I'm using Microsoft Graph API to build an integration with OneDrive. Everything has worked well and I have been able to register my App, get a token, navigate the OneDrive items and download files.
I started creating subscriptions to receive notifications from OneDrive when a user does something. This works without any problem when the user signs in with their "personal account", but when they use a "work or school" account I get the following error message:
{
  "error": {
    "code": "ExtensionError",
    "message": "Operation: Create; Exception: [Status Code: Forbidden; Reason: The caller does not have permission to perform the action.]",
    "innerError": {
      "request-id": "ffaf7fae-e0b0-4cd8-b911-bac4c2fb290a",
      "date": "2019-09-18T00:18:40"
    }
  }
}
And this is the call I make to create the subscription:
curl -X POST \
  https://graph.microsoft.com/v1.0/subscriptions \
  -H 'Authorization: Bearer [access_token]' \
  -H 'Content-Type: application/json' \
  -H 'Host: graph.microsoft.com' \
  -d '{
    "resource": "me/drive/root",
    "changeType": "updated",
    "clientState": "[email_Address]",
    "notificationUrl": "https://webhook_url",
    "expirationDateTime": "2019-09-19T04:43:47.6099364+00:00"
  }'
The user has Files.ReadWrite.All permission which, based on the documentation, should be enough.
I had this same problem. The only difference is I am trying to set up a driveItem subscription on a business OneDrive path /users/<id>/drive/root but getting the same error as you on the response.
So, using the same access token, I did a GET /v1.0/users/<id>/drive/root and fetched the driveId of the parent from the response. Then I attempted to create the subscription at /drives/<driveId>/root and it worked. All requests were using the same access token and the previous way used to work for months.
So you might try doing a GET for your /me/drive/root and see if you can set it up with the driveId.
As a bonus, the subscription is now sending web-hooks like I expect.
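The workaround from the answer above, written out as an added Python example (not code from either poster): it reads the drive root, takes `parentReference.driveId` from the response, and creates the subscription on `drives/<driveId>/root` with the same token. The function names and the injectable `call` parameter are hypothetical, and `trusted_notifications` goes one step beyond the answer by comparing the `clientState` echoed in each incoming notification with the value that was registered.

```python
import hmac
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def graph_call(token, method, path, body=None):
    """Send one authenticated request to Microsoft Graph and decode the JSON reply."""
    req = urllib.request.Request(
        f"{GRAPH}/{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def drive_id_from_root(root_item):
    """Pull the drive id out of the parentReference of a drive root item."""
    try:
        return root_item["parentReference"]["driveId"]
    except (KeyError, TypeError):
        raise ValueError("response has no parentReference.driveId") from None

def subscribe_by_drive_id(token, notification_url, client_state, expiration, call=graph_call):
    """GET me/drive/root, then subscribe on drives/<driveId>/root with the same token."""
    root = call(token, "GET", "me/drive/root")
    body = {
        "resource": f"drives/{drive_id_from_root(root)}/root",
        "changeType": "updated",
        "clientState": client_state,
        "notificationUrl": notification_url,
        "expirationDateTime": expiration,
    }
    return call(token, "POST", "subscriptions", body)

def trusted_notifications(payload, client_state):
    """Keep only notifications whose clientState matches the one we registered."""
    expected = client_state.encode()
    return [n for n in payload.get("value", [])
            if hmac.compare_digest(str(n.get("clientState", "")).encode(), expected)]
```

Passing a random secret as `client_state`, rather than a guessable value, is what makes the comparison in `trusted_notifications` meaningful on the webhook side.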