This chapter covers Event Grid Domains and Topics, a critical feature for managing event routing at scale in Azure. Event Grid Domains allow you to group thousands of related topics under a single endpoint, simplifying event publishing and authorization. On the AZ-204 exam, this topic appears in roughly 5-8% of questions, often in scenario-based questions about multi-tenant applications or large-scale event-driven architectures. Mastering domains and topics will help you design scalable, secure eventing solutions that meet exam objectives for integration and event handling.
Jump to a section
Think of Event Grid as a corporate mailroom. In a small office, all mail goes to one bin and anyone can pick through it. But as the company grows, this becomes chaos. Event Grid Domains are like adding a mailroom with 100 labeled slots — one per department. Each slot has its own sorter (topic) and a log of who gets what. A sender (publisher) drops a package (event) into the mailroom, but instead of tossing it into a general bin, they write the department name on it (topic). The mailroom clerk (domain endpoint) reads the label and places the package in that department’s slot. Each slot has a list of recipients (subscribers) — for example, the HR slot might notify payroll, benefits, and recruiting. The mailroom also enforces rules: only authorized senders can use certain slots (topic-level authentication), and each slot can have its own access policy (role-based access control). If a sender tries to drop a package into a slot they don’t have permission for, the clerk rejects it. This way, the mailroom scales from a single bin to hundreds of organized slots, each with its own subscribers, without anyone having to sort through everything. The domain provides a single endpoint for all senders, but internally routes each event to the correct topic and then to the correct subscribers. This is exactly how Event Grid Domains work: a single publishing endpoint with multiple topics, each topic having its own set of subscribers and authorization rules.
What Are Event Grid Domains and Topics?
Event Grid is Azure's fully managed event routing service that uses a publish-subscribe model. A topic is an endpoint where publishers send events. Event Grid supports three types of topics: system topics (Azure service events), custom topics (user-defined), and partner topics (third-party SaaS). An Event Grid Domain is a management construct that groups multiple topics (called domain topics) under a single endpoint. The domain provides a shared publishing endpoint (e.g., https://mydomain.westus-1.eventgrid.azure.net/api/events) and allows you to manage authorization, authentication, and routing for all topics within it. This is especially useful for multi-tenant applications where each tenant gets its own topic, but you want a single place to manage event ingress and security.
Why Domains Exist
Without domains, each custom topic gets its own endpoint. For a multi-tenant app with 1,000 tenants, you'd need 1,000 separate endpoints, each with its own keys or tokens. This becomes unmanageable. Domains solve this by providing a single endpoint for all tenants. The publisher includes a topic field in each event to specify which domain topic the event belongs to. The domain then routes the event to the correct topic and subsequently to subscribers of that topic. This drastically simplifies client configuration and centralizes security.
How It Works Internally
Publishing: A publisher sends an HTTP POST request to the domain endpoint with a JSON array of events. Each event object must include a topic property specifying the domain topic name. For example:
[
{
"topic": "orders",
"subject": "new-order/123",
"eventType": "order.created",
"eventTime": "2025-03-15T10:00:00Z",
"id": "guid",
"data": { ... }
}
]Authentication: The request must include either an SAS key (in header aeg-sas-key) or a JWT token (in header aeg-sas-token). The domain validates the credential. If the credential is valid, the domain checks if the publisher has permission to publish to the specified topic. This is controlled by topic-level authentication — you can assign a separate SAS key per domain topic or use a domain-wide key with a topic filter.
Routing: The domain reads the topic field from each event. It looks up the domain topic by name. If the topic exists and the publisher is authorized, the event is placed into the topic's internal queue. If the topic does not exist, the domain returns an HTTP 400 error.
Subscriber Delivery: Each domain topic can have multiple event subscriptions (subscribers). Subscribers can be Azure Functions, WebHooks, Service Bus queues/topics, Storage Queues, Hybrid Connections, or other Event Grid topics. The domain delivers events to each subscriber according to the subscription's filter and retry policy. The delivery is done via HTTPS POST (or AMQP for Service Bus). The domain expects an HTTP 200 OK response within 30 seconds (default timeout). If not, it retries with exponential backoff (up to 30 times over 24 hours).
Dead-Lettering: If delivery fails after all retries, the event can be sent to a dead-letter storage blob container. This is configured at the subscription level.
Key Components and Defaults
Domain Topics: Up to 100,000 domain topics per domain. Each domain topic is a logical entity; it does not have its own endpoint. The topic name must be 3-50 characters, alphanumeric and hyphens.
Domain Endpoint: The single HTTPS endpoint for all publishing.
Authentication: SAS keys (primary and secondary) at domain level, plus optional SAS keys per topic. Also supports Azure AD authentication (managed identity).
Authorization: Role-based access control (RBAC) with built-in roles like EventGrid EventSubscription Contributor and EventGrid Data Sender. For domain topics, you can use Azure AD to restrict which identities can publish to specific topics.
Retry Policy: Exponential backoff with 30-second initial timeout. Max retries: 30. Max event time to live: 24 hours.
Dead-Letter: Maximum 5 attempts before dead-lettering (configurable).
Event Schema: Event Grid event schema (default) or CloudEvents v1.0 schema.
Input Schema: When publishing to a domain, you must use the Event Grid schema (not CloudEvents) because the topic field is required. However, the domain can output events in CloudEvents schema to subscribers if configured.
Filtering: Subscribers can filter by event type, subject, and data fields. For domain topics, filtering is per subscription.
Throughput: Up to 5,000 events per second per domain (soft limit, can be increased by support).
Configuration and Verification
To create a domain using Azure CLI:
az eventgrid domain create \
--name mydomain \
--resource-group myrg \
--location westus \
--input-schema eventgridschema \
--sku BasicTo add a domain topic:
az eventgrid domain topic create \
--domain-name mydomain \
--name orders \
--resource-group myrgTo subscribe to a domain topic:
az eventgrid event-subscription create \
--source-resource-id /subscriptions/.../resourceGroups/.../providers/Microsoft.EventGrid/domains/mydomain/topics/orders \
--name orders-sub \
--endpoint https://myfunction.azurewebsites.net/api/orders \
--endpoint-type webhookTo publish an event to the domain:
az eventgrid domain topic event publish \
--domain-name mydomain \
--topic-name orders \
--resource-group myrg \
--events '[{"topic":"orders","subject":"new-order/123","eventType":"order.created","eventTime":"2025-03-15T10:00:00Z","id":"guid","data":{"orderId":"123"}}]'Verification: Check the subscription's delivery status via Azure Monitor metrics like MatchedEventCount, DeliverySuccessCount, and DeadLetteredCount.
Interaction with Related Technologies
Azure Functions: Most common subscriber. The function receives the event as JSON payload. Use Event Grid trigger for functions.
Service Bus: Can be a subscriber. Events are sent to a queue or topic. Useful for reliable queuing.
Storage Queues: Another subscriber option for simple queueing.
Logic Apps: Can subscribe to domain topics via connector.
Azure AD: For fine-grained access control, use managed identity and RBAC to allow only specific apps to publish to certain domain topics.
Private Endpoints: Domains support private endpoints for secure ingress from VNets. Subscribers can also use private endpoints.
Advanced: Topic-Level Authentication
By default, the domain SAS key allows publishing to any topic within the domain. To restrict, you can generate a SAS key per topic:
az eventgrid domain topic key regenerate \
--domain-name mydomain \
--topic-name orders \
--resource-group myrg \
--key-name key1Then provide that key to the tenant. The domain will validate that the key matches the topic. This is crucial for multi-tenant isolation.
Limits and Quotas
Domain topics: 100,000 per domain
Event subscriptions per topic: 500
Event subscriptions per domain: 500,000
Event size: 1 MB per event (per event, not batch)
Batch size: up to 1 MB per request, up to 5,000 events per batch
Ingress per domain: 5,000 events/second (default)
Egress per domain: 5,000 events/second (default)
Retry: 30 times, exponential backoff, max 24 hours
Common Exam Scenarios
Multi-tenant SaaS: Use a domain with one topic per tenant. Each tenant gets a SAS key scoped to their topic. The domain endpoint is shared. This simplifies client configuration.
Event filtering by tenant: Subscribers can filter by subject pattern (e.g., /tenants/{tenantId}/...) to receive only relevant events.
Cross-region routing: Domains are regional. For global scenarios, use domain with multiple topics and forward events to topics in other regions via custom logic.
Compliance: Use domain topic-level authentication to ensure tenant isolation. Dead-letter for failed deliveries.
Trap Patterns on the Exam
Confusing domain topics with custom topics: A domain topic is not a separate endpoint; it's a logical grouping within a domain. The exam may ask how to route events to specific tenants — the answer is to use a domain with topic-level keys.
Assuming CloudEvents schema for publishing to domain: The domain input schema must be Event Grid schema because the topic field is required. CloudEvents schema does not have a topic field. However, subscribers can receive CloudEvents.
Forgetting retry policy: The exam may test the default retry count (30) and time-to-live (24 hours). Also, dead-letter is configured at subscription level, not topic level.
Thinking domains are for high availability: Domains are regional. For HA, you need multiple domains in different regions with custom failover logic.
Create an Event Grid Domain
Use Azure portal, CLI, or PowerShell to create a domain resource. Specify name, region, and input schema (must be Event Grid schema for publishing). The domain gets a unique HTTPS endpoint. This step sets up the container for all topics. Consider resource group organization and RBAC for domain management.
Create Domain Topics
Within the domain, create domain topics. Each topic represents a logical channel (e.g., per tenant). Up to 100,000 topics per domain. Topics are created via CLI or ARM template. They do not have separate endpoints; they are identified by name. Ensure naming conventions align with tenant IDs or event categories.
Configure Subscriptions per Topic
For each domain topic, create one or more event subscriptions. Each subscription defines a filter (event type, subject, data) and a destination endpoint (e.g., Azure Function, WebHook, Service Bus). Also configure retry policy and dead-letter settings. Subscriptions are independent per topic.
Configure Authentication and Authorization
Generate SAS keys at domain level or per topic. For fine-grained control, use Azure AD with RBAC. Assign the 'EventGrid Data Sender' role to publishers scoped to the domain or specific topic. This ensures only authorized publishers can send to specific topics. Use managed identities for Azure resources.
Publish Events to Domain Endpoint
Publishers send HTTP POST to the domain endpoint with a JSON array of events. Each event must include the 'topic' property set to the domain topic name. The request must include authentication (SAS key or token). The domain validates and routes each event to the correct topic. Events are then delivered to all matching subscriptions.
Enterprise Scenario 1: Multi-Tenant E-Commerce Platform
A SaaS company provides an e-commerce platform to hundreds of retailers. Each retailer is a tenant. The platform emits events like order.created, payment.processed, and shipment.tracked. Using Event Grid Domains, they create one domain topic per tenant (e.g., 'retailer-123', 'retailer-456'). The domain endpoint is used by all tenant services. Each tenant's backend service subscribes to its own topic. Authentication: each tenant receives a SAS key scoped to their topic. This ensures Tenant A cannot publish to Tenant B's topic. In production, the domain handles 10,000 events/second across 2,000 topics. They monitor delivery failures via Azure Monitor and dead-letter storage for troubleshooting. Misconfiguration: If the SAS key is not scoped per topic, a compromised key could allow cross-tenant publishing. Solution: always generate per-topic keys.
Enterprise Scenario 2: Internal Event Bus for Microservices
A large enterprise uses microservices that need to communicate asynchronously. They create an Event Grid Domain with topics per service (e.g., 'inventory', 'shipping', 'billing'). Each service publishes events to its topic. Other services subscribe to relevant topics. The domain provides a single endpoint, simplifying network configuration. They use Azure AD authentication with managed identities for services running on Azure Kubernetes Service (AKS). This eliminates SAS key management. Scale: 50 topics, 500 events/second. Common issue: subscribers not acknowledging events within 30 seconds, causing retries and duplicate processing. Solution: Ensure subscriber processing is fast or use idempotent handlers.
Enterprise Scenario 3: IoT Telemetry with Tenant Isolation
An IoT solution collects telemetry from devices across multiple customers. Each customer is a tenant. Devices publish to a domain topic named after the tenant. The domain endpoint is used by all devices. Each tenant's analytics service subscribes to its topic. Domain topic-level authentication ensures device credentials are scoped. Dead-lettering captures failed events for replay. Misconfiguration: If the domain is deleted accidentally, all topics and subscriptions are lost. Mitigation: use resource locks and backups of domain configuration via ARM templates.
What AZ-204 Tests
Objective 5.3: Implement event handling. Specifically, the exam tests your ability to design and configure Event Grid domains for multi-tenant scenarios. You need to know:
How to create a domain and domain topics.
How to configure topic-level authentication using SAS keys or Azure AD.
The difference between a custom topic and a domain topic.
The required schema for publishing to a domain (Event Grid schema with 'topic' field).
Retry policy defaults: 30 retries, 24-hour TTL, exponential backoff.
Dead-letter configuration at subscription level.
Limits: 100,000 topics per domain, 500 subscriptions per topic, 5,000 events/second ingress.
Common Wrong Answers
Using CloudEvents schema for publishing to domain: Candidates think CloudEvents is always allowed, but the domain input schema must include 'topic', which CloudEvents lacks. The exam may present a scenario where the publisher uses CloudEvents and fails. The correct answer is to use Event Grid schema.
Creating separate custom topics instead of domain topics for multi-tenant: Candidates may create 100 custom topics, each with its own endpoint. This is management overhead. The exam expects you to recognize that domains simplify this.
Setting dead-letter at domain level: Dead-letter is configured per subscription, not per topic or domain. The exam may ask where to configure dead-letter; answer: subscription.
Assuming domain topics have separate endpoints: Domain topics do not have their own endpoints; the domain endpoint is shared. The exam may ask how to route events to different tenants; answer: include 'topic' in the event payload.
Specific Numbers and Terms to Memorize
Domain topics: up to 100,000
Subscriptions per topic: up to 500
Retry: 30 times, 24 hours TTL
Event size: 1 MB
Batch: up to 5,000 events or 1 MB
Ingress/egress: 5,000 events/second (default)
Required field in event: 'topic'
Authentication headers: aeg-sas-key, aeg-sas-token
Edge Cases
Publishing to a non-existent topic returns 400 Bad Request.
If the domain is in a different region than the subscriber, cross-region latency can cause timeouts.
Domain topics are not automatically created upon first publish; they must be created explicitly.
SAS keys can be regenerated; this breaks existing publishers until they update their keys.
How to Eliminate Wrong Answers
If a question involves multiple tenants, look for 'domain' as the answer. If the scenario mentions a single endpoint for many publishers, it's likely a domain.
If the question mentions 'topic' in the event payload, it's a domain.
If the question asks about per-tenant security, look for 'topic-level SAS key' or 'Azure AD role assignment scoped to topic'.
If the question involves CloudEvents, check if publishing to domain — if so, the answer is that CloudEvents is not supported for input; use Event Grid schema.
Event Grid Domains provide a single publishing endpoint for multiple topics, simplifying multi-tenant event routing.
Domain topics require the 'topic' field in the Event Grid schema; CloudEvents input is not supported.
Topic-level authentication uses per-topic SAS keys or Azure AD roles scoped to the topic.
Default retry: 30 attempts over 24 hours with exponential backoff; dead-letter per subscription.
Maximum 100,000 domain topics per domain, 500 subscriptions per topic, 5,000 events/second ingress.
Domains are regional; for cross-region HA, use multiple domains with custom forwarding.
Domain topics must be created explicitly before publishing; publishing to a non-existent topic returns 400.
Dead-letter configuration is at the subscription level, not topic or domain level.
These come up on the exam all the time. Here's how to tell them apart.
Event Grid Custom Topic
Has its own dedicated HTTPS endpoint.
No built-in multi-tenant isolation; each topic needs separate keys.
Publishing endpoint is unique per topic.
Best for single-tenant or simple event routing.
No limit on number of custom topics (but each has overhead).
Event Grid Domain Topic
Shares the domain's single endpoint.
Supports topic-level authentication for per-tenant isolation.
Publisher includes 'topic' field in event payload to specify target.
Ideal for multi-tenant scenarios with many logical topics.
Up to 100,000 domain topics per domain.
Mistake
Event Grid Domains provide high availability across regions.
Correct
Domains are regional resources. They do not automatically replicate events across regions. For cross-region HA, you must implement custom replication using multiple domains and forwarding logic.
Mistake
Domain topics are just custom topics with a different name.
Correct
Domain topics are not separate endpoints; they are logical entities within a domain. Custom topics have their own endpoints and can be used independently. Domain topics share the domain's endpoint.
Mistake
You can publish CloudEvents directly to a domain.
Correct
The domain input schema must be Event Grid schema because the 'topic' field is required. CloudEvents v1.0 does not have a standard 'topic' field, so you cannot use CloudEvents for publishing. However, subscribers can receive events in CloudEvents format if the domain is configured for it.
Mistake
Dead-lettering is configured at the topic level.
Correct
Dead-lettering is configured per event subscription, not per topic. Each subscription can have its own dead-letter destination (storage blob container). The topic itself has no dead-letter setting.
Mistake
Domain topic names are case-insensitive.
Correct
Domain topic names are case-sensitive. 'Orders' and 'orders' are different topics. The 'topic' field in the event must match exactly.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A custom topic has its own endpoint and is independent. A domain topic is a logical topic within a domain; it shares the domain's endpoint and requires the 'topic' field in the event payload to route. Domain topics are designed for multi-tenant scenarios where you need a single ingress point with per-topic isolation.
No. The domain input schema must be the Event Grid schema because the event must include a 'topic' field. CloudEvents v1.0 does not have a standard 'topic' field. However, you can configure the domain to deliver events to subscribers in CloudEvents format.
You can generate a SAS key scoped to that topic using the Azure CLI or portal. Alternatively, use Azure AD authentication and assign the 'EventGrid Data Sender' role at the topic scope. This ensures the publisher can only publish to that topic.
The domain returns an HTTP 400 Bad Request error. Domain topics must be created before publishing. They are not auto-created.
Up to 100,000 domain topics per domain. This is a hard limit. Each topic can have up to 500 event subscriptions.
Yes. Event Grid Domains support Azure Private Link. You can create a private endpoint for the domain to restrict ingress traffic to a virtual network. Subscribers can also use private endpoints.
The default retry policy uses exponential backoff with an initial timeout of 30 seconds. Up to 30 retry attempts are made over a period of 24 hours. Dead-lettering can be configured after a specified number of failed delivery attempts (default 5).
You've just covered Event Grid Domains and Topics — now see how well it sticks with free AZ-204 practice questions. Full explanations included, no account needed.
Done with this chapter?