Azure Microsoft Graph API - Subscription - validation request failed

Question

I try to set up a notification for changes in Azure user data ( https://docs.microsoft.com/en-us/graph/webhooks ).

I send a request from a local client to the Azure Graph API and I have a publicly available server (with SSL) in the payload of the request as notification URL.

Azure now sends a posts request to my server (like in the documentation - exact post request see below) and I try to send the token I got back (like in the documentation). But I always get the following error message "Subscription validation request failed. Response must exactly match validationToken query parameter."

Post request from Azure:

Path: /?validationToken=Validation%3a+Testing+client+application+reachability+for+subscription+Request-Id%3a+3b3f9821-ce3f-23d9-879b-00a23f3 Body: is empty

I tried every part and encoding of the path (like just the request ID or the whole path) but I always get the error message. So whats the right thing to send back?

Answer 1

Firstly, the validation token you receive should be treated as an opaque value and returned unchanged and the error Subscription validation request failed. Response must exactly match validationToken query parameter Subscription validation request failed. Response must exactly match validationToken query parameter is trying to tell you that something changed.

Since the validation token comes to you as a URL query parameter, make sure you're working with a properly decoded value in your code before returning it .

Here is the relevant documentation from Microsoft Docs: Notification endpoint validation

POST https://{notificationUrl}?validationToken={opaqueTokenCreatedByMicrosoftGraph}

Other requirements(from the same reference):

• response within 10 seconds
• 200 (OK) status code.
• content type must be text/plain.
• body must include the validation token.

Code Samples

ASP.NET MVC Sample - Specifically look at the NotificationController.cs file

    [HttpPost]
    public async Task<ActionResult> Listen()
    {

        // Validate the new subscription by sending the token back to Microsoft Graph.
        // This response is required for each subscription.
        if (Request.QueryString["validationToken"] != null)
        {
            var token = Request.QueryString["validationToken"];
            return Content(token, "plain/text");
        }

Node.js code sample - Specifically look at listen.js

/* Default listen route */
listenRouter.post('/', (req, res, next) => {
  let status;
  let clientStatesValid;

  // If there's a validationToken parameter in the query string,
  // then this is the request that Office 365 sends to check
  // that this is a valid endpoint.
  // Just send the validationToken back.
  if (req.query && req.query.validationToken) {
    res.send(req.query.validationToken);
    // Send a status of 'Ok'
    status = 200;
  }

Answer 2

You should return the validationToken from the query string with an HTTP 200 response code. You also have to do that within a few seconds, or the graph will fail the request and your call to create the subscription will fail.

Here is an example of the validation endpoint in ASP.NET Web API 2:

public ActionResult<string> Post([FromQuery]string validationToken = null)
{
    if(!string.IsNullOrEmpty(validationToken))
    {
        Console.WriteLine($"Token: '{validationToken}'");
        return Ok(validationToken);
    }
}