Error on subsciption get/post/patch/delete, [Status Code: Unauthorized; Reason: p#S256 doesn't match

Copper Contributor

I first encountered this issue in a project using the .NET SDK, but has since replicated it with the graph explorer at https://developer.microsoft.com/en-us/graph/graph-explorer to verify that the issue is with the api.

 

After creating a subscription, I can see it appear on a get request to https://graph.microsoft.com/v1.0/subscriptions, no problem. When I try any query with the subscription ID in the URL though, I always get the same error:

 

{
    "error": {
        "code": "ExtensionError",
        "message": "Operation: Read; Exception: [Status Code: Unauthorized; Reason: p#S256 doesn't match.]",
        "innerError": {
            "date": "2023-12-14T04:10:00",
            "request-id": "ff9d5295-2dd5-40ca-91c7-4ec0cf871c8c",
            "client-request-id": "2fb3723b-1858-5d41-e4bc-47589df481a0"
        }
    }
}

I've attempted Get, Patch, Post and Delete requests to both https://graph.microsoft.com/v1.0/subscriptions/<subscriptionId> and https://graph.microsoft.com/beta/subscriptions/<subscriptionId> , all requests giving the same error.

10 Replies
I'm encountering the same error when trying to delete or get subscriptions for drives.

I'm encountering the same issue. Able to reproduce using Postman REST API calls and Graph .NET SDK.

Only creation (POST) and get ALL subscriptions (GET) works.
Update (PATCH), Deletion (DEL) and getting a specific subscription using Subscription ID (GET) fails with the same error.

Same here, we are encountering the same error when trying to delete subscriptions and more. We use Java SDK. 

Same problem. Can list all subscriptions but as soon as I try to target a specific resource I get the above error. We experienced the issue in code (using the .Net SDK) and also in the MS Graph Explorer. Raised a ticket with MS will post here with any updates.

Looking into this further,

I think the issue is related to a mismatch with the "CreatorId" (not the ApplicationId). If you look at the subscription properties (by listing all subscriptions), you will see that there is a field called "CreatorId" that corresponds to the Azure "ObjectId" (not the ClientID) of the application or user that originally created the subscription (depends on if the app used delegated or app permissions when the subscription was created). According to my tests, if you send a request to a specific resource endpoint (by providing the ID after "/subscriptions") using the original application the request succeeds. If you send the request from any other app (e.g MS Graph Explorer), the request fails with the "p#S256" error.

I don't see this documented anywhere so these comments are just based on my experience.
I use both .Net SDK and PowerShell package. I log in as the application. I create a subscription and try to read it back (using the same session, the same token). But it still fails with the "p#S256" error. Could you elaborate on what you mean by "the original application"? The API client? Because the application id is the same, you specify it on logging in (getting OAuth token).

Based on what we have seen there are two IDs in play here. When you list all the subscriptions (e.g. doing a Get on the "https://graph.microsoft.com/v1.0/subscriptions" endpoint using the graph explorer ) you will see that, associated with each subscription, there is an "applicationId" and a "creatorId". The applicationID is the ClientId of your application (as registered in Azure) the "creatorId" corresponds to the Azure "ObjectID" (not ClientID) of the application or user that was used to create the subscription in the first place. I believe that this ObjectID is passed in the token given to GRaph. When targetting specific subscriptions the "ObjectID" passed in the token needs to match the "creatorId" otherwise you get the mismatch error mentioned.

It seems MS has fixed the issue. I don't get the error anymore.

Yes, quoting people from MS here-

 


Quick update to let you know the service team had mitigated the issue and the service should behave normally.

Working fine for me now.