I struggle to make app with ClientCredential auth flow to create subscription on SharePoint List.
Request:
var subscription = new Subscription
{
ChangeType = "updated",
NotificationUrl = "{validNotificationUrl}",
Resource = "sites/root/lists/{listId}",
ExpirationDateTime = DateTime.UtcNow.AddDays(2),
ClientState = "{clientState}"
};
subscription = await _graphClient.Subscriptions.Request().AddAsync(subscription);
Response:
Unauthorized 403
{
"error": {
"code": "ExtensionError",
"message": "Operation: Create; Exception: [Status Code: Forbidden; Reason: Access denied. You do not have permission to perform this action or access this resource.]",
"innerError": {
"date": "2020-08-04T13:01:27",
"request-id": "c480fa5d-4bbd-44a1-9f86-587548a29a19"
}
}
I've checked request access_token, and it has required permissions (Sites.ReadWrite.All, Sites.Manage.All according to documentation should be enough). Reading Subscriptions and creating lists works fine for app.
I started to play around with different configurations, trying to isolate the problem, and managed to:
I feel quite lost, since I've given app more permissions than delegated user, and it still gets Unauthorized 403, and response error doesn't tell much how to resolve this issue.
Are there any configurations for SharePoint List subscriptions that need to be taken care of for app authentication only?
The service is currently experiencing an issue where app-only lists and drive subscriptions are getting an access denied when it shouldn't. The team is currently working to solve the issue. I suggest you follow this issue as we investigate the problem or that you open a support ticket asking to link your ticket to the ICM 200246697.