Event Grid Subscription Validation Handler
An HTTP-triggered flow acts as an Event Grid webhook endpoint, correctly handling the subscription validation handshake, verifying the event schema, and then dispatching validated events to downstream logic. Provides a reusable, compliant Event Grid webhook receiver for custom endpoints.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow is a reusable, compliant Azure Event Grid webhook receiver, deployed as a Power Automate cloud flow. An HTTP-triggered flow acts as the endpoint: it completes the Event Grid subscription validation handshake (echoing the validationCode), enforces a topic allowlist, logs every validated event to a Dataverse audit table with a correlation id, resolves a per-eventType downstream handler, and returns HTTP 200.
Why it matters: Event Grid requires a one-time validation handshake before it will deliver to any webhook endpoint. Getting the handshake, schema parsing, and acknowledgement right once gives you a robust, portable receiver for any custom Event Grid integration.
Ships in the Off state (demo).
Use Case
A developer or IT admin needs a Power Automate endpoint that Azure Event Grid can deliver to directly via webhook - for example, to react to Azure resource changes, Blob events, or custom topic events without standing up an Azure Function. This flow provides the compliant receiver: it answers the validation challenge, screens events against a trusted-topic allowlist, persists an auditable record of each accepted event, and routes events to named handlers.
Flow Architecture
When a HTTP Request Is Received
Request (HTTP): Public webhook URL that Event Grid validates and delivers event batches to; schema is the Event Grid event array.
Initialize Trace & Config
Initialize variable: Mints a correlation id and loads the topic allowlist, eventType-to-handler map, and audit table name from env vars.
Handle Validation Handshake
Condition + Response 200: Detects SubscriptionValidationEvent on the first event and echoes validationResponse with the validationCode, then terminates.
Dispatch Validated Events
Apply to each: For each event, checks the topic allowlist, resolves the downstream handler from the map (default fallback), and writes a Validated record to Dataverse; untrusted topics are noted and skipped.
Respond With Acceptance
Response 200: Acknowledges the batch with status, correlation id, and event count.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_AllowedTopics | String | — | Comma-separated allowlist of trusted Event Grid topic resource scopes. Empty = accept all topics. |
| flowlibs_HandlerMap | String | {} | JSON map of eventType to downstream handler name, used to route validated events. |
| flowlibs_EventLogTable | String | flowlibs_eventlogs | Dataverse entity-set name for the validated-event audit log. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Request | request | When a HTTP request is received, Response |
| Microsoft Dataverse | shared_commondataserviceforapps | CreateRecord |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Topic allowlist: Set the allowed topics to a comma-separated list of trusted topic scopes to reject events from any other source. Leave empty to accept all.
- Handler routing: Populate the handler map with JSON like {"Microsoft.Storage.BlobCreated":"ingest"} and replace the Resolve Handler Route Compose with a Switch to branch into real downstream actions.
- CloudEvents v1.0: To support the CloudEvents schema, detect the OPTIONS/Webhook-Request-Origin handshake and parse type/source/subject instead of eventType/topic/subject.
- Shared-secret auth: Require a secret header on the trigger (e.g. aeg-sas-key or a custom header) and validate it before processing.
- Downstream dispatch: Replace the Compose handlers with real connector actions (Teams post, queue message, child-flow call) keyed off the resolved route.
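The receiver logic from Flow Architecture, together with the shared-secret option listed above, mirrored in Python as an added example (not the flow's own definition or the publisher's code). The header name `x-webhook-secret`, the `cfg` keys, the response field names, the case-insensitive topic comparison and checking the secret on every request including the handshake are assumptions of this example; all sample events are constructed.

```python
import hmac
import json
import uuid

VALIDATION_TYPE = "Microsoft.EventGrid.SubscriptionValidationEvent"
# Constructed sample data (not real resources or codes).
TOPIC = "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/trusted-prod"
SAMPLE_HANDSHAKE = json.dumps([{"id": "h1", "eventType": VALIDATION_TYPE, "topic": TOPIC,
                                "data": {"validationCode": "CONSTRUCTED-CODE-123"}}])
SAMPLE_BATCH = json.dumps([
    {"id": "a1", "eventType": "Microsoft.Storage.BlobCreated", "topic": TOPIC},
    {"id": "a2", "eventType": "Microsoft.Storage.BlobCreated", "topic": TOPIC[:-5]},  # ".../trusted"
    {"id": "a3", "eventType": "Microsoft.Storage.BlobDeleted", "topic": TOPIC.upper()},
])

def parse_allowlist(raw):
    """Split the comma-separated allowlist into a set of normalized topic scopes."""
    return {t.strip().lower() for t in raw.split(",") if t.strip()}

def handle_request(headers, body, cfg):
    """Return (status, response_body, dispatched) for one delivery; header keys are lowercase."""
    # Optional shared secret (hypothetical header name), compared in constant time.
    secret = cfg.get("secret")
    if secret and not hmac.compare_digest(headers.get("x-webhook-secret", "").encode(), secret.encode()):
        return 401, {"status": "unauthorized"}, []
    try:
        events = json.loads(body)
    except ValueError:
        events = None
    if not isinstance(events, list) or not events or not all(isinstance(e, dict) for e in events):
        return 400, {"status": "bad_request"}, []
    first = events[0]
    if first.get("eventType") == VALIDATION_TYPE:
        # Handshake: echo the validationCode from the first event and stop.
        data = first.get("data")
        code = data.get("validationCode") if isinstance(data, dict) else None
        if not isinstance(code, str):
            return 400, {"status": "bad_request"}, []
        return 200, {"validationResponse": code}, []
    allowed = parse_allowlist(cfg.get("allowed_topics", ""))
    handlers = json.loads(cfg.get("handler_map", "{}"))
    dispatched = []
    for ev in events:
        # Empty allowlist accepts all topics (as documented). Whole-element membership
        # avoids the partial matches a substring test on the raw string would allow.
        if allowed and str(ev.get("topic", "")).lower() not in allowed:
            continue
        dispatched.append((ev.get("id"), handlers.get(str(ev.get("eventType")), "default")))
    ack = {"status": "accepted", "correlationId": str(uuid.uuid4()), "eventCount": len(events)}
    return 200, ack, dispatched
```

Event `a2` carries a topic that is a prefix of the allowed scope; it is skipped here, whereas a substring test against the raw comma-separated string would have accepted it.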
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01 Detect validation event
True when Event Grid sends the one-time validation handshake.
EXPR.02 Validation code echo
Echoed back as validationResponse to complete the handshake.
EXPR.03 Resolve handler
Maps the eventType to a downstream handler, defaulting to default.