Graph API: Subscriptions - How can I access or delete subscriptions created by other users/applications?

Ingo2021atMS 1 Reputation point
2021-09-07T12:58:50.197+00:00

Sending a GET request for subscriptions (https://graph.microsoft.com/v1.0/subscriptions) gives the following results:

  • Requesting with application permissions, I only get the subscriptions which were created by the application.
  • Requesting with a delegated token (where the user is an admin), I get all subscriptions of users and apps listed (the permission Subscription.Read.All must be set).

But accessing a subscription (https://graph.microsoft.com/v1.0/subscriptions/{id}) to show, update or delete it works only for the subscriptions created by the admin user.

If I try to access another subscription with a GET request, I get this:

{
    "error": {
        "code": "ExtensionError",
        "message": "Operation: Read; Exception: [Status Code: Forbidden; Reason: Access is denied. Check credentials and try again.]",
        "innerError": {
            "date": "2021-09-07T13:01:15",
            "request-id": "f7ddf8bd-562d-487b-bde0-d64b25fd78a8",
            "client-request-id": "8806f229-e11d-491f-94f5-207bd0f7103a"
        }
    }
}

Is there a way to access (show, update, delete) other subscriptions which were not created by the user (the user has admin rights)?
Is that possible?
And if so, what must be done additionally? Adding some special roles?
I hope someone can help me.
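An added example (not code from the question or from Microsoft) that works through the situation described above: it takes a constructed subscription listing as an admin with a delegated token and Subscription.Read.All would receive it, separates the subscriptions the caller can manage from those it can only see, and recognizes the 403 body quoted above. The ownership rule (same application and same creator) and every id, user and URL in it are assumptions.

```python
import json

# Constructed sample of what GET https://graph.microsoft.com/v1.0/subscriptions returns
# to an admin using a delegated token with Subscription.Read.All. Property names are
# the real Graph subscription properties; every id, user and URL is a made-up placeholder.
SAMPLE_LIST = json.loads("""{"value": [
 {"id": "sub-0001", "applicationId": "app-aaaa", "creatorId": "user-admin",
  "resource": "users/admin@contoso.example/messages", "changeType": "created",
  "notificationUrl": "https://hooks.contoso.example/graph"},
 {"id": "sub-0002", "applicationId": "app-bbbb", "creatorId": "user-alice",
  "resource": "users/alice@contoso.example/messages", "changeType": "created,updated",
  "notificationUrl": "https://example.invalid/collect"},
 {"id": "sub-0003", "applicationId": "app-aaaa", "creatorId": "user-bob",
  "resource": "/drives/drive-1/root", "changeType": "updated",
  "notificationUrl": "https://hooks.contoso.example/graph"}
]}""")

# Constructed copy of the 403 body quoted in the question (request ids redacted).
SAMPLE_FORBIDDEN = {"error": {"code": "ExtensionError",
    "message": "Operation: Read; Exception: [Status Code: Forbidden; Reason: Access is denied. Check credentials and try again.]",
    "innerError": {"date": "2021-09-07T13:01:15", "request-id": "<redacted>", "client-request-id": "<redacted>"}}}

def is_foreign_subscription_error(status, body):
    """True when GET/PATCH/DELETE on /subscriptions/{id} failed the way the question shows:
    HTTP 403 whose ExtensionError message wraps an inner 'Status Code: Forbidden'."""
    if status != 403:
        return False
    err = body.get("error", {})
    return err.get("code") == "ExtensionError" and "Status Code: Forbidden" in err.get("message", "")

def audit_subscriptions(listing, own_app_id, own_user_id):
    """Partition a listing into subscriptions this caller can manage directly and ones it can
    only see. Assumption (matching the behaviour reported in the question): a subscription is
    manageable only when this app created it and, for delegated calls, this user created it."""
    report = {"manageable": [], "visible_only": []}
    for sub in listing["value"]:
        own = sub.get("applicationId") == own_app_id and sub.get("creatorId") == own_user_id
        entry = {k: sub.get(k) for k in ("id", "resource", "applicationId", "creatorId", "notificationUrl")}
        report["manageable" if own else "visible_only"].append(entry)
    return report

def owners_to_contact(report):
    """Group the subscriptions the caller cannot manage by (applicationId, creatorId): since the
    admin token alone gets the 403 above, those are the identities that must update or delete them."""
    owners = {}
    for entry in report["visible_only"]:
        owners.setdefault((entry["applicationId"], entry["creatorId"]), []).append(entry["id"])
    return owners
```

Running the audit with the admin's own app and user id leaves only sub-0001 as manageable; the other two are grouped under the app/user pair that created them.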


2 answers

  1. Shweta Choudhary 601 Reputation points Microsoft Employee
    2021-09-08T08:43:16.187+00:00

    Most commonly, an application wants to retrieve subscriptions that it originally created for the currently signed-in user, or for all users in the directory (work/school accounts). These scenarios do not require any special permissions beyond the ones the app used originally to create its subscriptions.


    In some cases, an app wants to retrieve subscriptions created by other apps. For example, a user wants to see all subscriptions created by any app on their behalf. Or, an administrator may want to see all subscriptions from all apps in their directory. For such scenarios, a delegated permission Subscription.Read.All is required.


    Additional limitations apply for subscriptions on Outlook items. The limitations apply to creating as well as managing (getting, updating, and deleting) subscriptions. Delegated permission supports subscribing to items in folders in only the signed-in user's mailbox. For example, you cannot use the delegated permission Calendars.Read to subscribe to events in another user’s mailbox.

    Additional limitations apply for subscriptions on OneDrive items. The limitations apply to creating as well as managing (getting, updating, and deleting) subscriptions.

    Refer to the documentation here for more details.

    Thanks.


  2. Ingo2021atMS 1 Reputation point
    2021-09-08T09:33:07.703+00:00

    This will only work for list subscriptions (described as an advanced scenario), and yes, that worked for getting the full subscription list, but not for accessing a single subscription with a GET, PATCH or DELETE request when it is not my own.

    Have you really tried it, or have you tested it only with list subscriptions?

    If this really worked for you with single subscriptions, then please write to me what you did additionally.

    I tried app access with C#, but I know this will not work for all subscriptions, because Subscription.Read.All is a delegated permission.

    I used Postman for that for getting (configured as described here: https://learn.microsoft.com/en-us/graph/use-postman).
    There I tested it with delegated permissions (admin user) and app permissions. I checked, and it was correct.
    So I got the complete subscription list with delegated permissions (admin user) but only my own subscription list with app permissions, as expected.

    Accessing a single subscription (not one of my own) failed with delegated permissions as admin and the permission Subscription.Read.All, the needed resource permission.

    That was not expected for me, but I re-read the documentation again and Microsoft didn't write the advanced scenario for getting, updating or deleting a subscription:
    https://learn.microsoft.com/en-us/graph/api/subscription-get?view=graph-rest-1.0
    https://learn.microsoft.com/en-us/graph/api/subscription-update?view=graph-rest-1.0
    https://learn.microsoft.com/en-us/graph/api/subscription-delete?view=graph-rest-1.0

    So if it worked for you, please write what you did additionally.
