who exactly should be granted EventGrid Contributor? The user creating the System Topic? I cannot give access to an EventGrid managed identity as the EventGrid resource hasn't been created yet.

If I go in IAM in the portal, I can see that particular role under the ACS resource.

But if I try to assign a user/identity to that role, it's not showing up in the list of roles.

Is it normal that running doesn't return anything?
az eventgrid system-topic list
returns

[]
Mathieu Isabel 20 Reputation points

2025-10-08T17:09:29.32+00:00

Yes the Event Grid resource provide is registered, I triggered a re-register just in case

Yes I have access to the ACS resources

No restrictions set by Azure Policies

ACS data is in Canada, Event Grid is a global resource as far as I know

The only error thrown is the one I shared earlier in the thread which is this:

Creation of System Topic has failed with error: Unable to verify access to resource <acs resource id>. Please try again in a few minutes. Event Subscription will not be created.

So as the Event Grid resource creation fails, no managed identity is available to add to the ACS resource role.
Sandhya Kommineni 2,040 Reputation points Microsoft External Staff Moderator

2025-10-09T03:01:46.0933333+00:00

Hello Mathieu Isabel, Thanks for sharing details

and also, could you please share required information in private messaging
Mathieu Isabel 20 Reputation points

2025-10-16T01:08:50.7233333+00:00

By creating a custom role with the permission Microsoft.EventGrid/eventSubscriptions/Write and adding my user to it, I was able to create the system topic.
Sandhya Kommineni 2,040 Reputation points Microsoft External Staff Moderator

2025-10-16T06:21:50.8+00:00

Hello Mathieu Isabel,
Thanks for confirming! Glad to hear that you were able to create the system topic successfully. Please mark the answer as Accepted and give it an upvote so it can help others in the community as well.

Answer 1

Hi Mathieu Isabel, Thank you for your patience. To help us investigate this issue further, could you please share a few additional details?

1.Are you creating the resources using your own user authentication?

If yes, please ensure your account has the Microsoft.EventGrid/eventSubscriptions/Write permission assigned at the resource, resource group, or subscription level.

2.Or are you creating the resources using a Managed Identity (MI)?

If yes, please verify that the same Microsoft.EventGrid/eventSubscriptions/Write permission has been granted to that identity.

3.Could you also try running the same az eventgrid system-topic create command with the --debug parameter and share the relevant error details or exception messages that appear?

4.Lastly, please confirm whether you are able to successfully create system topics for other resource types (for example, Storage Account or Event Hub). This will help us isolate whether the issue is specific to the Azure Communication Services resource type.

As suggested above by creating a custom role with the permission Microsoft.EventGrid/eventSubscriptions/Write and adding user to it, you are able to create the system topic.

I hope the provided answer is helpful, please accept as Yes and upvote so that it can help others in the community.

Share via

Unable to create System Topic in Event Grid due to Unable to verify access to resource

0 additional answers

Your answer