How to use AAD authenticated notificationUrl to Create subscription for MS graph notifications?

Shashikant Sharma 85 Reputation points
2023-10-03T09:54:15.4733333+00:00

In my Client App, I am using Graph API to create subscriptions as follows to get the status of the TEAMS users:

const subscription = await client.api('/subscriptions').create({
  changeType: 'updated',
  notificationUrl: `my own API endpoint to azure app service that Graph will send the notification to`,
  // listOfUsers is a placeholder for the list of users
  resource: `/communications/presences?$filter=id in(${listOfUsers})`,
  clientState: process.env.SUBSCRIPTION_CLIENT_STATE,
  includeResourceData: false,
});

It works like a charm if 'notificationUrl' is a public URL. But to secure it, I registered the URL's app service with AAD and provided authentication to it with 'user_impersonation' for my client application.

Now how do I send an on-behalf-of-user authentication token in the API so that the app is accessed securely and returns a 200 to the API I am calling? Like we send header information as follows:

headers: {
  Authorization: `Bearer ${authToken}`,
  Token: `Token ${accessToken}`,
}

Accepted answer
  1. Danstan Onyango 3,821 Reputation points Microsoft Employee
    2023-12-19T07:38:25.33+00:00

    You should not use the user impersonation token, as it's not secure to pass tokens. For validating the notification URL, it's up to Graph API and the docs here

    The ideal solution is to just validate the change notification tokens, which Graph API will include with each request.

    See Validation tokens in the change notification which explains how to validate the change notification so that your app is not spoofed.

    0 comments No comments
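
The receiving side of the notificationUrl from this thread, as an added example that is not part of the original question or answer and is not Microsoft's code: it echoes the `validationToken` that Graph sends when the subscription is created and drops notifications whose `clientState` differs from the secret set in the subscription. `handleGraphWebhook`, `constantTimeEqual`, the `{ method, query, body }` request shape and all sample values are assumptions constructed for illustration.

```javascript
// Compare without exiting early at the first differing character.
// In Node, crypto.timingSafeEqual over equal-length buffers is the library alternative.
function constantTimeEqual(candidate, expected) {
  if (typeof candidate !== 'string' || typeof expected !== 'string') return false;
  if (expected.length === 0) return false; // an unset secret must never match
  let diff = candidate.length ^ expected.length;
  for (let i = 0; i < candidate.length; i++) {
    diff |= candidate.charCodeAt(i) ^ expected.charCodeAt(i % expected.length);
  }
  return diff === 0;
}

// req is a hypothetical, framework-agnostic view of the incoming request:
// { method, query (already URL-decoded), body (parsed JSON) }.
function handleGraphWebhook(req, expectedClientState) {
  if (req.method !== 'POST') return { status: 405, accepted: [] };

  // 1. Subscription handshake: Graph posts ?validationToken=... and expects
  //    200 with the decoded token as a text/plain body.
  const token = req.query && req.query.validationToken;
  if (typeof token === 'string') {
    return { status: 200, headers: { 'Content-Type': 'text/plain' }, body: token, accepted: [] };
  }

  // 2. Change notifications arrive as { value: [ ... ] }.
  const items = req.body && Array.isArray(req.body.value) ? req.body.value : null;
  if (!items) return { status: 400, accepted: [] };

  // Keep only items carrying the clientState chosen when subscribing.
  const accepted = items.filter((n) => constantTimeEqual(n && n.clientState, expectedClientState));

  // Acknowledge receipt with 202; only `accepted` goes on to processing.
  return { status: 202, accepted };
}

// Constructed sample data (not captured traffic).
const SAMPLE_STATE = 'constructed-secret-value';
const sampleBatch = {
  value: [
    { subscriptionId: 'sub-1', changeType: 'updated', clientState: SAMPLE_STATE,
      resource: "communications/presences('user-a')" },
    { subscriptionId: 'sub-1', changeType: 'updated', clientState: 'forged',
      resource: "communications/presences('user-b')" },
  ],
};

const result = handleGraphWebhook({ method: 'POST', query: {}, body: sampleBatch }, SAMPLE_STATE);
console.log(result.status, result.accepted.map((n) => n.resource));
```

The signed validation tokens the answer refers to have to be verified against Microsoft's signing keys, so that check is outside this offline example.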
