SharePoint permission change notifications not working

Problem:

Trying to get Microsoft Graph change notifications when permissions change on SharePoint/OneDrive drive items (sharing, inheritance breaks, access grants/revocations).

Using Prefer: includesecuritywebhooks on subscription creation as documented subscription creates successfully, but the header appears to be silently ignored (notificationQueryOptions is always null in response, Preference-Applied header is always empty).

What works: Regular content change notifications fire fine.

What doesn't: Zero security notifications on any permission change.

Subscription request:

POST https://graph.microsoft.com/v1.0/subscriptions

Prefer: includesecuritywebhooks

{

"changeType": "updated",

"notificationUrl": "https://...",

"resource": "drives/{driveId}/root",

"expirationDateTime": "2026-06-12T00:00:00Z"

}

Permissions (all with admin consent): Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.FullControl.All, Directory.Read.All

Already tried:

• Both v1.0 and /beta endpoints same result
• Every relevant permission combination

But the official document says it should work:

Link to documentation: 

https://learn.microsoft.com/en-us/onedrive/developer/rest-api/concepts/scan-guidance?view=odsp-graph-online#receiving-webhook-notifications-for-security-events

Any working example or confirmation of current status would be extremely helpful. Happy to share more details or test specific configurations.