Tags: azure, microsoft-graph-api, azure-eventgrid, graph-explorer

MS Graph Subscription for Event Grid is failing with 400 Invalid Request


Background

I'm trying to create a graph subscription that will send notifications to my event grid that I have created in Azure. I want to track any changes to Entra Groups.

I've been trying to following the documentation here: https://learn.microsoft.com/en-ca/azure/event-grid/subscribe-to-partner-events#high-level-steps and here: https://learn.microsoft.com/en-ca/azure/event-grid/subscribe-to-graph-api-events?WT.mc_id=Portal-Microsoft_Azure_EventGrid&tabs=http&tryIt=true&source=docs#code-try-9

Problem

I'm using Graph Explorer to create the subscription request. I'm getting a 400 Invalid Request - "Specified Resource is not supported for MSA requests".
Here's a screenshot showing what's happening in graph:


Here's a screenshot showing that I do have EventGrid enabled for my subscription:


And lastly, this shows you that I have added GraphAPI as a partner and associated it with the right resource group:

Questions/Additional Comments

  1. Why am I getting this error? I've tried to follow all the steps outlined in the documentation. The expectation is that this subscription request will create the topic I have requested in the subscription.

  2. I have tried both the 1.0 version and the beta Graph subscription API. I get the same error message.

  3. I actually want to subscribe to group changes, so I originally had "groups" as the resource type in the POST request. But when I tried it, it returned

    "error": { "code": "InternalServerError", "message": "Unable to find target address"

So that's when I just tried the sample POST in the docs for "users".

Any suggestions or tips would be appreciated.

Edit 1

I've tried to add permissions to a specific user like this:

And then when i sign in to MS Graph with that user account and retry this is what I get:


Edit 2

When I sign into graph with the new user I created, I see this:


In order to consent, it prompts me to sign in as an admin, which I do. I go through the entire list, and I grant consent to everything I think I need:


And I do it for the Users and Groups categories as well. But once I'm done, I'm noticing that I'm now signed into Graph with the admin account instead of the new user1.mydomain.onmicrosoft.com.

When I sign out and sign back into graph with the correct account, the consent prompt is still there.

EDIT 3

Additional artifacts that might be related to my issue:

When I sign into Graph using the new user, I see this notice:

I go through the prompts and set up Authenticator, and then I end up with this:

Lastly, in case it helps, I've tried to add the permissions using the Entra Admin Center for this new user but I can't find user.read.all. I'm pretty new to the Azure Platform so I imagine I'm not in the right spot. But here's what I've tried:



Solution

  • The error occurs if you try to create an MS Graph subscription after signing in to Graph Explorer with a personal Microsoft account.

    I created one Partner configuration for the Sri resource group by authorizing Microsoft Graph API to create resources, like this:


    Initially, I too got the same error when I tried to create the MS Graph subscription after signing in with a personal Microsoft account (Outlook), as below:


    To resolve the error, sign in with a tenant admin user account ending in .onmicrosoft.com and make sure to grant either the User.Read.All or the Group.Read.All permission, depending on the resource type.

    In my case, I logged in with a tenant user account that had the User.Read.All permission and created the subscription successfully for the users resource, like this:

    POST https://graph.microsoft.com/beta/subscriptions
    {
    "changeType": "Updated, Deleted, Created",
    "notificationUrl": "EventGrid: ?azuresubscriptionid=subId&resourcegroup=Sri&partnertopic=EntraGroupChanges&location=eastus",
    "lifecycleNotificationUrl": "EventGrid: ?azuresubscriptionid=subId&resourcegroup=Sri&partnertopic=EntraGroupChanges&location=eastus",
    "resource": "users",
    "expirationDateTime": "2024-11-08T00:00:00Z",
    "clientState": "secretClientValue"
    }
    

    Response:


    To create an MS Graph subscription for the groups resource, make sure to grant the Group.Read.All permission and set the "resource" value to groups, as below:

    POST https://graph.microsoft.com/beta/subscriptions
    {
    "changeType": "Updated, Deleted, Created",
    "notificationUrl": "EventGrid: ?azuresubscriptionid=subId&resourcegroup=Sri&partnertopic=EntraGroupChanges&location=eastus",
    "lifecycleNotificationUrl": "EventGrid: ?azuresubscriptionid=subId&resourcegroup=Sri&partnertopic=EntraGroupChanges&location=eastus",
    "resource": "groups",
    "expirationDateTime": "2024-11-08T00:00:00Z",
    "clientState": "secretClientValue"
    }
    

    Response:


    When I checked the same in the Portal, the Partner Topic had been created successfully, as below:

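As an added example (not part of the question or the answer above), here is a small Python script that builds the same request body programmatically and rejects, before anything is sent, the inputs Graph itself would reject: an unsupported resource, an unknown changeType, an expirationDateTime beyond the 41,760-minute cap that applies to directory resources such as users and groups, and a clientState longer than 128 characters. It also shows why clientState is worth setting to a random value: Graph echoes it in every notification, so the receiver can compare it in constant time and drop events that did not come from its own subscription. The notificationUrl format is the one used in the answer, written without the space after the colon; the subscription id, resource group, topic name and region are placeholders; the shape of the Event Grid event data (a dict carrying the Graph notification's clientState) and the helper names are assumptions of this example.

```python
"""Build and sanity-check a Microsoft Graph change-notification subscription
that delivers to an Azure Event Grid partner topic.

Example code written for this page; not the question's or the answer's code.
Assumed: the "EventGrid:?..." notificationUrl format from the answer, the
41,760-minute lifetime cap for directory resources, and the helper names below.
"""
import hmac
import json
import secrets
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

GRAPH_SUBSCRIPTIONS = "https://graph.microsoft.com/v1.0/subscriptions"

# Longest lifetime Graph allows for directory resources such as users and groups
# (41,760 minutes, just under 29 days); a later expirationDateTime is rejected.
MAX_DIRECTORY_LIFETIME = timedelta(minutes=41760)

# Least-privilege permission to request for each resource type, as the answer notes.
REQUIRED_PERMISSION = {"users": "User.Read.All", "groups": "Group.Read.All"}
VALID_CHANGE_TYPES = {"created", "updated", "deleted"}


def utc(*args):
    """Timezone-aware UTC datetime from (year, month, day[, hour, minute, second])."""
    return datetime(*args, tzinfo=timezone.utc)


def event_grid_notification_url(azure_subscription_id, resource_group, partner_topic, location):
    """Build the special notificationUrl that routes notifications to an Event Grid
    partner topic instead of a webhook (format taken from the answer above)."""
    query = urlencode({
        "azuresubscriptionid": azure_subscription_id,
        "resourcegroup": resource_group,
        "partnertopic": partner_topic,
        "location": location,
    })
    return "EventGrid:?" + query


def new_client_state():
    """Random, unguessable clientState (43 chars, within Graph's 128-char limit).
    Graph echoes it in every notification so the receiver can reject forged events."""
    return secrets.token_urlsafe(32)


def build_subscription(resource, change_types, notification_url, expires_at, client_state, now=None):
    """Return the JSON body for POST /subscriptions, refusing inputs Graph would reject."""
    if resource not in REQUIRED_PERMISSION:
        raise ValueError(f"unsupported resource {resource!r}; expected one of {sorted(REQUIRED_PERMISSION)}")
    unknown = set(change_types) - VALID_CHANGE_TYPES
    if unknown:
        raise ValueError(f"unknown changeType value(s): {sorted(unknown)}")
    now = now or datetime.now(timezone.utc)
    if expires_at <= now or expires_at - now > MAX_DIRECTORY_LIFETIME:
        raise ValueError("expirationDateTime must be in the future and within 41,760 minutes")
    if not client_state or len(client_state) > 128:
        raise ValueError("clientState must be 1..128 characters")
    return {
        "changeType": ",".join(sorted(change_types)),
        "notificationUrl": notification_url,
        # Lifecycle events (reauthorizationRequired, subscriptionRemoved) go to the same topic.
        "lifecycleNotificationUrl": notification_url,
        "resource": resource,
        "expirationDateTime": expires_at.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "clientState": client_state,
    }


def post_subscription(body, access_token):
    """Send the request with a work/school (tenant) token. A token for a personal
    Microsoft account yields the 400 'not supported for MSA requests' seen above."""
    req = urllib.request.Request(
        GRAPH_SUBSCRIPTIONS,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def verify_notification(event_data, expected_client_state):
    """Constant-time check of the clientState echoed in a Graph change notification
    (assumed to arrive as the 'data' of the Event Grid event) before trusting it."""
    received = str(event_data.get("clientState", ""))
    return hmac.compare_digest(received.encode(), expected_client_state.encode())


if __name__ == "__main__":
    # Placeholder values; replace with your own subscription id, group, topic and region.
    url = event_grid_notification_url("00000000-0000-0000-0000-000000000000",
                                      "Sri", "EntraGroupChanges", "eastus")
    state = new_client_state()
    body = build_subscription("groups", {"created", "updated", "deleted"}, url,
                              datetime.now(timezone.utc) + timedelta(days=28), state)
    print(json.dumps(body, indent=2))
    print("permission to grant:", REQUIRED_PERMISSION[body["resource"]])
```

Keep the generated clientState alongside the subscription id in whatever consumes the partner topic; any event whose clientState does not match is not from your subscription, whatever else it claims.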