Not receiving a request on our MS Graph Webhook for deleting a User in AAD

时光毁灭记忆、已成空白 submitted on 2020-03-23 07:58:19

Question


We created a Webhook for receiving "Delete" notifications when a user is deleted from Azure AD. But we're not receiving any notifications when we delete a user. In AAD the user is first placed in the recycle bin, but also if we remove the user from the recycle bin, we don't receive any notifications. We've tried our code with receiving emails -> that worked. And with changing a user in AAD -> that also worked. So we changed "updated" to "deleted" and no calls are triggered.

We started with the documentation (https://docs.microsoft.com/en-us/graph/webhooks) and the sample code provided by Microsoft (https://github.com/microsoftgraph/aspnet-webhooks-rest-sample).

We use Permission Scopes: User.Read.All & Directory.Read.All

Graph Webhook subscription: Resource: "users" ChangeType: "deleted"

When we specify "updated" as ChangeType, we received notifications, as expected. But ChangeType "deleted" was not giving any notifications. Is this not supported, or are we missing a permission... I hope someone can help.


Answer 1:


When you've subscribed to deleted events, you will only get notifications for hard-deleted users. Users are almost always "soft-deleted" at first, and then get permanently deleted automatically after 30 days.

For both cases, the permission User.Read.All is sufficient.

When a user is "soft-deleted" an event is sent to apps subscribed to updated changes. Here's an example (you'll have to trust me that this was due to a soft-delete, since it's the same event for a regular attribute change):

{
    "value": [
        {
            "changeType": "updated",
            "clientState": null,
            "resource": "Users/514ffc40-afef-4ad9-bc1f-4ad3e425fcec",
            "resourceData": {
                "@odata.type": "#Microsoft.Graph.User",
                "@odata.id": "Users/514ffc40-afef-4ad9-bc1f-4ad3e425fcec",
                "id": "514ffc40-afef-4ad9-bc1f-4ad3e425fcec",
                "organizationId": "1c411c5e-78cc-4e89-af5e-169408a540b7",
                "sequenceNumber": 636921552671905776
            },
            "subscriptionExpirationDateTime": "2019-05-01T17:13:30.289+00:00",
            "subscriptionId": "cfbfa7fc-0771-4394-b563-cff3f8140d02",
            "tenantId": "1c411c5e-78cc-4e89-af5e-169408a540b7"
        }
    ]
}

When a user is permanently deleted (either naturally after 30 days, or manually by an admin), apps subscribed to deleted will get a notification. Here's an example:

{
    "value": [
        {
            "changeType": "deleted",
            "clientState": null,
            "resource": "Users/514ffc40-afef-4ad9-bc1f-4ad3e425fcec",
            "resourceData": {
                "@odata.type": "#Microsoft.Graph.User",
                "@odata.id": "Users/514ffc40-afef-4ad9-bc1f-4ad3e425fcec",
                "id": "514ffc40-afef-4ad9-bc1f-4ad3e425fcec",
                "organizationId": "1c411c5e-78cc-4e89-af5e-169408a540b7",
                "sequenceNumber": 636921556468034066
            },
            "subscriptionExpirationDateTime": "2019-05-01T17:13:30.289+00:00",
            "subscriptionId": "ce04c176-370d-4b67-9da6-05c441186756",
            "tenantId": "1c411c5e-78cc-4e89-af5e-169408a540b7"
        }
    ]
}
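
Added example (not part of the original answer or of Microsoft's sample): because a soft-delete arrives as an ordinary "updated" notification, a receiver has to look up whether the user now sits in the recycle bin to tell the cases apart. The names classify, in_deleted_items and expected_state are hypothetical; the recycle-bin lookup is injected as a callback so the block runs offline on a constructed batch built from the two payloads above.

```python
import hmac
import json

# Constructed sample: a subset of fields from the two notification bodies above, merged into one batch.
SAMPLE = json.loads("""
{"value": [
  {"changeType": "updated", "clientState": null,
   "resource": "Users/514ffc40-afef-4ad9-bc1f-4ad3e425fcec",
   "resourceData": {"id": "514ffc40-afef-4ad9-bc1f-4ad3e425fcec"},
   "subscriptionId": "cfbfa7fc-0771-4394-b563-cff3f8140d02"},
  {"changeType": "deleted", "clientState": null,
   "resource": "Users/514ffc40-afef-4ad9-bc1f-4ad3e425fcec",
   "resourceData": {"id": "514ffc40-afef-4ad9-bc1f-4ad3e425fcec"},
   "subscriptionId": "ce04c176-370d-4b67-9da6-05c441186756"}
]}
""")


def classify(body, in_deleted_items, expected_state=None):
    """Return a list of (user_id, event), one per notification in body.

    in_deleted_items(user_id) -> bool is a hypothetical callback; in a real
    receiver it would ask Graph whether the id is under directory/deletedItems
    (the recycle bin). expected_state is the clientState the subscription was
    created with, or None if none was set (as in the sample above).
    """
    events = []
    for n in body.get("value", []):
        state = n.get("clientState")
        if expected_state is not None and not (
            isinstance(state, str) and hmac.compare_digest(state.encode(), expected_state.encode())
        ):
            events.append((None, "rejected"))  # clientState does not match our subscription
            continue
        user_id = (n.get("resourceData") or {}).get("id")
        change = n.get("changeType")
        if change == "deleted":
            events.append((user_id, "hard_deleted"))  # permanently removed
        elif change == "updated" and user_id and in_deleted_items(user_id):
            events.append((user_id, "soft_deleted"))  # moved to the recycle bin
        elif change == "updated":
            events.append((user_id, "updated"))  # ordinary attribute change
        else:
            events.append((user_id, "ignored"))
    return events
```
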


Source: https://stackoverflow.com/questions/55904620/not-receiving-a-request-on-our-ms-graph-webhook-for-deleting-a-user-in-aad
