title | description | author | ms.author | ms.topic | ms.custom | ms.date |
---|---|---|---|---|---|---|
Receive Microsoft Graph change notifications through Azure Event Grid |
This article explains how to subscribe to events published by Microsoft Graph API. |
robece |
robece |
how-to |
devx-track-azurecli, devx-track-azurepowershell, devx-track-extended-java, devx-track-go, devx-track-js, devx-track-python, build-2024 |
05/22/2024 |
This article describes steps to subscribe to events published by Microsoft Graph API. The following table lists the event sources for which events are available through Graph API. For most resources, events announcing its creation, update, and deletion are supported. For detailed information about the resources for which events are raised for event sources, see supported resources by Microsoft Graph API change notifications .
Microsoft event source | Resources | Available event types |
---|---|---|
Microsoft Entra ID | User, Group | Microsoft Entra event types |
Microsoft Outlook | Event (calendar meeting), Message (email), Contact | Microsoft Outlook event types |
Microsoft Teams | ChatMessage, CallRecord (meeting) | Microsoft Teams event types |
OneDrive | DriveItem | Microsoft OneDrive events |
Microsoft SharePoint | List | Microsoft SharePoint events |
To Do | To Do Task | Microsoft ToDo events |
Security alerts | Alert | Microsoft Security Alert events |
Cloud printing | Printer, Print Task Definition | Microsoft Cloud Printing events |
Microsoft Conversations | Conversation | Microsoft 365 Group Conversation events |
You create a Microsoft Graph API subscription to enable Graph API events to flow into a partner topic. The partner topic is automatically created for you as part of the Graph API subscription creation. You use that partner topic to create event subscriptions to send your events to any of the supported event handlers that best meets your requirements to process the events.
Important
If you aren't familiar with the Partner Events feature, see Partner Events overview.
Besides the ability to subscribe to Microsoft Graph API events via Event Grid, you have other options through which you can receive similar notifications (not events). Consider using Microsoft Graph API to deliver events to Event Grid if you have at least one of the following requirements:
- You're developing an event-driven solution that requires events from Microsoft Entra ID, Outlook, Teams, etc. to react to resource changes. You require the robust event-driven model and publish-subscribe capabilities that Event Grid provides. For an overview of Event Grid, see Event Grid concepts.
- You want to use Event Grid to route events to multiple destinations using a single Graph API subscription and you want to avoid managing multiple Graph API subscriptions.
- You require to route events to different downstream applications, webhooks, or Azure services depending on some of the properties in the event. For example, you might want to route event types such as
Microsoft.Graph.UserCreated
andMicrosoft.Graph.UserDeleted
to a specialized application that processes users' onboarding and off-boarding. You might also want to sendMicrosoft.Graph.UserUpdated
events to another application that syncs contacts information, for example. You can achieve that using a single Graph API subscription when using Event Grid as a notification destination. For more information, see event filtering and event handlers. - Interoperability is important to you. You want to forward and handle events in a standard way using Cloud Native Computing Foundation (CNCF) CloudEvents specification standard.
- You like the extensibility support that CloudEvents provides. For example, if you want to trace events across compliant systems, use CloudEvents extension Distributed Tracing. Learn more about more CloudEvents extensions.
- You want to use proven event-driven approaches adopted by the industry.
You request Microsoft Graph API to forward events to an Event Grid partner topic by creating a Graph API subscription using the Microsoft Graph API Software Development Kits (SDKs) and following the steps in the links to samples provided in this section. See Supported languages for Microsoft Graph API SDK for available SDK support.
You should meet these general prerequisites before implementing your application to create and renew Microsoft Graph API subscriptions:
-
Become familiar with the high-level steps to subscribe to partner events. As described in that article, before creating a Graph API subscription, you should follow the instructions in:
-
Register the Event Grid resource provider with your Azure subscription.
-
Authorize Microsoft Graph API (partner) to create a partner topic in your resource group.
-
-
Have a working knowledge of Microsoft Graph API notifications. As part of your learning, you could use the Graph API Explorer to create Graph API subscriptions.
-
Understand Partner Events concepts.
-
Identify the Microsoft Graph API resource from which you want to receive system state change events. For more information, see Microsoft Graph API change notifications. For example, for tracking changes to users in Microsoft Entra ID you should use the user resource. Use group for tracking changes to user groups.
-
Have a tenant administrator account on a Microsoft 365 tenant. You can get a development tenant for free by joining the Microsoft 365 Developer Program.
You find other prerequisites specific to the programming language of choice and the development environment you use in the Microsoft Graph API samples links found in a coming section.
Important
While detailed instructions to implement your application are found in the samples with detailed instructions section, you should read all sections in this article as they contain additional, important information related to forwarding Microsoft Graph API events using Event Grid.
When you create a Graph API subscription, a partner topic is created for you. You pass the following information in parameter notificationUrl to specify what partner topic to create and be associated to the new Graph API subscription:
- partner topic name
- resource group name in which the partner topic is created
- region (location)
- Azure subscription
These code samples show you how to create a Graph API subscription. They show examples for creating a subscription to receive events from all users in a Microsoft Entra ID tenant when they're created, updated, or deleted.
POST https://graph.microsoft.com/v1.0/subscriptions
Content-type: application/json
{
"changeType": "Updated,Deleted,Created",
"notificationUrl": "EventGrid:?azuresubscriptionid=8A8A8A8A-4B4B-4C4C-4D4D-12E12E12E12E&resourcegroup=yourResourceGroup&partnertopic=yourPartnerTopic&location=theNameOfAzureRegionFortheTopic",
"lifecycleNotificationUrl": "EventGrid:?azuresubscriptionid=8A8A8A8A-4B4B-4C4C-4D4D-12E12E12E12E&resourcegroup=yourResourceGroup&partnertopic=yourPartnerTopic&location=theNameOfAzureRegionFortheTopic",
"resource": "users",
"expirationDateTime": "2024-03-31T00:00:00Z",
"clientState": "secretClientValue"
}
[!INCLUDE sample-code]
[!INCLUDE sample-code]
[!INCLUDE sample-code]
[!INCLUDE sample-code]
[!INCLUDE sample-code]
[!INCLUDE sample-code]
[!INCLUDE sample-code]
[!INCLUDE sample-code]
changeType
: the kind of resource changes for which you want to receive events. Valid values:Updated
,Deleted
, andCreated
. You can specify one or more of these values separated by commas.notificationUrl
: a URI used to define the partner topic to which events are sent. It must conform to the following pattern:EventGrid:?azuresubscriptionid=<you-azure-subscription-id>&resourcegroup=<your-resource-group-name>&partnertopic=<the-name-for-your-partner-topic>&location=<the-Azure-region-name-where-you-want-the-topic-created>
. The location (also known as Azure region)name
can be obtained by executing the az account list-locations command. Don't use a location display name. For example, don't use West Central US. Usewestcentralus
instead.az account list-locations
lifecycleNotificationUrl
: a URI used to define the partner topic to whichmicrosoft.graph.subscriptionReauthorizationRequired
events are sent. This event signals your application that the Graph API subscription is expiring soon. The URI follows the same pattern as notificationUrl described earlier if using Event Grid as destination to lifecycle events. In that case, the partner topic should be the same as the one specified in notificationUrl.- resource: the resource that generates events that announce state changes.
- expirationDateTime: the expiration time at which the subscription expires and the flow of events stop. It must conform to the format specified in Request for Change (RFC) 3339. You must specify an expiration time that is within the maximum subscription length allowable per resource type.
- client state. This property is optional. It's used for verification of calls to your event handler application during event delivery. For more information, see Graph API subscription properties.
Important
-
The partner topic name must be unique within the same Azure region. Each tenant-application ID combination can create up to 10 unique partner topics.
-
Be mindful of certain Graph API resources' service limits when developing your solution.
-
Existing Graph API subscriptions without a
lifecycleNotificationUrl
property don't receive lifecycle events. To add the lifecycleNotificationUrl property, you should delete the existing subscription and create a new subscription specifying the property during subscription creation.
After creating a Graph API subscription, you have a partner topic created on Azure.
Your application must renew the Graph API subscription before it expires to avoid stopping the flow of events. To help you automate the renewal process, Microsoft Graph API supports lifecycle notifications events to which your application can subscribe. Currently, all type of Microsoft Graph API resources support the microsoft.graph.subscriptionReauthorizationRequired
, which is sent when any of the following conditions occur:
- Access token is about to expire.
- Graph API subscription is about to expire.
- A tenant administrator revoked your app's permissions to read a resource.
If you didn't renew your Graph API subscription after it expires, you need to create a new Graph API subscription. You could refer to the same partner topic you used in your expired subscription as long as it's expired for less than 30 days. If the Graph API subscription expired for more than 30 days, you can't reuse your existing partner topic. In this case, you need to either specify another partner topic name. Alternatively, you can delete the existing partner topic to create a new partner topic with the same name during the Graph API subscription creation.
Upon receiving a microsoft.graph.subscriptionReauthorizationRequired
event your application should renew the Graph API subscription by doing these actions:
-
If you provided a client secret in the clientState property when you created the Graph API subscription, that client secret in included with the event. Validate that the event's clientState matches the value used when you created the Graph API subscription.
-
Ensure that the app has a valid access token to take the next step. More information is provided in the coming samples with detailed instructions section.
-
Call either of the following two APIs. If the API call succeeds, the change notification flow resumes.
-
Call the
/reauthorize
action to reauthorize the subscription without extending its expiration date.POST https://graph.microsoft.com/beta/subscriptions/{id}/reauthorize
-
Perform a regular "renew" action to reauthorize and renew the subscription at the same time.
PATCH https://graph.microsoft.com/beta/subscriptions/{id} Content-Type: application/json { "expirationDateTime": "2024-04-30T11:00:00.0000000Z" }
Renewing might fail if the app is no longer authorized to access to the resource. It might then be necessary for the app to obtain a new access token to successfully reauthorize a subscription.
-
Authorization challenges don't replace the need to renew a subscription before it expires. The lifecycles of access tokens and subscription expiration aren't the same. Your access token might expire before your subscription. It's important to be prepared to regularly reauthorize your endpoint to refresh your access token. Reauthorizing your endpoint doesn't renew your subscription. However, renewing your subscription also reauthorizes your endpoint.
When renewing and/or reauthorizing your Graph API subscription the same partner topic specified when the subscription was created is used.
When Specifying a new expirationDateTime, it must be at least three hours from the current time. Otherwise, your application might receive microsoft.graph.subscriptionReauthorizationRequired
events soon after renewal.
For examples about how to reauthorize your Graph API subscription using any of the supported languages, see subscription reauthorize request.
For examples about how to renew and reauthorize your Graph API subscription using any of the supported languages, see update subscription request..
Microsoft Graph API documentation provides code samples with instructions to:
- Set up your development environment with specific instructions according to the language you use. Instructions also include how to get a Microsoft 365 tenant for development purposes.
- Create a Graph API subscriptions. To renew a subscription, you can call the Graph API using the code snippets in How to renew a Graph API subscription.
- Get authentication tokens to use them when calling Microsoft Graph API.
Note
It is possible to create your Graph API subscription using the Microsoft Graph API Explorer. You should still use the samples for other important aspects of your solution such as authentication and receiving events.
Web application samples are available for the following languages:
- C# sample. It's an up-to-date sample that includes how to create and renew Graph API subscriptions and walks you through some of the steps to enable the flow of events.
- Java sample
- NodeJS sample.
Important
You need to activate your partner topic that is created as part of your Graph API subscription creation. You also need to create an Event Grid event subscription to your web application to receive events. To that end, you use the URL configured in your web application to receive events as a webhook endpoint in your event subscription. Next steps for more information.
Important
Do you need sample code for another language or have questions? Please email us at [email protected].
Follow the instructions in the following two steps to complete set-up to receive Microsoft Graph API events using Event Grid:
- Activate the partner topic created as part of the Microsoft Graph API creation.
- Subscribe to events by creating an event subscription to your partner topic.
Other useful links:
- Azure Event Grid - Partner Events overview
- Information on Microsoft Graph API.
- Microsoft Graph API webhooks
- Best practices for working with Microsoft Graph API
- Microsoft Graph API SDKs
- Microsoft Graph API tutorials, which shows how to use Graph API. This article doesn't necessarily include examples for sending events to Event Grid.