Background
I'm trying to create a graph subscription that will send notifications to my event grid that I have created in Azure. I want to track any changes to Entra Groups.
I've been trying to follow the documentation here: https://learn.microsoft.com/en-ca/azure/event-grid/subscribe-to-partner-events#high-level-steps and here: https://learn.microsoft.com/en-ca/azure/event-grid/subscribe-to-graph-api-events?WT.mc_id=Portal-Microsoft_Azure_EventGrid&tabs=http&tryIt=true&source=docs#code-try-9
Problem
I'm using Graph Explorer to create the subscription request. I'm getting a 400 Invalid Request: "Specified Resource is not supported for MSA requests".
Here's a screenshot showing what's happening in graph:
Here's a screenshot showing that I do have EventGrid enabled for my subscription:
And lastly, this shows you that I have added GraphAPI as a partner, and associated with the right resource group:
Questions/Additional Comments
Why am I getting this error? I've tried to follow all the steps outlined in the documentation. The expectation is that this subscription request will create the topic I have requested in the subscription.
I have tried both the 1.0 version and the beta Graph subscription API. I get the same error message.
I actually want to subscribe to group changes, so I originally had "groups" as the resource type in the POST request. But when I tried it, it returned
"error": { "code": "InternalServerError", "message": "Unable to find target address"
So that's when I just tried the sample POST in the docs for "users".
Any suggestions or tips would be appreciated.
Edit 1
I've tried to add permissions to a specific user like this:
And then when I sign in to MS Graph with that user account and retry, this is what I get:
Edit 2
When I sign into graph with the new user I created, I see this:
In order to consent, it prompts me to sign in as an admin, which I do. I go through the entire list, and I grant consent to everything I think I need:
And I do it for the Users and Groups categories as well. But once I'm done, I'm noticing that I'm now signed into Graph with the admin account instead of the new user1.mydomain.onmicrosoft.com.
When I sign out and sign back into graph with the correct account, the consent prompt is still there.
EDIT 3
Additional artifacts that might be related to my issue:
When I sign into Graph using the new user, I see this notice:
I go through the prompts and set up Authenticator, and then I end up with this:
Lastly, in case it helps, I've tried to add the permissions using the Entra Admin Center for this new user, but I can't find User.Read.All. I'm pretty new to the Azure platform, so I imagine I'm not in the right spot. But here's what I've tried:
The error occurs if you are trying to create an MS Graph subscription by signing in to Graph Explorer with a personal Microsoft account.
I created one Partner configuration for the Sri resource group by authorizing Microsoft Graph API to create resources like this:
Initially, I too got the same error when I tried to create an MS Graph subscription by signing in with a personal Microsoft account like Outlook, as below:
To resolve the error, sign in with a tenant admin user account ending with .onmicrosoft.com
and make sure to grant either User.Read.All or Group.Read.All permission based on the resource type.
In my case, I logged in with a tenant user account with User.Read.All permission and created the subscription successfully for the users resource like this:
POST https://graph.microsoft.com/beta/subscriptions
{
"changeType": "Updated, Deleted, Created",
"notificationUrl": "EventGrid: ?azuresubscriptionid=subId&resourcegroup=Sri&partnertopic=EntraGroupChanges&location=eastus",
"lifecycleNotificationUrl": "EventGrid: ?azuresubscriptionid=subId&resourcegroup=Sri&partnertopic=EntraGroupChanges&location=eastus",
"resource": "users",
"expirationDateTime": "2024-11-08T00:00:00Z",
"clientState": "secretClientValue"
}
Response:
To create an MS Graph subscription for the groups resource, make sure to grant Group.Read.All permission and set the "resource" value to groups, as below:
POST https://graph.microsoft.com/beta/subscriptions
{
"changeType": "Updated, Deleted, Created",
"notificationUrl": "EventGrid: ?azuresubscriptionid=subId&resourcegroup=Sri&partnertopic=EntraGroupChanges&location=eastus",
"lifecycleNotificationUrl": "EventGrid: ?azuresubscriptionid=subId&resourcegroup=Sri&partnertopic=EntraGroupChanges&location=eastus",
"resource": "groups",
"expirationDateTime": "2024-11-08T00:00:00Z",
"clientState": "secretClientValue"
}
Response:
When I checked the same in the Portal, the Partner Topic was created successfully, as below:
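The request from the answer above, as an added Python example (not code from the question, the answer, or Microsoft): it builds the EventGrid-style notificationUrl from its parts, maps the resource type to the permission the answer names, generates a random clientState instead of the fixed "secretClientValue", and checks that clientState on inbound change notifications so a receiver only trusts notifications for subscriptions it created. The Azure subscription id, resource group and topic name are placeholders.

```python
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

GRAPH_SUBSCRIPTIONS_URL = "https://graph.microsoft.com/beta/subscriptions"

# Resource type -> the Graph permission the answer says must be granted for it.
REQUIRED_PERMISSION = {"users": "User.Read.All", "groups": "Group.Read.All"}


def event_grid_notification_url(azure_subscription_id, resource_group, partner_topic, location):
    """Build the 'EventGrid:' sink URL in the form shown in the answer."""
    query = urlencode({
        "azuresubscriptionid": azure_subscription_id,
        "resourcegroup": resource_group,
        "partnertopic": partner_topic,
        "location": location,
    })
    return f"EventGrid: ?{query}"


def build_subscription_request(resource, azure_subscription_id, resource_group,
                               partner_topic, location, lifetime_hours=24, client_state=None):
    """Return the POST to send to Graph plus the permission it needs (hypothetical helper)."""
    if resource not in REQUIRED_PERMISSION:
        raise ValueError(f"unsupported resource {resource!r}; expected one of {sorted(REQUIRED_PERMISSION)}")
    sink = event_grid_notification_url(azure_subscription_id, resource_group, partner_topic, location)
    # A fresh random secret: Graph echoes clientState in every notification, so the
    # receiver can reject notifications that do not carry it (max 128 chars).
    state = client_state or secrets.token_urlsafe(32)
    expires = datetime.now(timezone.utc) + timedelta(hours=lifetime_hours)
    body = {
        "changeType": "Updated, Deleted, Created",
        "notificationUrl": sink,
        "lifecycleNotificationUrl": sink,
        "resource": resource,
        "expirationDateTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "clientState": state,
    }
    return {"method": "POST", "url": GRAPH_SUBSCRIPTIONS_URL,
            "required_permission": REQUIRED_PERMISSION[resource], "body": body}


def notification_is_trusted(expected_state, notification):
    """True only if every item in a Graph change notification carries our clientState."""
    items = notification.get("value", [])
    if not items:
        return False
    return all(hmac.compare_digest(str(item.get("clientState", "")), expected_state) for item in items)
```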