As Sampath said, I have to set up webhooks to get this to work. I needed a whole day to get this to work with the authentication, but eventually the key settings were:
- The app registration being used in the EventGrid subscription (in the Event Subscription settings: Additional Features > Microsoft Entra Auth) needs to be a different app registration than the one used for authentication in the Azure Function App settings
- Microsoft Identity provider in the Function App Authentication Settings should be configured with:
  - Allowed token audiences = App Id used in the EventGrid Subscription (see first bullet point)
  - Client application requirement = Allow requests from specific client applications
    - App Id for the identity provider itself (to be found on the same page)
    - 4962773b-9cdb-44cf-a8bf-237846a00ab7 (= Microsoft.EventGrid Enterprise Application App Id, don't change this - this was missing from the Microsoft example scripts to be found here)
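As an added example (not part of the answer above or of any Microsoft sample), a defence-in-depth check inside the function that mirrors the two settings: it decodes the X-MS-CLIENT-PRINCIPAL header that App Service authentication forwards after it has validated the token, then confirms the aud claim equals the app ID used in the Event Grid subscription and the caller app ID is the Microsoft.EventGrid application. The subscription app ID and the header fixture are constructed placeholders.

```python
import base64
import json

# App ID of the app registration chosen in the Event Grid subscription
# (Additional Features > Microsoft Entra Auth). Placeholder, not a real value.
SUBSCRIPTION_APP_ID = "00000000-0000-0000-0000-00000000aaaa"
# First-party Microsoft.EventGrid enterprise application, as quoted in the answer.
EVENTGRID_APP_ID = "4962773b-9cdb-44cf-a8bf-237846a00ab7"


def parse_client_principal(header_value):
    """Decode the base64 JSON App Service auth places in X-MS-CLIENT-PRINCIPAL
    and return its claims as a {type: value} dict (first value per type).
    Padding is re-added in case the platform strips it (assumption)."""
    padded = header_value + "=" * (-len(header_value) % 4)
    principal = json.loads(base64.b64decode(padded))
    claims = {}
    for claim in principal.get("claims", []):
        claims.setdefault(claim["typ"], claim["val"])
    return claims


def is_eventgrid_caller(claims, subscription_app_id=SUBSCRIPTION_APP_ID):
    """Accept only tokens issued for our subscription app ID ('Allowed token
    audiences') and presented by Event Grid itself ('Allowed client
    applications'). Signature, issuer and expiry were already verified by
    Easy Auth before the header was set; this re-checks just the two IDs."""
    audience_ok = claims.get("aud") == subscription_app_id
    # v1 access tokens carry the calling app in 'appid'; v2 tokens use 'azp'.
    caller = claims.get("appid") or claims.get("azp")
    return audience_ok and caller == EVENTGRID_APP_ID


def make_principal_header(aud, appid):
    """Build a constructed header value for local testing only."""
    principal = {"auth_typ": "aad", "name_typ": "name", "role_typ": "roles",
                 "claims": [{"typ": "aud", "val": aud},
                            {"typ": "appid", "val": appid}]}
    return base64.b64encode(json.dumps(principal).encode()).decode()


def check_request(headers):
    """Return True only when the request may be handled as an Event Grid delivery."""
    header_value = headers.get("X-MS-CLIENT-PRINCIPAL")
    if not header_value:
        return False  # Easy Auth did not authenticate the caller at all
    return is_eventgrid_caller(parse_client_principal(header_value))
```

A token whose audience is the function's own app registration, or one presented by any app other than Microsoft.EventGrid, is rejected, which is exactly the misconfiguration the first bullet warns about.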