I'm trying to post a subscription request to the Graph API via the https://graph.microsoft.com/v1.0/subscriptions endpoint. However, I keep getting this error:

   "code": "ExtensionError",
        "message": "Operation: Create; Exception: [Status Code: InternalServerError; Reason: Expected 1 response for tenant lookup for tenant id ... but received 0]

My request:

{
    "changeType": "created,updated",
    "notificationUrl": "https://.../notification",
    "resource": "communications/callRecords",
    "expirationDateTime": "2021-03-24T18:23:45.9356913Z",
    "clientState": "secretClientValue"
}

I'm able to get a token with my tenant id using grant_type = client_credentials (OAuth 2.0 client credentials grant flow). I do not understand why my tenant gives an error when subscribing, although token creation is successful. What am I doing wrong? Please help!

Thanks.

Update: Permissions of my application:

  1. Calendars.ReadWrite Application
  2. CallRecords.Read.All Application
  3. Directory.ReadWrite.All Application
  4. OnlineMeetings.Read.All Application

Admin consent is granted for all.

mrcy

1 Answer

I assume, since you say "grant_type = client_credentials (OAuth 2.0 client credentials grant flow)", that you are using the Delegated CallRecords.Read.All permission.

If you read this page, it says that CallRecord subscriptions only support the Application CallRecords.Read.All permission. So you have to use an application client for authentication and not client credentials.

===== UPDATE =====

Based on the comments, I can guess a number of possible problems:

Since the "free" Azure accounts don't have Teams licenses, one guess is that the subscription call will fail with something. This may be why it's failing for you with a weird message.

The other setup is that your Azure application is in the "free" account and the subscription is for another tenant (like your work tenant). For this to work you would need:

  • Azure application set to multi-tenant
  • admin consent in the work tenant by their admin
  • in the generate token call, the "myTenantId" has to be the tenant ID of the work tenant
Shane Powell
  • My application has Application type "CallRecords.Read.All" permission and I can see it when I decode the token also. – mrcy Mar 23 '21 at 06:07
  • At this point it’s only guessing at your problem. You need to provide more info like the code, this azure application setup, etc. – Shane Powell Mar 23 '21 at 06:17
  • What code can I share? My notification endpoint is working; the request is arriving and I reply with the decoded token just like explained here: https://learn.microsoft.com/en-us/graph/webhooks#notification-endpoint-validation I know this part works because I was getting different errors for that before. After fixing those, I started getting the tenant error which is shown in the original post. My Azure application is pretty dummy. Publisher domain is verified. Do not have any certificates, using client secret. Do not have any scope or roles defined as I think they are not necessary. – mrcy Mar 23 '21 at 07:09
  • Also my Azure account has only a free subscription, but afaik it should be enough. – mrcy Mar 23 '21 at 07:11
  • I would like to see all the code you use to generate the token – Shane Powell Mar 23 '21 at 07:12
  • I'm using Postman to generate the token. I am testing the subscription before writing all the code to make sure I set everything correctly on the Azure side. From Postman: POST https://login.microsoftonline.com/myTenantId/oauth2/v2.0/token with client_id: XX, scope: https://graph.microsoft.com/.default, client_secret: YY, grant_type: client_credentials – mrcy Mar 23 '21 at 09:07
  • Updated answer, maybe that would help you – Shane Powell Mar 23 '21 at 17:24
  • Updated answer did work for me. After getting a Microsoft Business 365 Basic license and signing up for Teams with a user in the tenant, subscription creation worked successfully. – mrcy Apr 01 '21 at 12:21
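
A diagnostic for the token checks discussed in the answer and comments, as an added example that is not part of the original thread: it decodes an access token's payload and checks that `tid` is the tenant the subscription targets and that CallRecords.Read.All arrives as an application permission (`roles` claim) rather than a delegated one (`scp`). The tenant IDs and the unsigned sample tokens are constructed, and the signature is not verified, so this is for troubleshooting only.

```python
import base64
import json

HOME_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed: app's own tenant
WORK_TENANT = "22222222-2222-2222-2222-222222222222"  # constructed: licensed tenant


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str, expected_tenant: str,
                required_role: str = "CallRecords.Read.All") -> list:
    """Return a list of findings; an empty list means the claims look right."""
    claims = decode_claims(token)
    findings = []
    if claims.get("tid") != expected_tenant:
        findings.append(f"tid is {claims.get('tid')!r}, expected {expected_tenant!r}")
    if required_role not in claims.get("roles", []):
        if required_role in claims.get("scp", "").split():
            findings.append(f"{required_role} is a delegated scope (scp), not an app role")
        else:
            findings.append(f"{required_role} missing from roles claim")
    return findings


def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Token requested against the app's home tenant, checked against the work tenant.
    token = make_sample({"tid": HOME_TENANT, "roles": ["CallRecords.Read.All"]})
    for finding in check_token(token, WORK_TENANT) or ["claims look right"]:
        print(finding)
```

Clean claims do not rule out the cause that was confirmed in this thread: the token was valid, but the tenant had no Teams license.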