Does renewing subscriptions with PATCH work?

[icelava]

https://learn.microsoft.com/en-us/graph/change-notifications-lifecycle-events?tabs=http
https://learn.microsoft.com/en-us/graph/api/subscription-update?view=graph-rest-1.0&tabs=http

I am subscribing to Teams channel messages to report updates to Power Automate webhook workflow.

foreach (var team in _settings.TeamsSub)
{
	foreach (var channel in team.Channels)
	{
		Console.WriteLine($"Subscribe to {team.Name} channel {channel.Key} {channel.Value}");

		var subscription = new Subscription
		{
			ChangeType = "updated",
			Resource = $"/teams/{team.Id}/channels/{channel.Value}/messages",
			NotificationUrl = _settings.SubscriptionWebhook,
			ClientState = _settings.SubscriptionClientState,
			ExpirationDateTime = DateTime.UtcNow.AddHours(1),
			LifecycleNotificationUrl = _settings.LifecycleWebhook
		};
	
		try
		{
			var createdSubscription = await _userClient.Subscriptions.PostAsync(subscription);
			Console.WriteLine($"Subscription ID {createdSubscription.Id}");
		}
		catch (Exception e)
		{
			Console.WriteLine(e.Message);
		}
	}
}

There's a separate workflow to handle lifecycle events (because it got so nested and complicated it broke Power Automate and couldn't save the workflow) and its job is just to re-subscribe on reauthorizationRequired event by PATCH request to https://graph.microsoft.com/v1.0/subscriptions/{id} with the HTTP With Entra ID connector. It has been configured with the custom ManagePermissionGrant.ps1 to grant Subscription.Read.All ChannelMessage.Read.All permissions and using my user credentials.

When the workflow executes the PATCH request fails

{
    "error": {
        "code": "ExtensionError",
        "message": "Operation: Update; Exception: [Status Code: Forbidden; Reason: Writes are not allowed for the specified subscription with Id 'DIFFERENT_GUID_FROM_SUBSCRIPTION' by the caller]",
        "innerError": {
            "date": "2025-03-24T14:06:10",
            "request-id": "requestId",
            "client-request-id": "clientRequestId"
        }
    }
}

When I make the PATCH request via Graph Explorer

{
    "error": {
        "code": "ExtensionError",
        "message": "Operation: Update; Exception: [Status Code: NotFound; Reason: No subscription found for tenantId: 'tenantId' and subscriptionId: 'DIFFERENT_GUID_FROM_SUBSCRIPTION']",
        "innerError": {
            "date": "2025-03-26T06:43:30",
            "request-id": "requestId",
            "client-request-id": "clientRequestId"
        }
    }
}

But Graph API still sends validation requests to the Power Automate webhook URLs on that request.

How are subscriptions supposed to be renewed properly?

[icelava]

For Graph Explorer it appears the initial application permission setup did not grant Subscription.Read.All. After granting that the error message becomes consistent with the one from Power Automate HTTP request.

So are subscriptions even modifiable? There are no other permissions for the Subscription category.

[icelava]

Oh my goodness found out the core problem.

On learning Graph API, I was extending the tutorial C# code base to test the subscriptions which is its own app in Entra ID. I then subsequently tested the renew PATCH request from Power Automate (Entra ID connector) and Graph Explorer which turns out them being their own apps are not allowed to modify the subscriptions of the tutorial app even though they use my delegated credentials and granted the same permissions.

So in order for Power Automate to renew subscriptions, they must have been originally subscribed from Power Automate. Vice versa for Graph Explorer.

The documentation doesn’t mention such restrictions.