Tags: azure, powershell, azure-active-directory, microsoft-graph-api, microsoft-graph-notifications

Can't create Microsoft Graph API subscription


I want to have some logic executing after a user creation event is pushed, so I decided to go into Event Grid and create a subscription for the Microsoft Graph API:

Connect-MgGraph

Import-Module Microsoft.Graph.ChangeNotifications

$params = @{
    changeType               = "updated,deleted,created"
    notificationUrl          = "EventGrid:?azuresubscriptionid=MyID&resourcegroup=Test&partnertopic=Test&location=eastus"
    lifecycleNotificationUrl = "EventGrid:?azuresubscriptionid=MyID&resourcegroup=Test&partnertopic=Test&location=eastus"
    resource                 = "users"
    expirationDateTime       = (Get-Date).AddMinutes(4000)
}

New-MgSubscription -BodyParameter $params

And I'm getting this error; I don't know how to fix it and didn't find any solution for it:

New-MgSubscription_Create: Operation: Create; Exception: [Status Code: Unauthorized; Reason: ]

Status: 401 (Unauthorized)
ErrorCode: ExtensionError
Date: 2024-02-26T11:01:41

Headers:
Cache-Control                 : no-cache
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : c9bb98e5-6c35-43a7-abbe-665e9724ead1
client-request-id             : a3ba1c36-7716-456f-b36d-c54bda198962
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"003","RoleInstance":"AM1PEPF0003006E"}}
Date                          : Mon, 26 Feb 2024 11:01:41 GM

Solution

    I created one Partner configuration for the Sri resource group by authorizing the Microsoft Graph API to create resources (Portal screenshot not reproduced).

    Initially, I too got the same error when I ran your script to create a subscription with a user not having the User.Read.All permission under the tenant:

    Connect-MgGraph

    Import-Module Microsoft.Graph.ChangeNotifications

    $params = @{
        changeType               = "updated,deleted,created"
        notificationUrl          = "EventGrid:?azuresubscriptionid=MyID&resourcegroup=Sri&partnertopic=Demo&location=eastus"
        lifecycleNotificationUrl = "EventGrid:?azuresubscriptionid=MyID&resourcegroup=Sri&partnertopic=Demo&location=eastus"
        resource                 = "users"
        expirationDateTime       = (Get-Date).AddMinutes(4000)
    }

    New-MgSubscription -BodyParameter $params
    

    Response: (screenshot of the 401 Unauthorized error not reproduced)

    To resolve the error, make sure to grant the User.Read.All permission to the signed-in user (the required permission differs based on the resource value), or log in with a user having an Admin role under the tenant.

    Now, I ran the PowerShell script below, including the -Scopes parameter, and got the response successfully:

    Connect-MgGraph -Scopes "User.Read.All"

    Import-Module Microsoft.Graph.ChangeNotifications

    $params = @{
        changeType               = "updated,deleted,created"
        notificationUrl          = "EventGrid:?azuresubscriptionid=MyID&resourcegroup=Sri&partnertopic=Test01&location=eastus"
        lifecycleNotificationUrl = "EventGrid:?azuresubscriptionid=MyID&resourcegroup=Sri&partnertopic=Test01&location=eastus"
        resource                 = "users"
        expirationDateTime       = (Get-Date).AddMinutes(4000)
    }

    New-MgSubscription -BodyParameter $params
    

    Response: (screenshot of the created subscription not reproduced)

    You can also retrieve the created subscription details by running the command below:

    Import-Module Microsoft.Graph.ChangeNotifications
    
    Get-MgSubscription -SubscriptionId <aboveIDvalue> | fl
    

    Response: (screenshot of the Get-MgSubscription output not reproduced)

    When I checked the same in the Portal, the Event Grid Partner Topic named Test01 was created successfully (Portal screenshot not reproduced).

    Reference: Create subscription - Microsoft Graph
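As an added example (not the asker's or answerer's script), the same subscription created with only the scope the `users` resource needs, plus a check of the consented scopes before the call so that a missing permission surfaces as a clear message instead of the opaque 401 ExtensionError above. The subscription id, resource group, partner topic and region are placeholder or assumed values.

```powershell
# Added example, not from the question or answer above.
# Assumed values: Azure subscription id (placeholder), resource group, partner topic, region.
param(
    [string]$AzureSubscriptionId = "<your-azure-subscription-id>",
    [string]$ResourceGroup       = "Sri",
    [string]$PartnerTopic        = "Test01",
    [string]$Location            = "eastus",
    [int]$LifetimeMinutes        = 4000
)

Import-Module Microsoft.Graph.ChangeNotifications

# Least privilege: change notifications on 'users' need User.Read.All.
# Other resources need their own permission; this map lists only what the thread covers.
$requiredScope = @{ users = "User.Read.All" }
$resource = "users"

# Request exactly the scope needed rather than a broad or empty scope set.
Connect-MgGraph -Scopes $requiredScope[$resource]

# Fail early if consent was not actually granted for the required scope.
$granted = (Get-MgContext).Scopes
if ($granted -notcontains $requiredScope[$resource]) {
    throw "Signed-in account lacks $($requiredScope[$resource]); consented scopes: $($granted -join ', ')"
}

# Build the EventGrid target once and reuse it for both notification URLs.
$eventGridUrl = "EventGrid:?azuresubscriptionid=$AzureSubscriptionId&resourcegroup=$ResourceGroup&partnertopic=$PartnerTopic&location=$Location"

$params = @{
    changeType               = "updated,deleted,created"
    notificationUrl          = $eventGridUrl
    lifecycleNotificationUrl = $eventGridUrl
    resource                 = $resource
    expirationDateTime       = (Get-Date).ToUniversalTime().AddMinutes($LifetimeMinutes)
}

try {
    $sub = New-MgSubscription -BodyParameter $params -ErrorAction Stop
    # Keep the id: it is needed to renew (Update-MgSubscription) or remove the subscription later.
    Get-MgSubscription -SubscriptionId $sub.Id | Format-List Id, Resource, ChangeType, ExpirationDateTime
} catch {
    Write-Error "New-MgSubscription failed: $($_.Exception.Message)"
}
```

The Partner configuration authorizing Microsoft Graph for the resource group, as described in the answer, must still exist before this runs.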