Forum Discussion
Error on subsciption get/post/patch/delete, [Status Code: Unauthorized; Reason: p#S256 doesn't match
I think the issue is related to a mismatch with the "CreatorId" (not the ApplicationId). If you look at the subscription properties (by listing all subscriptions), you will see that there is a field called "CreatorId" that corresponds to the Azure "ObjectId" (not the ClientID) of the application or user that originally created the subscription (depends on if the app used delegated or app permissions when the subscription was created). According to my tests, if you send a request to a specific resource endpoint (by providing the ID after "/subscriptions") using the original application the request succeeds. If you send the request from any other app (e.g MS Graph Explorer), the request fails with the "p#S256" error.
I don't see this documented anywhere so these comments are just based on my experience.
- Hugo_EsperancaDec 15, 2023Copper ContributorBased on what we have seen there are two IDs in play here. When you list all the subscriptions (e.g. doing a Get on the "https://graph.microsoft.com/v1.0/subscriptions" endpoint using the graph explorer ) you will see that, associated with each subscription, there is an "applicationId" and a "creatorId". The applicationID is the ClientId of your application (as registered in Azure) the "creatorId" corresponds to the Azure "ObjectID" (not ClientID) of the application or user that was used to create the subscription in the first place. I believe that this ObjectID is passed in the token given to GRaph. When targetting specific subscriptions the "ObjectID" passed in the token needs to match the "creatorId" otherwise you get the mismatch error mentioned.