Does MSAppProxy work for SharePoint (on-prem) webhooks

Question

Does MSAppProxy work for SharePoint (on-prem) webhooks

Kenzo De Ridder 80

We're currently developing for a SharePoint Server Subscription instance.
We want/need to use SharePoint list webhooks.
These work when I use ngrok as a proxy for my development environment.
When I publish my backend app to our webserver, it is unable to successfully create webhook subscriptions.
This webserver is not reachable from outside our company's network, unless the MS app proxy('s URL) (https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy) is used.
When I run ngrok on that same webserver (and use that url to create a subscription), it is able to create subscriptions.
In the same backend app, webhook subscriptions for users' email accounts are created/used (via Microsoft Graph), and those do work.
So we have Microsoft Graph that's able to reach our application behind the MSAppProxy and SharePoint that's isn't able to reach our application behind the MSAppProxy.
I've checked the incoming traffic on that webserver and it never receives a request from SharePoint when the MSAppProxy url is being used, so it's like it's being blocked at the MSAppProxy level.

0 comments

1 answer

Your answer

Answer 1

Anonymous

Hi @Kenzo De Ridder , yes, MSAP can be used to publish SharePoint Server Subscription webhooks to the internet. However, there are some considerations to keep in mind.

Make sure that your SharePoint Server Subscription instance is configured to use MSAP as a reverse proxy. This involves configuring the SharePoint Server Subscription instance to trust the MSAP certificate and configuring the MSAP connector to forward traffic to the SharePoint Server Subscription instance.

Once you have configured the SharePoint Server Subscription instance to use MSAP, you should be able to create webhook subscriptions using the MSAP URL as the endpoint. However, there are some limitations to keep in mind:

MSAP does not support long-lived connections, so SharePoint webhooks with a long expiration time may not work properly.
MSAP may introduce additional latency and network overhead, which can impact the performance of your webhook notifications.
MSAP may not support all SharePoint webhook scenarios, such as webhooks that require custom headers or authentication schemes.

If you are experiencing issues with creating webhook subscriptions using MSAP, you may want to check the MSAP logs to see if there are any errors or warnings related to the incoming traffic from SharePoint. You may also want to check the SharePoint logs to see if there are any errors or warnings related to the outgoing traffic to MSAP.

Please let me know if you have any questions and I can help you further.

If this answer helps you please mark "Accept Answer" so other users can reference it.

Thank you,

James

Kenzo De Ridder 80 Reputation points

2023-11-23T12:30:01.9233333+00:00

Hello James,

We are not trying to make our on-premise SharePoint instance accessible from the outside, which is what you are explaining, if I understood you correctly.

Our MSAP is purely set up in such a way that only our WebAPI is accessible from outside our network, so Microsoft Graph/SharePoint is able to forward change notifications to that endpoint.

As I've explained, this currently works for Microsoft Graph - the endpoint gets successfully validated and notifications are posted to that endpoint.
For SharePoint webhooks, this does not work. The endpoint never gets successfully validated.
The validation requests never reach our MSAP.

Looking at the flow of things, when we ask our on-premise SP instance to create a subscription (example), our on-premise instance actually sends another request to some remote (O365/SPOnline?) server, which then sends a request to our endpoint url, which is protected by the MSAP. This is visible by looking at our webAPI's logs; the requests are not coming from the server where our on-prem SP is running, but from an external server.

Again, when we run ngrok to expose that very same webAPI to the outside world, and use that as the endpoint URL, it all works, so the combination of SharePoint and MSAP is giving issues.
Kenzo De Ridder 80 Reputation points

2023-11-23T12:34:48.4333333+00:00

When we simulate an endpoint validation request via postman (using their website, so the request is coming from outside our internal network as well), while using the MSAP url as the endpoint url, it also works.
So it's like the communication between some external SharePoint server and the MSAP is giving issues.
Anonymous

2023-12-06T21:48:54.62+00:00

Hi @Kenzo De Ridder , based on your description, it's possible that the issue is related to the network configuration between SharePoint and your MSAP. SharePoint may not be able to reach your WebAPI due to network restrictions or firewall rules. You may need to check your network configuration and ensure that SharePoint is able to reach your WebAPI.

Another possibility is that SharePoint is not able to validate your WebAPI endpoint due to SSL certificate issues. SharePoint requires that the endpoint URL be secured with a valid SSL certificate. You may need to check your SSL certificate configuration and ensure that it's valid and trusted by SharePoint.

If you have already checked these configurations and are still experiencing issues, it may be helpful to enable logging and tracing in your MSAP to see if there are any errors or issues that are preventing SharePoint from reaching your WebAPI. You can also check the SharePoint logs to see if there are any errors or issues related to the webhook subscription or validation process.

If you're still having issues, can you please send me an email at "azcommunity@microsoft.com" with subject "ATTN: James Hamil" and your subscription ID? I can open a free support ticket for you.

Best,

James

Share via

Does MSAppProxy work for SharePoint (on-prem) webhooks

1 answer

Your answer