How to use AAD authenticated notificationUrl to Create subscription for MS graph notifications?

Shashikant Sharma 105 Reputation points
2023-10-03T09:54:15.4733333+00:00

In my Client App, I am using Graph API to create subscriptions as follows to get the status of the TEAMS users:

const subscription = await client.api('/subscriptions').create({
  changeType: 'updated',
  notificationUrl: `my own API endpoint to azure app service that Graph will send the notification to`,
  // userIds: placeholder for the list of users
  resource: `/communications/presences?$filter=id in(${userIds})`,
  clientState: process.env.SUBSCRIPTION_CLIENT_STATE,
  includeResourceData: false,
});

It works like a charm if 'notificationUrl' is a public URL. But to secure it, I registered the URL's app service with AAD and provided authentication to it with 'user_impersonation' for my client application.

Now how do I send the on-behalf-of-user authentication token in the API so that the app is accessed securely and returns a 200 to the API I am calling? Like we send header information as follows:

headers: {
  Authorization: `Bearer ${authToken}`,
  Token: `Token ${accessToken}`,
}
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

Answer accepted by question author
  1. Danstan Onyango 3,996 Reputation points Microsoft Employee
    2023-12-19T07:38:25.33+00:00

    You should not use the user impersonation token as it's not secure to pass tokens. For validating the notification URL, it's up to Graph API and the docs here

    The ideal solution is to just validate the change notification tokens, which Graph API will include with each request.

    See Validation tokens in the change notification, which explains how to validate the change notification so that your app is not spoofed.

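Two checks a public notificationUrl endpoint can make for the subscription in the question, as an added example that is not part of the original thread: echoing the `validationToken` handshake and comparing `clientState` in constant time. The handler name, its return shape and the sample values are assumptions of this example; it does not cover the JWT validation-token check the answer links to.

```javascript
const crypto = require('node:crypto');

// Constant-time comparison so the shared secret cannot be guessed byte by byte.
function safeEqual(a, b) {
  const x = Buffer.from(String(a ?? ''), 'utf8');
  const y = Buffer.from(String(b ?? ''), 'utf8');
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Hypothetical framework-neutral handler: takes the parsed query string and
// JSON body of a POST to notificationUrl and returns the response to send.
function handleGraphPost({ query = {}, body = null }, expectedClientState) {
  // 1. Subscription handshake: Graph POSTs ?validationToken=... and expects
  //    the decoded token echoed back as text/plain with a 200.
  if (typeof query.validationToken === 'string') {
    return { status: 200, contentType: 'text/plain', body: query.validationToken, accepted: [] };
  }
  // 2. Change notification: { value: [ { subscriptionId, clientState, ... } ] }
  const items = body && Array.isArray(body.value) ? body.value : null;
  if (!items || items.length === 0) {
    return { status: 400, contentType: 'text/plain', body: 'malformed', accepted: [] };
  }
  // Only items carrying the clientState sent at subscription time are handed
  // on for processing. This example still answers 202 so a spoofing caller
  // learns nothing from the status code (a design choice of this example).
  const accepted = items.filter((n) => safeEqual(n.clientState, expectedClientState));
  return { status: 202, contentType: 'text/plain', body: '', accepted };
}

// Constructed sample payload (not captured traffic): one genuine item, one spoofed.
const SAMPLE_SECRET = 'constructed-secret';
const samplePayload = {
  value: [
    { subscriptionId: 'sub-1', changeType: 'updated', clientState: 'constructed-secret',
      resource: "communications/presences('user-a')" },
    { subscriptionId: 'sub-1', changeType: 'updated', clientState: 'guess',
      resource: "communications/presences('user-b')" },
  ],
};

const demo = handleGraphPost({ body: samplePayload }, SAMPLE_SECRET);
console.log(demo.status, demo.accepted.map((n) => n.resource));
```

In the question's setup the expected value would come from `process.env.SUBSCRIPTION_CLIENT_STATE`, the same secret passed as `clientState` when the subscription was created.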
