Real-Time Notifications with Microsoft Graph API Subscriptions: Syncing Data into Power Automate
Hamza Khan
Microsoft Power Platform | Dynamics 365 CRM | Senior Software Engineer @ Imperium Dynamics
The Microsoft Graph API is like a secret agent in the world of Microsoft 365 – always watching, ready to report the latest happenings with users, groups, messages, and more. If you want to stay ahead of the game, creating a subscription is a fantastic way to receive real-time updates when changes occur, so you can automate workflows in Power Automate and avoid constantly refreshing your screen (you know you've done it).
In this scenario, we'll look at how to sync your Azure Active Directory (AAD) with a "User" table in Dataverse. While AAD sync support exists by default, we'll dive in to demystify how Microsoft Graph API subscriptions work behind the scenes.
Step 1: Register an App in Azure Active Directory
Before the Graph API can send you exciting updates, it needs to know you exist. First we'll register an app in Azure Active Directory (AAD) so it can find you.
1. Log in to the Azure Portal – You know, that place with all the buttons.
2. Navigate to Azure Active Directory > App registrations and select New registration.
3. Give your app a name (try to resist the urge to name it something like "TotallyNotSpyingApp").
4. Head over to the API permissions tab and select Add a permission > Microsoft Graph.
5. Add the necessary permissions, and don’t be shy – here are the ones that work best for this mission:
- Delegated permissions: User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All
- Application permissions: User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All
6. Grant admin consent – we don’t want any "permission denied" drama later.
Step 2: Generate a Client Secret
This part is like giving your app a top-secret password so it can sneak around and get the info you need.
1. In your app’s Certificates & secrets section, click New client secret.
2. Add a description and set an expiration period (don’t pick "never" – secrets don’t last forever!).
3. Copy the client secret value and store it in a safe place. You’ll need it later to talk to the API, so keep it handy.
Step 3: Set Up a Microsoft Graph API Subscription
Now that your app has its credentials, it’s time to create a subscription, so Microsoft Graph knows what to keep an eye on. We'll need an access token and a few other details. Think of this as setting up your personal spy network (minus the trench coats).
Generate Access Token:
To generate an access token, you'll need to make a POST request with your app’s details. Here’s the recipe:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
- Request Body:
grant_type: client_credentials
client_id: <Client ID>
client_secret: <Client Secret>
scope: https://graph.microsoft.com/.default
Once executed, you should get a 200 OK response – like a little thumbs-up from Azure, telling you your app is cleared for action.
Here's how you will be implementing this in Power Automate:
Create the Subscription:
Armed with the access token, it's time to set up the subscription. Here’s what you’ll need:
- changeType: The type of changes to monitor (created, updated, or deleted – no point in tracking anything boring).
- notificationUrl: The endpoint where Microsoft will drop off its updates.
- resource: The path you want to subscribe to, such as /users or /groups.
- expirationDateTime: How long your subscription should last (subscriptions have a max lifetime, like an overly cautious bodyguard).
- clientState: A secret value that Microsoft will return to ensure you’re the one getting the updates.
Sample Request:
POST https://graph.microsoft.com/v1.0/subscriptions
Content-Type: application/json
Authorization: Bearer {access_token}
{
  "changeType": "created,updated,deleted",
  "notificationUrl": "https://your_notification_url.com/api/webhook",
  "resource": "/users",
  "expirationDateTime": "2024-01-01T18:23:45.9356913Z",
  "clientState": "secretClientValue"
}
When you see that subscription ID in the response, you’re in business!
How Does a Subscription Actually Work?
Think of the subscription as a vigilant gatekeeper. When your notificationUrl endpoint is called, Azure sends a validation token, like saying, "Hey, are you there?" Once validated (your HTTP trigger should return the token with a 200 status), the Graph API will keep an eye out for any resource changes and send another request when something happens.
But wait, there’s more! If your subscription is about to expire, it will notify your lifecycleNotificationUrl. You can renew the subscription using a request to keep your workflow uninterrupted.
Renewing the Subscription
When the expiration date looms (think of it like a subscription service that doesn’t auto-renew), you’ll want to renew it with this request:
PATCH https://graph.microsoft.com/v1.0/subscriptions/{subscriptionId}
Content-Type: application/json
Authorization: Bearer {access_token}
{
  "expirationDateTime": "2024-01-01T18:23:45.9356913Z"
}
Remember to renew it before it expires. You don’t want to miss out on the juicy updates about your users and resources!
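One way to decide when to send that PATCH, written in Python as an added example (not code from the original article or from Microsoft). The 41,760-minute limit for directory resources, the one-day renewal margin, the five-minute cushion, and all function names are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed limit for /users and other directory objects (41,760 minutes);
# confirm it against the current Microsoft Graph documentation.
MAX_LIFETIME = timedelta(minutes=41760)
RENEW_MARGIN = timedelta(hours=24)   # hypothetical: renew one day ahead
SKEW = timedelta(minutes=5)          # hypothetical cushion below the limit


def parse_graph_time(value):
    """Parse a UTC timestamp like 2024-01-01T18:23:45.9356913Z."""
    text = value.rstrip("Z")
    head, _, frac = text.partition(".")
    # Graph sends 7 fractional digits; datetime stores only 6 (microseconds).
    micros = int(frac[:6].ljust(6, "0")) if frac else 0
    base = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def format_graph_time(moment):
    """Format an aware datetime in the 7-digit style used by the article."""
    utc = moment.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.%f") + "0Z"


def plan_renewal(subscription, now, lifetime=MAX_LIFETIME):
    """Return (decision, request); request is (method, url, body) or None."""
    expires = parse_graph_time(subscription["expirationDateTime"])
    if expires <= now:
        # Too late to PATCH: the subscription must be created again.
        return "recreate", None
    if expires - now > RENEW_MARGIN:
        return "ok", None
    new_expiry = now + min(lifetime, MAX_LIFETIME) - SKEW
    url = "https://graph.microsoft.com/v1.0/subscriptions/" + subscription["id"]
    body = {"expirationDateTime": format_graph_time(new_expiry)}
    return "renew", ("PATCH", url, body)


# Constructed sample using the expiration timestamp from the article.
SAMPLE = {"id": "constructed-subscription-id",
          "expirationDateTime": "2024-01-01T18:23:45.9356913Z"}
```

Running plan_renewal on a schedule (for example from a recurring flow) keeps the subscription alive even if a lifecycle notification is missed.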
Using the Subscription in Power Automate
Now for the fun part – putting all this to work in Power Automate. When the HTTP trigger in Power Automate receives a notification from Graph API, parse the JSON payload to identify the changeType (created, updated, deleted) and perform actions like:
- Adding a new user to Dataverse when changeType is "created"
- Updating user info when changeType is "updated"
- Archiving user data if changeType is "deleted"
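The validation handshake and clientState check described under "How Does a Subscription Actually Work?", together with the changeType branching listed above, written as a Python handler. This is an added example, not code from the original article or from Microsoft; the function name, action names, and sample payload are constructed for illustration.

```python
import hmac
import json

# Constructed value; load the real clientState from a secret store.
EXPECTED_CLIENT_STATE = "constructed-client-state"
# Hypothetical action names for the three changeType cases in the article.
ACTIONS = {"created": "add_user", "updated": "update_user", "deleted": "archive_user"}


def handle_webhook(query, body, expected_state=EXPECTED_CLIENT_STATE):
    """Process one POST to the notificationUrl.

    query: URL-decoded query parameters (dict); body: raw request body (str).
    Returns (status, content_type, response_body, actions).
    """
    # Validation handshake: echo the token back as plain text with 200.
    token = query.get("validationToken")
    if token is not None:
        return 200, "text/plain", token, []
    try:
        items = json.loads(body)["value"]
    except (ValueError, KeyError, TypeError):
        items = None
    if not isinstance(items, list):
        return 400, "text/plain", "malformed notification", []
    actions = []
    for item in items:
        if not isinstance(item, dict):
            continue
        given = str(item.get("clientState", "")).encode("utf-8", "surrogatepass")
        # Constant-time comparison; skip notifications without our clientState.
        if not hmac.compare_digest(given, expected_state.encode()):
            continue
        change = item.get("changeType")
        data = item.get("resourceData")
        action = ACTIONS.get(change) if isinstance(change, str) else None
        user_id = data.get("id") if isinstance(data, dict) else None
        if action and user_id:
            actions.append((action, user_id))
    # Acknowledge with 202; the caller runs the actions after responding.
    return 202, "text/plain", "", actions


# Constructed sample: one genuine notification, one with a wrong clientState.
SAMPLE_BODY = json.dumps({"value": [
    {"changeType": "updated", "clientState": "constructed-client-state",
     "resourceData": {"id": "00000000-0000-0000-0000-000000000001"}},
    {"changeType": "deleted", "clientState": "guessed-value",
     "resourceData": {"id": "00000000-0000-0000-0000-000000000002"}},
]})
```

In a Power Automate flow the same checks map to a condition on the validationToken query parameter followed by a condition comparing each item's clientState before any Dataverse action runs.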
Setting up a Microsoft Graph API subscription and integrating it with Power Automate gives you an inside scoop on Microsoft 365 changes without lifting a finger. Whether it’s tracking new users, updated group memberships, or email changes, this setup will have you automating like a pro. Just remember to renew that subscription – or your app may wonder why no one’s calling!