Subscription
12 Topics

Meeting change notification cannot receive notice after updating meeting
Hi, I have some questions about online meeting subscriptions. I created change notifications for the online meeting resource and it worked before, but if I update the meeting (such as changing the meeting time, changing the subject, or adding/removing an attendee), the subscription is still valid but I cannot receive a change notice when I start the meeting. Can I confirm that change notifications don't support a meeting after it is updated? Thanks

2.7K Views, 0 likes, 10 Comments

OneDrive webhook API occasionally returns a 401 status code
TL;DR: scroll down to the "Questions" section

Hello, I am currently working on an integration with OneDrive that manipulates webhook subscriptions to OneDrive drives via the Graph API, using the https://docs.microsoft.com/en-us/onedrive/developer/rest-api/concepts/using-webhooks?view=odsp-graph-online endpoint. Sometimes, without any apparent reason, the API returns a 401 Unauthorized error with a response similar to the one below (this one is the payload of an actual response I got for a https://docs.microsoft.com/en-us/onedrive/developer/rest-api/api/subscription_update?view=odsp-graph-online call):

    {
      "error": {
        "code": "ExtensionError",
        "message": "Operation: Update; Exception: [Status Code: Unauthorized; Reason: Authentication failed]",
        "innerError": {
          "date": "2021-04-16T00:29:11",
          "request-id": "4f1f55fe-9ac1-4c8c-9d21-529d0d0be1a1",
          "client-request-id": "4f1f55fe-9ac1-4c8c-9d21-529d0d0be1a1"
        }
      }
    }

Retrying the request usually works (yes, retrying the exact same request that returned a 401 Unauthorized error can succeed if retried). To demonstrate this, I attached the logs of 2 other, identical requests: one that failed and another one that succeeded. I obfuscated the auth tokens, but assume that the exact same auth token was used for both. Also assume that the endpoint indicated in the payload existed at the time, and correctly performed the https://docs.microsoft.com/en-us/onedrive/developer/rest-api/concepts/webhook-receiver-validation-request?view=odsp-graph-online.

Given that the response payload and headers don't provide any useful information (even the x-ms-ags-diagnostic header is identical between a successful and a failed request), and that the documentation does not mention https://docs.microsoft.com/en-us/onedrive/developer/rest-api/api/subscription_update?view=odsp-graph-online#error-responses to these endpoints and their status codes, I wanted to reach out to the community to check if anyone else faced a similar issue.
==Questions==

Did anyone experience intermittent 401 Unauthorized status codes from the OneDrive /subscriptions endpoints? If so, how did you handle them?

The naive approach would be to retry the request, except that the outcome of a request that returns a 401 Unauthorized status code is uncertain. For example, sometimes the webhook gets eventually created even when a POST /subscription request apparently fails.

Given the nature of the problem, it's hard to come up with a consistent way to test this, but if I discover more information I'll update this post. Thanks!

1.6K Views, 0 likes, 1 Comment

process for Azure subscription retirement
Hi all, I'm wondering what processes/workflows you have in place for retiring (deleting) subscriptions that are no longer needed. I was thinking about stuff like this:

- Financial reporting cleanup
- RBAC cleanup
- Firewall rule cleanup
- Removal of AAD groups

What else could there be? Could anyone share their view or even provide some useful documentation? Thanks!

1.3K Views, 0 likes, 2 Comments

Question about subscription length
Hi, I want to keep a change notification subscription to the calendar and online meeting resources being updated every day (first I created a subscription with a 24-hour length and set the expiry time to the next 24 hours after one day), but the subscription disappears in 3 days (I wanted to update the existing subscription but received a 404 response). I know that the maximum lifetime of a subscription for events is 3 days, but I want to confirm that this period is the time the subscription can be saved in Microsoft and cannot be extended? (Can I update the expiry time to extend the subscription, or is it only 3 days after it is created?)

1K Views, 0 likes, 3 Comments

Unprofessional Handling of a support case
Dear Azure Team and whom it may concern,

at the end of December I created a free trial subscription in Azure to begin with and started setting up my project (SQL Server DB and Analysis Services plus some cognitive services). A few days later I set up PowerBI for the same domain I set up the Azure environment with, and that was where the trouble started. Afterwards I was not able to log in anymore, my subscription expired and, worst of all, I could not transfer or change it to a Pay-As-You-Go one for an until now unexplained reason.

After literally thousands of calls and remote sessions, and 5 different contact persons from all over the world, no one was able to help me out of this miserable situation. In fact they just closed the case and left me where I am right now. Neither can I access my data, because the subscription is disabled, nor can I delete it to start from scratch (I really have to use this domain name...), nor can I re-enable it by adding a credit card to it. Everything just does not work.

The rudest thing actually is that they just closed the case without getting back to me. The only feedback I got was this:

The Account Research Team responded stating “As part of our strong commitment to the protection of our customers and our interest in preserving the quality and integrity of the Azure service, we perform supplementary reviews of accounts which may exhibit irregular or suspicious activity. Your account was selected for one of these reviews and after careful consideration, we will be unable to reinstate your purchasing ability. Please understand that we keep security checks like these in place in order to protect the quality and integrity of the Azure service.”

I am referring to this particular support case: [REG:118010817420745] Two AD and no subscription Initial Response

Anyone, please help me out!

865 Views, 0 likes, 0 Comments

Subscription Governance: The Relationships and Dependencies Involved with Managing Subscriptions
In this article

- Introduction
- Relationships and dependencies between Entra ID, Billing Accounts and Subscriptions
- Identity and Roles
- Billing Account and Subscription Creation
- Summary

Introduction

In cloud governance, the relationships between Entra ID, Billing Accounts, Subscriptions, and User Permissions are frequently misunderstood, even by experienced practitioners. Many organizations assume these components form a simple hierarchy or that permissions and associations are inherited in certain ways. In reality, these elements are loosely associated, and their dependencies are far more nuanced.

Misunderstanding these relationships and dependencies poses a challenge to governance and can allow subscription sprawl. For example, assuming that billing accounts and subscriptions are always tied to the same Entra ID tenant, or that user roles in Entra ID automatically confer billing permissions, can result in misconfigured access controls and the creation of subscriptions outside of your corporate procurement and deployment processes. There can also be confusion about where to go to manage permissions. Is it Entra ID, is it in the resource RBAC, is it in the billing account?

Effective governance requires clarity on:

- How Entra ID tenants, billing accounts, and subscriptions are associated and how these associations can be changed.
- Which roles have the authority to create or manage subscriptions and billing accounts, and where those roles are found.
- How the type of billing account (EA, MCA, MOSP, Partner) determines who can create subscriptions and what controls are available.

By understanding these foundational relationships and the specific permissions required, organizations can avoid common pitfalls and build a governance model that is both secure and flexible.

Relationships and dependencies between Entra ID, Billing Accounts and Subscriptions

In order to manage subscriptions, it is key to understand the components and dependencies related to subscriptions.
Let’s first understand the relationship between subscriptions, billing accounts and Entra ID tenants. Do not think of the tenant as a container for billing accounts which are containers for subscriptions. Think of the relationship between these components as “associations” rather than a hierarchy.

- A billing account is typically associated with a single Entra ID tenant. However, with MCA billing accounts you can configure Associated Billing Tenants, which allow users from multiple tenants to have billing permissions on a single billing account.
- An Entra ID tenant can have many different billing accounts of different types.
- A billing account can be associated with many subscriptions, but a subscription can only be associated with a single billing account.
- An Entra ID tenant can be associated with many subscriptions, but a subscription can only be associated with a single tenant.
- A subscription is first associated with the tenant in which the user is logged in, which isn’t always the tenant to which the associated billing account belongs.

These relationships or associations can also be changed later. For example, Subscription Owners can change the association of the subscription’s Entra ID tenant to ANY other Entra ID tenant to which they have access. They don’t need elevated permissions in the target tenant.

One of the most important things to know is that the billing account associated with a subscription does not need to be associated with the same Entra ID tenant as the subscription.

See the following example associations:

Identity and Roles

Entra ID is a directory of user identities and other objects. A user identity can be associated with many Entra ID tenants. While the primary account belongs to a single tenant, users can be invited as guest users to any number of Entra ID tenants using B2B collaboration.
There are three places that house roles/permissions that are mapped to those user identities: Entra ID roles, Azure Resource Manager (ARM) Role Based Access Control (RBAC), and Billing Accounts.

Entra ID Roles

Entra ID roles manage directory-level objects such as user identities. The Global Administrator is the most well-known role within Entra ID. Entra ID roles are typically limited to managing the directory; however, a Global Administrator can elevate access in order to access and assign RBAC and Billing roles to themselves or others (two exceptions are that the Global Admin cannot elevate billing permissions for EA or MOSP billing accounts). Entra ID roles assigned to a user in one tenant do not follow them when they gain access to another tenant.

ARM RBAC

RBAC is a function of ARM and is scoped to management groups, subscriptions, resource groups or resources. RBAC is inherited from parent scopes. The RBAC assigned to a user in one tenant is not shared with any other tenant, as the mappings are maintained by ARM for each resource in the tenant. As each tenant has unique resources, the RBAC mapping the user has for resources in one tenant logically cannot exist in another tenant. While user identity is handled by Entra ID, RBAC is handled at the resource level.

Billing Roles

Billing roles are a part of the billing/commerce engine and depend on the billing account type. For example, with an MCA billing account you manage them in Cost Management + Billing, not in Entra ID. These billing roles are different depending on the billing account type. While billing roles manage access to billing details, they also control the creation of subscriptions. If you have the correct billing role, you can create subscriptions under that billing account. Subscription creation is not managed by Entra ID roles or by RBAC.
Billing Accounts

There are 4 main billing account types:

- Enterprise Agreements (EA): Legacy contractual model for large enterprises. Provides volume licensing discounts, centralized invoicing, and long-term pricing commitments, but is gradually being replaced by MCA. Billing roles to create subscriptions: Enterprise Administrator, Account Owner
- Microsoft Customer Agreements (MCA): The modern default billing model for enterprise customers. Free trial and pay-go subscriptions are supported. Invoice-based or credit card billing; supports multiple billing profiles and invoice sections. Billing roles to create subscriptions: Billing Account Owner/Contributor, Billing Profile Owner/Contributor, Billing Invoice Owner/Contributor, Subscription Creator
- Microsoft Online Services Program (MOSP) Agreements: Tied to a single user, lacks enterprise governance features, and is the most common source of subscription sprawl. Typically used by individuals or small businesses and supports free trial, pay-go and Visual Studio subscriptions. Billing role to create subscriptions: Account Administrator
- Microsoft Partner Agreements (MPA): A billing account owned and managed by a Microsoft partner. Subscriptions billed under CSP appear in your tenant but financially roll up under the partner’s agreement. Control over invoicing and some subscription-level actions is delegated to the CSP, not directly to corporate IT. Billing role to create subscriptions: Admin agent role in the CSP partner organization

Billing Account and Subscription Creation

As the roles within the billing account provide the permissions to create subscriptions, it is important to understand who can create these billing accounts, because whoever can create a billing account is also able to create a subscription. And remember, subscriptions do not need to be associated with the same Entra ID tenant as the billing account.
Billing accounts are created in the following ways:

- Enterprise Agreements (EA): An individual at your company works with Microsoft to set up an EA contract. An EA billing account is created for them, and they become the Enterprise Administrator for that billing account.
- Microsoft Customer Agreements (MCA): An individual at your company works with Microsoft to set up an MCA contract. An MCA billing account is created for them, and they become the Billing Account Owner for that billing account.
- Microsoft Online Services Program (MOSP) Agreements: Any individual can perform a self-signup for a pay-go or free-trial subscription. When they do this, a billing account is created for them, and they become the Account Administrator for that billing account. This can be done in any Entra ID tenant for which they have an identity (including guest accounts).
- Microsoft Partner Agreements: A Microsoft Partner registers and manages the CSP billing account on behalf of a customer. They become the Admin agent.

Summary

Understanding the associations between Entra ID tenants, identity, permissions, billing accounts, and subscriptions is foundational for effective governance. With these building blocks in place, you can design for and establish governance that will ensure your environment aligns with your corporate strategy and reduce opportunity for subscription sprawl.

M365 E3 to E5 Mid-Term Upgrade: Remove duplicated licenses after an upgrade
Hi all,

I have a client that would like to upgrade from Microsoft 365 E3 to Microsoft 365 E5. They also have the following additional subscriptions for E3 users that will become redundant after the upgrade:

- Power BI Pro
- Microsoft Defender for Endpoint P2
- Microsoft Entra ID P2

The upgrade documentation isn't clear and doesn't provide examples as to which subscriptions qualify for cancellation after the upgrade. https://learn.microsoft.com/en-gb/partner-center/create-a-new-subscription?tabs=workspaces-view#remove-duplicated-licenses-after-an-upgrade

Will the three subscriptions listed above qualify for cancellation mid-term with the upgrade from E3 to E5?

Regards
Chris

413 Views, 0 likes, 0 Comments