
- Subscriptions: Imagine you want to be notified whenever a specific event happens – like when a new email arrives in your Outlook inbox, or a file is changed in OneDrive. Subscriptions in Microsoft Graph let you define exactly what you’re interested in. You specify the type of data (resource), the kind of change you want to track (like creation, update, or deletion), where you want the notifications sent (your notification URL), and how long you want the subscription to stay active.
- Webhooks: These are the destinations for the notifications triggered by your subscriptions. A webhook is essentially a URL in your application that is ready to receive and process these notifications. When a subscribed event occurs, Microsoft Graph sends a notification to this URL. Your application can then react in real-time, whether that’s by sending alerts, updating a dashboard, syncing data, or triggering other workflows.
Creating and managing subscriptions
To create a subscription, you need to make a POST request to the /subscriptions endpoint of Microsoft Graph, and provide the subscription properties in the request body. For example, the following request creates a subscription to the messages resource of the signed-in user, and specifies that the notification URL is https://mywebhook.azurewebsites.net/api/notify, and the subscription expires in one hour.
				
						POST https://graph.microsoft.com/v1.0/subscriptions
	Content-Type: application/json
	Authorization: Bearer {access-token}
	{
	"resource": "me/messages",
	"changeType": "created,updated",
	"notificationUrl": "http://mywebhook.azurewebsites.net/api/notify",
	"expirationDateTime": "2023-06-30T11:00:00.0000000Z"
	}
 
				
			
		The response will contain the subscription object with an id, which you can use to manage the subscription later. For example, you can update the subscription properties by making a PATCH request to the /subscriptions/{id} endpoint, or delete the subscription by making a DELETE request to the same endpoint.
You can also list all the subscriptions for the signed-in user by making a GET request to the /subscriptions endpoint, or get a specific subscription by making a GET request to the /subscriptions/{id} endpoint.
To create and manage subscriptions using the Microsoft Graph SDKs, you can use the SubscriptionRequestBuilder and SubscriptionRequest classes. For example, the following code snippet in C# creates a subscription to the messages resource of the signed-in user, using the same parameters as the previous request.
				
						var graphClient = new GraphServiceClient(authProvider);
	var subscription = new Subscription
	{
	Resource = "me/messages",
	ChangeType = "created,updated",
	NotificationUrl = "https://mywebhook.azurewebsites.net/api/notify",
	ExpirationDateTime = DateTimeOffset.Parse("2023-06-30T11:00:00.0000000Z")
	};
	var result = await graphClient.Subscriptions
	.Request()
	.AddAsync(subscription);
	Console.WriteLine($"Created subscription with id: {result.Id}");
 
				
			
		Handling notifications in your webhook
Once you have created a subscription, Microsoft Graph will send notifications to your webhook whenever the data changes according to the subscription criteria. The notifications will contain the subscription id, the resource URL, and the change type. You can use this information to retrieve the updated data from Microsoft Graph, or perform any other action based on your logic.
To handle the notifications in your webhook, you need to implement the following steps:
- Validate the notification URL: When you create a subscription, Microsoft Graph will send a validation request to your webhook, with a validationToken query parameter. You need to respond with a 200 OK status code and the validationToken value in the response body. This is to ensure that you own the webhook and prevent spoofing.
- Validate the notification payload: When you receive a notification, you need to validate the payload by checking the signature header. The signature header contains a SHA256 hash of the payload, encrypted with a certificate that you can download from Microsoft Graph. You need to decrypt the signature header using the certificate, and compare it with the hash of the payload. This is to ensure that the notification is authentic and not tampered with.
- Acknowledge the notification: After you validate the notification, you need to respond with a 202 Accepted status code within 30 seconds. This is to acknowledge that you have received the notification and prevent Microsoft Graph from resending it. If you do not respond within 30 seconds, or respond with an error code, Microsoft Graph will retry the delivery up to three times, with an exponential back-off interval.
- Process the notification: After you acknowledge the notification, you can process it according to your logic. For example, you can use the resource URL in the notification to get the updated data from Microsoft Graph, or trigger a workflow, or update a dashboard, or send an alert, or anything else that your application requires.
To handle the notifications using the Microsoft Graph SDKs, you can use the ChangeNotification and ChangeNotificationCollection classes. For example, the following code snippet in JavaScript validates and processes the notifications in a Node.js webhook, using the Express framework.
				
						const express = require('express');
	const crypto = require('crypto');
	const graph = require('@microsoft/microsoft-graph-client');
	const app = express();
	app.use(express.json());
	// Load the certificate from Microsoft Graph
	const certificate = fs.readFileSync('certificate.pem');
	// Handle the validation request
	app.get('/api/notify', (req, res) => {
	const validationToken = req.query.validationToken;
	if (validationToken) {
	res.send(validationToken);
	} else {
	res.sendStatus(400);
	}
	});
	// Handle the notification request
	const notification = req.body.value[0];
	app.post('/api/notify', (req, res) => {
	const signature = req.headers['x-microsoft-signature'];
	if (validateNotification(notification, signature)) {
	res.sendStatus(202);
	processNotification(notification);
	} else {
	res.sendStatus(403);
	}
	});
	// Validate the notification payload
	function validateNotification(notification, signature) {
	const payload = JSON.stringify(notification);
	const hash = crypto.createHash('sha256').update(payload).digest('hex');
	const decryptedSignature = crypto.publicDecrypt(certificate, Buffer.from(signature, 'base64')).toString('hex');
	return hash === decryptedSignature;
	}
	// Process the notification
	async function processNotification(notification) {
	const subscriptionId = notification.subscriptionId;
	const resource = notification.resource;
	const changeType = notification.changeType;
	console.log(`Received notification for subscription ${subscriptionId} on resource ${resource} with change type ${changeType}`);
	// Get the updated data from Microsoft Graph
	const client = graph.Client.init({
	authProvider: (done) => {
	done(null, {access-token}); // Get the access token from your auth provider
	}
	});
	const data = await client.api(resource).get();
	console.log(data);
	// Do something with the data, such as triggering a workflow, updating a dashboard, sending an alert, etc.
	}
	// Start the server
	app.listen(3000, () => {
	console.log('Server is listening on port 3000');
	});
 
				
			
		In this blog post, we have learned how to use Microsoft Graph Subscriptions and Webhooks to get real-time notifications from Microsoft 365 services. We have seen how to create and manage subscriptions using Microsoft Graph API and SDKs, and how to handle and process the notifications in our webhook. We have also shown some code examples using .NET and JavaScript to illustrate the concepts. We hope that this blog post has helped you to understand the benefits and possibilities of using Microsoft Graph Subscriptions and Webhooks in your applications.
To learn more, you can visit the official Microsoft site: Receive change notifications through webhooks – Microsoft Graph | Microsoft Learn


