MS Graph Subscription for Event Grid is failing with 400 Invalid Request
Background
I'm trying to create a graph subscription that will send notifications to my event grid that I have created in Azure. I want to track any changes to Entra Groups.
I've been trying to following the documentation here: https://learn.microsoft.com/en-ca/azure/event-grid/subscribe-to-partner-events#high-level-steps and here: https://learn.microsoft.com/en-ca/azure/event-grid/subscribe-to-graph-api-events?WT.mc_id=Portal-Microsoft_Azure_EventGrid&tabs=http&tryIt=true&source=docs#code-try-9
Problem
I'm using Graph Explorer to create the subscription request. I'm getting a 400 Invalid Request - Specified Resource is not supported for MSA requests".
Here's a screenshot showing what's happening in graph:
Here's a screenshot showing that I do have EventGrid enabled for my subscription:
And lastly, this shows you that I have added GraphAPI as a partner, and associated with the right resource group:
Questions/Additional Comments
Why am i getting this error? I've tried to follow all the steps outlined in the documentation. The expectation is that this subscription request will create the topic I have requested in the subscription.
I have tried both the 1.0 version and the beta Graph subscription API. I get the same error message.
I actually want to subscribe to group changes so I originally had "groups" as the resource type in the POST request. But when i tried it returned
"error": { "code": "InternalServerError", "message": "Unable to find target address"
So that's when I just tried the sample POST in the docs for "users".
Any suggestions or tips would be appreciated.
Edit 1
I've tried to add permissions to a specific user like this:
And then when i sign in to MS Graph with that user account and retry this is what I get:
Edit 2
When I sign into graph with the new user I created, I see this:
In order to consent, it prompts me to sign in as ad admin, which I do. I go through the entire list, and I grant consent to everything I think I need:
And i do it for the Users, and Groups category as well. But once I'm done, I'm noticing that I'm now signed into Graph with the admin account instead of the new user1.mydomain.onmicrosoft.com.
When I sign out and sign back into graph with the correct account, the consent prompt is still there.
EDIT 3
Additional artifacts that might be related to my issue:
When I sign into graph using the new user, i see this notice:
I go through the prompts and set up authenicator, and then I end up with this:
Lastly, in case it helps, I've tried to add the permissions using the Entra Admin Center for this new user but I can't find user.read.all. I'm pretty new to the Azure Platform so I imagine I'm not in the right spot. But here's what I've tried:
The error occurs if you are trying to create MS Graph Subscription by signing with personal Microsoft accounts to Graph Explorer.
I created one Partner configuration for Sri resource group by authorizing Microsoft Graph API to create resources like this:
Initially, I too same error when I tried to create MS Graph subscription by signing with personal Microsoft account like Outlook as below:
To resolve the error, sign in with tenant admin user account ending with .onmicrosoft.com and make sure to grant either User.Read.All or Group.Read.All permission based on resource type.
In my case, I logged in with tenant user account with User.Read.All permission and created subscription successfully for users resource like this:
POST https://graph.microsoft.com/beta/subscriptions
{
"changeType": "Updated, Deleted, Created",
"notificationUrl": "EventGrid: ?azuresubscriptionid=subId&resourcegroup=Sri&partnertopic=EntraGroupChanges&location=eastus",
"lifecycleNotificationUrl": "EventGrid: ?azuresubscriptionid=subId&resourcegroup=Sri&partnertopic=EntraGroupChanges&location=eastus",
"resource": "users",
"expirationDateTime": "2024-11-08T00:00:00Z",
"clientState": "secretClientValue"
}
Response:
To create MS Graph Subscription for groups resource, make sure to grant Group.Read.All permissions and "resource" value to groups as below:
POST https://graph.microsoft.com/beta/subscriptions
{
"changeType": "Updated, Deleted, Created",
"notificationUrl": "EventGrid: ?azuresubscriptionid=subId&resourcegroup=Sri&partnertopic=EntraGroupChanges&location=eastus",
"lifecycleNotificationUrl": "EventGrid: ?azuresubscriptionid=subId&resourcegroup=Sri&partnertopic=EntraGroupChanges&location=eastus",
"resource": "groups",
"expirationDateTime": "2024-11-08T00:00:00Z",
"clientState": "secretClientValue"
}
Response:
When I checked the same in Portal, Partner Topic created successfully as below:
- Implementing SSO for Azure AD B2C
- Implementing Microsoft SSO with passport-azure-ad and without msal
- Why must "force_change_password_next_sign_in" be set to false for MS External ID Local Accounts?
- S/MIME Email Sent via Python and Microsoft Graph Works in Gmail but Not in Outlook
- File upload to SharePoint is not working and is not throwing any errors
- Is it possible to manually construct a skiptoken to paginate search results in Microsoft Graph API?
- How to setup Microsoft authentication in a django based project
- Graph JSON response seldom contains raw HTML
- Microsoft Graph API: How to get url for Task in Planner?
- How to Use MS Graph Beta API for Recalling Sent Emails?
- Java - ODataError "The mailbox is either inactive, soft-deleted, or is hosted on-premise."
- How to subscribe to updates to the root drive of a SharePoint Site using Microsoft Graph
- How to assign Entra user User.Read.All and Group.Read.All from Graph Explorer
- How to create event by MS Graph with room as location?
- MS Graph Subscription for Event Grid is failing with 400 Invalid Request
- GraphServiceClient filter issue
- Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell
- Upload drive files via MS Graph API
- how to list ExternalItems from a graph-connector
- Retrieve all Users from all Groups?
- Microsoft Graph SDK v5.61 : Ordering Mail List by Size
- How to access response header in Graph v5.0 SDK?
- Attempting to set DisableCustomAppAuthentication to false for Azure not working from Powershell
- Unable to call Graph API using an on-behalf-of flow from ASP.NET Core Web API
- Access Microsoft Todo List via Rest API
- SharePoint REST API returns invalidRequest apiNotFound when registering Container Type
- Microsoft Graph User last modified field
- How can I call the /servicePrincipals(appId='{appId}') endpoint using the Microsoft Graph .NET SDK?
- Getting two acces tokens using single login prompt for sharpoint api and graph api
- Change the content of a powerpoint using MS add-ins