Have Graph API Subscriptions for ToDo Tasks with Application Level permissions always not worked?

David Vasquez 15 Reputation points
2025-09-15T23:30:11.85+00:00

My team has been using task list subscriptions with Application Level permissions. Or so we thought. But recently it seems subscription requests are failing with a 404 when trying to set the resource on the subscription request to a user's default task list. Has this never worked before or is it only recently being enforced?

Here's an example (but with application level permissions on the app registration)

{
   "changeType": "updated,deleted",
   "notificationUrl": "https://someurl/notifications",
   "resource": "/users/someuser/todo/lists/SOME_VALID_LONG_TASK_LIST_ID/tasks",
   "expirationDateTime": "2025-09-15T17:43:00.0000000Z",
   "clientState": "SOMERANDOMVALUE",
   "latestSupportedTlsVersion": "v1_2"
}
Microsoft Security | Microsoft Graph

1 answer

  1. Azizkhon Ishankhonov 1,010 Reputation points
    2025-09-19T12:13:22.78+00:00

    Yes, this has been recently enforced more strictly. Microsoft has been tightening the enforcement of permission requirements for Microsoft Graph subscriptions, particularly around delegated vs. application permissions for personal data like To-Do tasks.

    The Issue

    Task list subscriptions (/users/{user-id}/todo/lists/{list-id}/tasks) have never officially supported application-only permissions for security and privacy reasons, but the enforcement wasn't always consistent. Microsoft has been gradually strengthening these restrictions throughout 2024-2025.

    Why This Happens

    1. Personal Data Protection: To-Do tasks are considered personal user data
    2. Security Model: Application permissions for personal tasks would allow apps to access any user's tasks without their consent
    3. Delegated Context Required: Task subscriptions need a user context (delegated permissions)

    Solutions

    Option 1: Use Delegated Permissions (Recommended)

    Switch to delegated permissions with user consent:

    {
       "changeType": "updated,deleted",
       "notificationUrl": "https://someurl/notifications",
       "resource": "/me/todo/lists/SOME_VALID_LONG_TASK_LIST_ID/tasks",
       "expirationDateTime": "2025-09-15T17:43:00.0000000Z",
       "clientState": "SOMERANDOMVALUE",
       "latestSupportedTlsVersion": "v1_2"
    }

    Required Permissions:

    • Tasks.ReadWrite (delegated)
    • Tasks.Read (delegated, if only reading)

    Option 2: Alternative Approaches

    If you must use application permissions, consider:

    1. SharePoint Lists: Use SharePoint lists instead of To-Do for shared task management
    2. Planner: Use Microsoft Planner APIs for team-based task management
    3. Custom Solution: Build your own task storage with Microsoft Graph as a sync mechanism

    Timeline of Changes

    • 2024 Q1-Q2: Inconsistent enforcement began
    • 2024 Q3-Q4: Stricter validation rolled out gradually
    • 2025: Full enforcement across all regions

    Verification Steps

    To confirm this is the issue:

    1. Check your app registration permissions:

       https://portal.azure.com → App registrations → Your app → API permissions

    2. Test with delegated permissions:
       • Add Tasks.ReadWrite delegated permission
       • Use user context authentication
       • Try the subscription again
    3. Check Microsoft Graph changelog:

    References
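
A pre-flight check for the mismatch discussed in this thread, added here as an example and not part of the question or the answer: it inspects the access token's claims before a To Do tasks subscription request is sent. It assumes the token is a JWT in which delegated scopes appear in the `scp` claim and application permissions in `roles`; the payload is decoded for diagnostics only, with no signature validation, and the function names and sample tokens are constructed for illustration.

```python
import base64
import json
import re

# Resource shape from the question and answer: To Do tasks under /me or /users/{id}.
TODO_TASKS = re.compile(r"^/?(me|users/[^/]+)/todo/lists/[^/]+/tasks/?$", re.I)
# Delegated scopes the answer lists for this resource.
NEEDED_SCOPES = {"Tasks.Read", "Tasks.ReadWrite"}


def token_claims(access_token: str) -> dict:
    """Decode a JWT payload for diagnostics only; the signature is NOT validated."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(subscription: dict, access_token: str) -> list[str]:
    """Return problems that would make a To Do tasks subscription fail."""
    if not TODO_TASKS.match(subscription.get("resource", "")):
        return []  # not a To Do tasks resource; this check does not apply
    claims = token_claims(access_token)
    scopes = set(claims.get("scp", "").split())  # delegated: space-separated string
    roles = set(claims.get("roles", []))         # app-only: list of app roles
    if not scopes:
        kind = "app-only token" if roles else "token without scp"
        return [f"{kind}: To Do task subscriptions need a delegated (user) token"]
    if not scopes & NEEDED_SCOPES:
        return ["delegated token lacks Tasks.Read or Tasks.ReadWrite"]
    return []


def sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Subscription body from the question; tokens below are constructed samples.
    sub = {"changeType": "updated,deleted",
           "resource": "/users/someuser/todo/lists/SOME_VALID_LONG_TASK_LIST_ID/tasks"}
    print(preflight(sub, sample_token({"roles": ["Tasks.ReadWrite.All"]})))
    print(preflight(sub, sample_token({"scp": "Tasks.ReadWrite User.Read"})))
```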

