
We created a Webhook for receiving "Delete" notifications when a user is deleted from Azure AD. But we're not receiving any notifications when we delete a user. In AAD the user is first placed in the recycle bin, but even if we remove the user from the recycle bin, we don't receive any notifications. We've tried our code with receiving emails -> that worked. And with changing a user in AAD -> that also worked. So we changed "updated" to "deleted" and no calls are triggered.

We started with the documentation (https://learn.microsoft.com/en-us/graph/webhooks) and the sample code provided by Microsoft (https://github.com/microsoftgraph/aspnet-webhooks-rest-sample).

We use Permission Scopes: User.Read.All & Directory.Read.All

Graph Webhook subscription: Resource: "users" ChangeType: "deleted"

When we specify "updated" as ChangeType, we received notifications, as expected. But ChangeType "deleted" was not giving any notifications. Is this not supported, or are we missing a permission... I hope someone can help.

Tony Ju
Christian
  • I'm also running into this issue, and the answer to this question didn't help me, so I posted a new question: https://stackoverflow.com/questions/60760219/not-receiving-microsoft-graph-change-notification – Andrew Rasmussen Mar 19 '20 at 15:59

1 Answer


When you've subscribed to deleted events, you will only get notifications for hard-deleted users. Users are almost always "soft-deleted" at first, and then get permanently deleted automatically after 30 days.

For both cases, the permission User.Read.All is sufficient.

When a user is "soft-deleted" an event is sent to apps subscribed to updated changes. Here's an example (you'll have to trust me that this was due to a soft-delete, since it's the same event for a regular attribute change):

{
    "value": [
        {
            "changeType": "updated",
            "clientState": null,
            "resource": "Users/514ffc40-afef-4ad9-bc1f-4ad3e425fcec",
            "resourceData": {
                "@odata.type": "#Microsoft.Graph.User",
                "@odata.id": "Users/514ffc40-afef-4ad9-bc1f-4ad3e425fcec",
                "id": "514ffc40-afef-4ad9-bc1f-4ad3e425fcec",
                "organizationId": "1c411c5e-78cc-4e89-af5e-169408a540b7",
                "sequenceNumber": 636921552671905776
            },
            "subscriptionExpirationDateTime": "2019-05-01T17:13:30.289+00:00",
            "subscriptionId": "cfbfa7fc-0771-4394-b563-cff3f8140d02",
            "tenantId": "1c411c5e-78cc-4e89-af5e-169408a540b7"
        }
    ]
}

When a user is permanently deleted (either naturally after 30 days, or manually by an admin), apps subscribed to deleted will get a notification. Here's an example:

{
    "value": [
        {
            "changeType": "deleted",
            "clientState": null,
            "resource": "Users/514ffc40-afef-4ad9-bc1f-4ad3e425fcec",
            "resourceData": {
                "@odata.type": "#Microsoft.Graph.User",
                "@odata.id": "Users/514ffc40-afef-4ad9-bc1f-4ad3e425fcec",
                "id": "514ffc40-afef-4ad9-bc1f-4ad3e425fcec",
                "organizationId": "1c411c5e-78cc-4e89-af5e-169408a540b7",
                "sequenceNumber": 636921556468034066
            },
            "subscriptionExpirationDateTime": "2019-05-01T17:13:30.289+00:00",
            "subscriptionId": "ce04c176-370d-4b67-9da6-05c441186756",
            "tenantId": "1c411c5e-78cc-4e89-af5e-169408a540b7"
        }
    ]
}
Philippe Signoret
  • Thank you for your answer. We've got it working now. One remark that could help other developers: it will take a couple of minutes before a notification arrives. When debugging the sample with "receiving an email" we received a notification within seconds. When debugging the deleted user we didn't receive a notification, so it seemed. After about 5 to 10 minutes we received the notification, so be patient ;-) – Christian Apr 30 '19 at 09:31
  • Can you subscribe to new AD users in a similar way? or is it only updated or deleted users? Thanks. – finisterre Apr 30 '19 at 16:46
  • @finisterre When I add "created" as a changeType, I receive an error that this is an invalid changeType. So I think the answer is "no, you can't". "updated" and "deleted" do work. – Christian May 01 '19 at 12:52
  • From the [docs](https://learn.microsoft.com/en-us/graph/api/resources/subscription?view=graph-rest-1.0): "User and group notifications support `updated` and `deleted` changeType." When a new user is created, apps subscribed to `updated` will get a notification. – Philippe Signoret May 03 '19 at 21:52
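The answer above leaves the receiver with two practical problems: a soft delete arrives as a plain `updated` notification that is indistinguishable from an attribute change, and the `deleted` notification can trail it by up to 30 days, which is far too late for offboarding automation. The following is an added example (not code from the question, the answer, or Microsoft's aspnet-webhooks-rest-sample) of a Python receiver that resolves both. It assumes a single subscription on resource `users` with changeType `updated,deleted` (the subscription resource accepts a comma-separated list), a non-null `clientState` that the app sets and then verifies (the captures above show `clientState: null`, which means nobody who learns the notification URL can be kept from posting forged notifications), and a caller-supplied `is_soft_deleted(user_id)` lookup that in production would call `GET /directory/deletedItems/microsoft.graph.user/{id}` on Graph; here it is stubbed with a constructed recycle-bin set. The `EXPECTED_CLIENT_STATE` value, the second user id and the `example.invalid` URL are constructed for the example.

```python
"""Microsoft Graph change-notification receiver for Azure AD users.

Added example, not the page's or Microsoft's code. Assumes one subscription
(resource "users", changeType "updated,deleted") created with the clientState
below, and a lookup that queries /directory/deletedItems/microsoft.graph.user/{id}
to tell a soft delete apart from an ordinary attribute change.
"""
import hmac
import json
from typing import Callable, Dict, List, Optional, Tuple

# Assumed: the secret we passed as clientState when creating the subscription.
EXPECTED_CLIENT_STATE = "example-client-state-7d0f3b"


def build_subscription(notification_url: str, expiration: str,
                       client_state: str = EXPECTED_CLIENT_STATE) -> Dict:
    """Body for POST /subscriptions; one subscription covers soft and hard deletes."""
    return {
        "changeType": "updated,deleted",
        "notificationUrl": notification_url,
        "resource": "users",
        "expirationDateTime": expiration,
        "clientState": client_state,
    }


def validation_response(query: Dict[str, str]) -> Optional[Tuple[int, str, str]]:
    """On subscription creation Graph probes notificationUrl with ?validationToken=...
    and expects the token echoed back as text/plain. Returns (status, content type, body)."""
    token = query.get("validationToken")
    if token is None:
        return None
    return 200, "text/plain", token


def classify(notification: Dict, is_soft_deleted: Callable[[str], bool],
             expected_client_state: str = EXPECTED_CLIENT_STATE) -> str:
    """Return 'rejected', 'hard-deleted', 'soft-deleted' or 'updated'.

    The POST is unauthenticated, so the clientState we chose is the only thing
    binding a message to our subscription; a missing or wrong value is rejected."""
    received = notification.get("clientState") or ""
    if not hmac.compare_digest(received, expected_client_state):
        return "rejected"
    change = notification.get("changeType")
    user_id = notification.get("resourceData", {}).get("id", "")
    if change == "deleted":
        return "hard-deleted"          # only once the object leaves the recycle bin
    if change == "updated":
        # A soft delete looks exactly like an attribute change; ask Graph whether
        # the user now sits in /directory/deletedItems (stubbed by the lookup here).
        return "soft-deleted" if is_soft_deleted(user_id) else "updated"
    return "rejected"


def process_payload(body: str, is_soft_deleted: Callable[[str], bool],
                    expected_client_state: str = EXPECTED_CLIENT_STATE) -> List[Tuple[str, str]]:
    """Parse the POSTed JSON and classify each entry in `value`. The HTTP handler
    should respond 202 promptly and run this off the request path."""
    payload = json.loads(body)
    return [(n.get("resourceData", {}).get("id", ""),
             classify(n, is_soft_deleted, expected_client_state))
            for n in payload.get("value", [])]


# --- constructed sample data, modelled on the two captures in the answer ---
SOFT_DELETED_ID = "514ffc40-afef-4ad9-bc1f-4ad3e425fcec"
ACTIVE_ID = "0b7d5b1a-2c3e-4f60-9a8b-1d2e3f4a5b6c"      # constructed id
SAMPLE_RECYCLE_BIN = {SOFT_DELETED_ID}                 # stands in for deletedItems


def sample_is_soft_deleted(user_id: str) -> bool:
    return user_id in SAMPLE_RECYCLE_BIN


def _notification(change_type: str, user_id: str, client_state) -> Dict:
    return {
        "changeType": change_type,
        "clientState": client_state,
        "resource": f"Users/{user_id}",
        "resourceData": {"@odata.type": "#Microsoft.Graph.User",
                         "@odata.id": f"Users/{user_id}", "id": user_id},
        "subscriptionId": "cfbfa7fc-0771-4394-b563-cff3f8140d02",
    }


SAMPLE_BODY = json.dumps({"value": [
    _notification("updated", SOFT_DELETED_ID, EXPECTED_CLIENT_STATE),  # soft delete
    _notification("updated", ACTIVE_ID, EXPECTED_CLIENT_STATE),        # attribute change
    _notification("deleted", SOFT_DELETED_ID, EXPECTED_CLIENT_STATE),  # purged after 30 days
    _notification("updated", SOFT_DELETED_ID, None),                   # forged: no clientState
]})


def run_sample() -> List[Tuple[str, str]]:
    return process_payload(SAMPLE_BODY, sample_is_soft_deleted)


if __name__ == "__main__":
    for uid, verdict in run_sample():
        print(uid, verdict)
```

Two design points matter for an offboarding pipeline. First, treat "soft-deleted" as the trigger: the account is still in the tenant and can be restored from the recycle bin for 30 days, so sessions, tokens and downstream provisioning should be revoked on that signal, not on the eventual `deleted` notification. Second, the notification carries only ids; fetch the current object from Graph with the app's own credentials rather than acting on anything in the POST body, and keep `clientState` set and checked on every subscription.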