Forum Discussion
Error on subscription get/post/patch/delete, [Status Code: Unauthorized; Reason: p#S256 doesn't match
I think the issue is related to a mismatch with the "CreatorId" (not the ApplicationId). If you look at the subscription properties (by listing all subscriptions), you will see that there is a field called "CreatorId" that corresponds to the Azure "ObjectId" (not the ClientID) of the application or user that originally created the subscription (depending on whether the app used delegated or app permissions when the subscription was created). According to my tests, if you send a request to a specific resource endpoint (by providing the ID after "/subscriptions") using the original application, the request succeeds. If you send the request from any other app (e.g. MS Graph Explorer), the request fails with the "p#S256" error.
I don't see this documented anywhere so these comments are just based on my experience.
- vzverev (Copper Contributor), Dec 15, 2023
I use both the .NET SDK and the PowerShell package. I log in as the application. I create a subscription and try to read it back (using the same session, the same token). But it still fails with the "p#S256" error. Could you elaborate on what you mean by "the original application"? The API client? Because the application ID is the same, you specify it on logging in (getting the OAuth token).
- Hugo_Esperanca (Copper Contributor), Dec 15, 2023
Based on what we have seen, there are two IDs in play here. When you list all the subscriptions (e.g. doing a GET on the "https://graph.microsoft.com/v1.0/subscriptions" endpoint using the Graph Explorer), you will see that, associated with each subscription, there is an "applicationId" and a "creatorId". The "applicationId" is the ClientId of your application (as registered in Azure); the "creatorId" corresponds to the Azure "ObjectID" (not ClientID) of the application or user that was used to create the subscription in the first place. I believe that this ObjectID is passed in the token given to Graph. When targeting specific subscriptions, the "ObjectID" passed in the token needs to match the "creatorId"; otherwise you get the mismatch error mentioned.
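
A diagnostic sketch for the hypothesis discussed in this thread, added here as an example and not posted by any participant: it decodes an access token's payload and compares its `oid` (object ID) claim with each subscription's `creatorId`. The token, GUIDs and subscription records are constructed sample data, and the function names are hypothetical.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_subscriptions(token: str, subscriptions: list) -> list:
    """Return (subscription id, verdict) pairs for the identity in the token."""
    claims = jwt_claims(token)
    oid = (claims.get("oid") or "").lower()
    # v1.0 access tokens carry the client ID in "appid", v2.0 tokens in "azp"
    app = (claims.get("appid") or claims.get("azp") or "").lower()
    results = []
    for sub in subscriptions:
        if (sub.get("creatorId") or "").lower() == oid:
            verdict = "match"
        elif (sub.get("applicationId") or "").lower() == app:
            verdict = "same app, different creatorId"
        else:
            verdict = "different app and creator"
        results.append((sub["id"], verdict))
    return results


def _make_token(claims: dict) -> str:
    """Build an unsigned token for the demo (constructed, not a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample data: every GUID below is a placeholder
SAMPLE_TOKEN = _make_token({"oid": "11111111-1111-1111-1111-111111111111",
                            "appid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"})
SAMPLE_SUBS = [
    {"id": "sub-1", "applicationId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
     "creatorId": "11111111-1111-1111-1111-111111111111"},
    {"id": "sub-2", "applicationId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
     "creatorId": "22222222-2222-2222-2222-222222222222"},
    {"id": "sub-3", "applicationId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
     "creatorId": "33333333-3333-3333-3333-333333333333"},
]

if __name__ == "__main__":
    for sub_id, verdict in check_subscriptions(SAMPLE_TOKEN, SAMPLE_SUBS):
        print(sub_id, verdict)
```

In real use, the subscription list would be the `value` array returned by the "/subscriptions" endpoint and the token the one sent with the failing request; a "same app, different creatorId" verdict is the case the thread associates with the "p#S256" error.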