Commit a6bd8ab

Merge pull request #28259 from microsoftgraph/isgupta-patch-1
Clarify ExplicitAccessGrantRequired flag for notifications
2 parents 2e21d70 + d9429f9 commit a6bd8ab

1 file changed

Lines changed: 11 additions & 0 deletions

concepts/change-notifications-with-resource-data.md

@@ -29,6 +29,14 @@ Rich notifications include resource data with these details:
2929
- All property values of the resource instance, encrypted as specified in the subscription, found in the **encryptedContent** property.
3030
- Specific properties of the resource, depending on the resource, or if requested using a `$select` parameter in the **resource** URL of the subscription.
3131

32+
### Application configuration for notifications
33+
34+
Before creating a subscription with resource data, configure application access for the service principal object representing the tenant-app pair by setting the **appRoleAssignmentRequired** property as follows::
35+
- [Recommended] Setting it to `false`. [Learn how to configure this property](./tutorial-applications-basics.md#restrict-sign-in-to-only-users-assigned-all-roles-on-the-app).
36+
- Alternatively, if the property must remain `true`, explicitly assign the *Microsoft Graph Change Tracking* service principal (**appId** is `0bf30f3b-4a52-48df-9a82-234910c4a086`) a resource app role supported by the Microsoft Graph resource. [Learn how to grant app roles to a service principal](./permissions-grant-via-msgraph.md?pivots=grant-application-permissions#step-2-grant-an-app-role-to-a-client-service-principal).
37+
38+
If neither condition is met, the notification payload will contain a `null` [validation token](#validation-tokens-in-the-change-notification).
39+
3240
## Create a subscription
3341

3442
To set up rich notifications, follow the same steps as [basic change notifications](/graph/api/subscription-post-subscriptions), but include these required properties:
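
Review bot: The recommended option at new line 35 tells the reader to set **appRoleAssignmentRequired** to `false` without saying what that changes. The linked anchor (`#restrict-sign-in-to-only-users-assigned-all-roles-on-the-app`) shows this is the property that restricts sign-in to assigned users, so a reader who follows the recommendation lifts that restriction on the app. Add a sentence stating the trade-off so that tenants relying on assignment know to take the second option instead. In the second option (new line 36), "a resource app role supported by the Microsoft Graph resource" does not say which role is needed; name it or link to the list of roles. Two smaller points: "as follows::" on new line 34 has a doubled colon, and the commit title refers to ExplicitAccessGrantRequired while the added text only uses **appRoleAssignmentRequired**, so either explain how the two names relate or use one of them throughout.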
@@ -105,6 +113,9 @@ Rich notifications include a **validationTokens** property, which contains an ar
105113
106114
In the following example, the change notification contains two items for the same app, and for two different tenants, therefore the **validationTokens** array contains two tokens that need to be validated.
107115

116+
> [!TIP]
117+
> A `null` value for **validationTokens** indicates Microsoft Graph couldn't encrypt the resource data due to incorrect app configuration. Review the [Application configuration for notifications](#application-configuration-for-notifications) section to fix this issue.
118+
108119
```json
109120
{
110121
"value": [
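
Review bot: The tip at new lines 116-118 sits between the sentence "In the following example, the change notification contains two items ..." and the JSON block that sentence introduces, so the lead-in no longer sits next to its example; move the tip above that sentence or below the example. The wording also differs from the section added earlier in this commit: there the payload "will contain a `null` validation token", here a `null` **validationTokens** means Microsoft Graph "couldn't encrypt the resource data". State the condition once, using the property name, and say whether **encryptedContent** is still present in that case. Since this describes a misconfiguration that leaves the receiver with nothing to validate, a `[!NOTE]` or `[!IMPORTANT]` callout fits better than `[!TIP]`, and the text should say that a receiver must not treat a `null` value as a passed validation.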
