This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 32%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
According to the resources: https://learn.microsoft.com/en-us/graph/api/subscription-post-subscriptions?view=graph-rest-beta&tabs=http https://github.com/microsoftgraph/java-spring-webhooks-sample I've created the notification endpoints in my MS Teams bot, created two subscriptions for two different organizations, using the access token received by the client credentials flow for corresponding tenantId. And I could receive the notification of adding new messages in channels of two organization. Regarding to the documentation https://learn.microsoft.com/en-us/graph/teams-protected-apis I need to request the access for the protected API of subscription creating, but everything works well for two different organizations without such request. Why is such request required? And why is Creating subscription for new channel messages is protected?
@Maxim : Taking this for internal discussion with team, I will update you with resolution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 95%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Hi @Maxim I have raised a bug and concern team is working on it.
Microsoft Teams APIs in Microsoft Graph that access sensitive data are considered protected APIs. So these APIs require that you have additional validation, beyond permissions and consent, before you can use them. For more info, refer and the list of APIs.
"Create subscription for new channel messages" is protected API according to your documentation link. And we have to request access to this protected API:
To request access to these protected APIs, complete the following request form. We review access requests every Wednesday and deploy approvals every Friday, except during major holiday weeks in the U.S. Submissions during those weeks will be processed the following non-holiday week.
As I described above, I could create sush subscription without creating the access request for this protected API. Why should I complete the following request form if everything works without it?