I am getting Unauthorised error without reason while subscribing to email notification using graph API
We're developing an application that needs to read clients' Outlook emails for internal use. We've created an application in Azure AD and configured all required permissions to fetch emails and receive notifications.
Our implementation uses client credentials flow (not OAuth), passing secrets, tokens, tenantId, and clientId to call the Graph API. We successfully tested this with our personal Azure accounts - we're able to receive notifications when emails arrive in the subscribed inbox and also fetch emails.
However, after migrating to our enterprise Azure account for company use, the same code is failing with authorization errors specifically when calling the create subscription API though I am able to fetch all the users in my enterprise app with the same token but could not create subscriptions for them.
Microsoft Teams | Development
-
Goutam Pratti • 6,170 Reputation points • Microsoft External Staff • Moderator
2025-04-16T14:55:34.9233333+00:00 Hello @Yamin Lawar ,
I understand that you have an application registered in Entra ID with all the required permissions configured to fetch emails and receive notifications. You've implemented the client credentials flow and successfully tested it using your personal Azure accounts — you were able to fetch emails and receive notifications when new emails arrived in the subscribed inbox.
However, after migrating to your enterprise Azure account, the same code is now failing with authorization errors.
There is a maximum limit of 1000 active subscriptions for Outlook resources per mailbox for all applications. You can subscribe to changes in contacts, events, or messages in the mailbox.
Depending on the resource, use the least privileged permission specified in the following table to call this API
Note the following limitations:
- Delegated permission supports subscribing to items in folders in only the signed-in user's mailbox. For example, you can't use the delegated permission, Calendars.Read to subscribe to events in another user’s mailbox.
- To subscribe to change notifications of Outlook contacts, events, or messages in shared or delegated folders:
- Use the corresponding application permission to subscribe to changes of items in a folder or mailbox of any user in the tenant.
- Don't use the Outlook sharing permissions (Contacts.Read.Shared, Calendars.Read.Shared, Mail.Read.Shared, and their read/write counterparts), as they do not support subscribing to change notifications on items in shared or delegated folders.
Make sure to extend a subscription before it expires. The maximum lifetime for a subscription without Outlook resource data can be found in the subscription lifetime table.
If you lose the permission granted earlier for a subscription and the subscription expires meanwhile, request permission again to create a new subscription.
Subscriptions have a limited lifetime. Apps need to renew their subscriptions before the expiration time; otherwise, they need to create a new subscription. Apps can also unsubscribe at any time to stop getting change notifications.
The following table shows the maximum expiration times for subscriptions per resource in Microsoft Graph.
Note: Existing applications and new applications should not exceed the supported value. In the future, any requests to create or renew a subscription beyond the maximum value will fail.
For detailed information follow the documents: https://learn.microsoft.com/en-us/graph/outlook-change-notifications-overview#create-a-subscription , https://learn.microsoft.com/en-us/graph/change-notifications-overview#subscription-lifetime
Hope the above information helps. If you are still facing the issue, please provide a screenshot of the error that you are getting.
-
Goutam Pratti • 6,170 Reputation points • Microsoft External Staff • Moderator
2025-04-17T12:57:44.5733333+00:00 Hello @Yamin Lawar ,
Following up to see if the above information is helpful. Let us know if you have any additional queries. Happy to assist you further.
-
Yamin Lawar • 0 Reputation points
2025-04-21T07:16:51.1533333+00:00 Hello @Goutam Pratti
On the detailed answers you suggested, here is more information:
- There is a maximum limit of 1000 active subscriptions for Outlook resources per mailbox for all applications. You can subscribe to changes in contacts, events, or messages in the mailbox.
There is no subscription made yet on the current application, so this point is checked and doesn't apply here.
- Regarding limitation:
I have already checked all the limitations. I am already using an application permission, not a delegated permission, and just for information I am subscribing to email (i.e. messages only).
- Extending subscription:
I already have to renew the subscription 24 hours before it expires, but please understand that we are not even able to create a subscription, so there is no point in looking at this.
Sorry, but your information above is very general and we follow all the instructions listed in the documents. Please can you help guide us on what exactly is going wrong here, or can we get support from a developer or technical person?
-
Goutam Pratti • 6,170 Reputation points • Microsoft External Staff • Moderator
2025-04-21T12:56:36.8166667+00:00 Hello @Yamin Lawar ,
As you mentioned that you're encountering an "Unauthorized" error, could you please share a screenshot of the error? This will help us troubleshoot the issue more effectively.
-
Yamin Lawar • 0 Reputation points
2025-04-22T04:18:09.62+00:00 Here I am attaching screenshot for your reference
For more context, this user is part of our organisation. I am able to fetch the users list, and this user is present in the users list response, which I fetched through the same code base and credentials using the Microsoft Graph API.
-
Goutam Pratti • 6,170 Reputation points • Microsoft External Staff • Moderator
2025-04-23T12:50:37.0433333+00:00 Hello @Yamin Lawar ,
I understand from the screenshot that you are getting an unauthorized error, but for subscribing to email notifications using the Microsoft Graph API, the Mail.Read application-type API permission is required. Can you confirm, with the help of a screenshot, which API permissions you granted?
You can check this document: https://learn.microsoft.com/en-us/graph/api/subscription-post-subscriptions?view=graph-rest-1.0&tabs=http#permissions
-
Goutam Pratti • 6,170 Reputation points • Microsoft External Staff • Moderator
2025-04-24T10:52:55.0433333+00:00 Hello @Yamin Lawar ,
Following up to see if the above information is helpful. Let us know if you have any additional queries. Happy to assist you further.
-
Yamin Lawar • 0 Reputation points
2025-04-24T12:26:45.2833333+00:00 I already have the right permissions for this; please check the attached screenshots.
-
Rukmini • 3,841 Reputation points • Microsoft External Staff • Moderator
2025-04-25T06:09:18.2566667+00:00 Hello @Yamin Lawar,
I understand that after migrating to the enterprise Azure account for your company, you are getting an Unauthorized error while creating a subscription to email notifications.
It might be due to access policies, or missing configurations specific to your enterprise environment.
- If RestrictAccess is enabled within your enterprise Azure environment, your application may not have the necessary permissions to access the mailboxes of users within the organization.
Hence, to resolve the issue create an Application Access Policy that grants explicit access to the mailboxes you want to subscribe to. This is necessary if the RestrictAccess policy is blocking access to users' mailboxes.
Connect-ExchangeOnline
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "MicrosoftEntraAppID" -PolicyScopeGroupId ******@xxx.onmicrosoft.com -Description "Test"
Test-ApplicationAccessPolicy -Identity ******@xxx.onmicrosoft.com -AppId "MicrosoftEntraAppID"
API permissions in Microsoft Entra ID application:
Generated access token using Client credential flow:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id: ClientID
client_secret: Secret
scope: https://graph.microsoft.com/.default
grant_type: client_credentials
Also make sure to decode the token and check if the role Mail.Read is present:
Passing the above token, I am able to create a subscription for email notification change successfully:
POST https://graph.microsoft.com/v1.0/subscriptions
{
  "changeType": "created",
  "notificationUrl": "https://rukemailappnotification.azurewebsites.net/api/http_trigger1?code=pvhhoxxx",
  "resource": "users/******@xxx.onmicrosoft.com/mailFolders('Inbox')/messages",
  "expirationDateTime": "2025-04-26T18:23:45.935Z",
  "clientState": "1234",
  "latestSupportedTlsVersion": "v1_2"
}
Received notification details when mail is received:
Reference:
New-ApplicationAccessPolicy (ExchangePowerShell) | Microsoft
Hope this helps!
Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
If any further queries - feel free to reach out!
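The token check suggested in the answer above, written out as an added example that is not part of the original thread or Microsoft's code: it decodes the access token payload without verifying the signature (diagnostics only) and reports what would block an app-only mail subscription. The function names and the unsigned sample tokens are constructed for illustration.

```python
import base64
import json
import time

# Audience values that identify Microsoft Graph (resource URI and its well-known app ID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def decode_claims(token):
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token, required_role="Mail.Read", now=None):
    """Return a list of problems that would block an app-only mail subscription."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if str(claims.get("aud", "")).rstrip("/") not in GRAPH_AUDIENCES:
        problems.append(f"audience is {claims.get('aud')!r}, not Microsoft Graph")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if "scp" in claims:  # delegated tokens carry scopes, app-only tokens carry roles
        problems.append("delegated token (scp claim); client credentials tokens carry roles")
    if required_role not in claims.get("roles", []):
        problems.append(f"roles claim lacks {required_role}: {claims.get('roles', [])}")
    return problems

def make_sample(claims):
    """Build an unsigned, constructed token for the demo below (not a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

if __name__ == "__main__":
    base = {"aud": "https://graph.microsoft.com", "exp": int(time.time()) + 3600}
    samples = {  # constructed claim sets
        "app-only with Mail.Read": {**base, "roles": ["User.Read.All", "Mail.Read"]},
        "app-only without Mail.Read": {**base, "roles": ["User.Read.All"]},
        "delegated": {**base, "scp": "Mail.Read User.Read"},
    }
    for name, claims in samples.items():
        print(name, "->", check_token(make_sample(claims)) or "ok")
```

The answer's other suggestion, the Application Access Policy, is enforced in Exchange Online and is not visible in the token, so a clean result here does not rule it out.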
-
Phong • 0 Reputation points
2025-04-25T20:51:32.81+00:00 I'm hitting the same issue. I have a new app with Mail.Read permission for both the delegated user and the application. I'm able to get OAuth2.0 refresh and access tokens via the OIDC flow.
I can use this token to query https://graph.microsoft.com/v1.0/me and get my profile information. However, when I try to create a subscription using POST https://graph.microsoft.com/v1.0/subscriptions, it fails with the error:
'{"error":{"code":"ExtensionError","message":"Operation: Create; Exception: [Status Code: Unauthorized; Reason: ]","innerError":{"date":"2025-04-25T20:44:39","request-id":"c49daa40-9631-4fed-91f7-186a4e870514","client-request-id":"c49daa40-9631-4fed-91f7-186a4e870514"}}}'
The weird thing is that I can successfully list subscriptions using the GET https://graph.microsoft.com/v1.0/subscriptions endpoint; it won't fail, but an empty list is returned. What's even weirder is that I can go to the Graph Explorer, consent to just the user-level Mail.Read permissions, and am able to create a subscription there. If I do this, the GET https://graph.microsoft.com/v1.0/subscriptions still returns an empty list.
-
Rukmini • 3,841 Reputation points • Microsoft External Staff • Moderator
2025-04-28T03:27:54.4733333+00:00 Hello @Yamin Lawar, we haven’t heard from you on the last response and were just checking back to see if you have a resolution yet. If you have a resolution, please do share it with the community, as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
-
Yamin Lawar • 0 Reputation points
2025-04-28T06:43:38.4733333+00:00 Hey, thanks Rukmini. I will try what you suggested tomorrow and will update here. Thanks
-
Rukmini • 3,841 Reputation points • Microsoft External Staff • Moderator
2025-04-29T05:40:04.1866667+00:00 Hello @Yamin Lawar, we haven’t heard from you on the last response and were just checking back to see if you have a resolution yet. If you have a resolution, please do share it with the community, as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
-
Rukmini • 3,841 Reputation points • Microsoft External Staff • Moderator
2025-04-30T03:53:12.8766667+00:00 Hello @Yamin Lawar, we haven’t heard from you on the last response and were just checking back to see if you have a resolution yet. If you have a resolution, please do share it with the community, as it can be helpful to others. Otherwise, please respond with more details and we will try to help.