Microsoft Graph Subscription Validation Fails with 403 Forbidden Despite Reachable Notification Endpoint

Mohamed Hany 0 Reputation points
2026-06-28T18:38:28.71+00:00

I am encountering an issue when creating a Microsoft Graph subscription for online meeting notifications.

The subscription request fails immediately with the following error:

Microsoft.Graph.Models.ODataErrors.ODataError:
Subscription validation request failed.
HTTP status code is 'Forbidden'.
Notification endpoint must respond with 200 OK to validation request.

What I have verified

  • My notification endpoint is publicly accessible.
  • I tested the endpoint manually and it responds successfully.
  • The endpoint is functioning correctly outside of the subscription validation process.
  • The error occurs immediately when attempting to create the subscription.

Expected Behavior

Microsoft Graph should send the validation request to the notification endpoint, and the endpoint should respond with 200 OK along with the validation token, allowing the subscription to be created successfully.

Actual Behavior

The subscription creation fails with a 403 Forbidden during the validation request, even though the endpoint itself is working correctly.

Code:

var requestBody = new Subscription
{
    ChangeType = changeType,
    NotificationUrl = notificationUrl,
    Resource = resource,
    ExpirationDateTime = expirationDateTime,
    ClientState = clientState,
    LatestSupportedTlsVersion = "v1_2",
};

return await _graphClient.Subscriptions.PostAsync(requestBody); // runtime error here ⚠️🚨

Error

Microsoft.Graph.Models.ODataErrors.ODataError: Subscription validation request failed. HTTP status code is 'Forbidden'. Notification endpoint must respond with 200 OK to validation request.
    at Microsoft.Kiota.Http.HttpClientLibrary.HttpClientRequestAdapter.ThrowIfFailedResponseAsync(...)
    at Microsoft.Graph.Subscriptions.SubscriptionsRequestBuilder.PostAsync(...)

Could you please help determine why Microsoft Graph is receiving a 403 Forbidden during the validation request, even though the notification endpoint is accessible and has been verified to work?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. AI answer

    2026-06-28T18:38:47.3433333+00:00

    The 403 Forbidden during subscription validation indicates that Microsoft Graph is reaching the notification endpoint, but the endpoint’s response does not meet the required validation contract for webhook subscriptions.

    For Microsoft Graph (and related services like OneDrive and SharePoint) the validation flow is:

    1. After the POST /subscriptions request, Microsoft Graph sends a POST to the notificationUrl with a validationToken query parameter:
         POST https://{notificationUrl}?validationToken={opaqueTokenCreatedByMicrosoftGraph}
         Content-Type: text/plain; charset=utf-8
      
    2. The notification endpoint must:
      • Extract the validationToken from the query string.
      • URL‑decode the token.
      • Respond within 10 seconds with:
        • HTTP status code 200 OK.
        • Content-Type: text/plain.
        • Body containing only the plain‑text, URL‑decoded validation token.

    If any of these conditions are not met, Microsoft Graph treats the validation as failed and the subscription is not created.

    Given the error "HTTP status code is 'Forbidden'", the most likely causes are:

    1. Endpoint returns 403 instead of 200 for the validation request
      Common reasons:
      • Authentication/authorization middleware (e.g., API key, OAuth, IP restrictions) blocks the request because it has no auth header or comes from an unexpected source.
      • A WAF, reverse proxy, or firewall in front of the endpoint denies the request.
      Ensure the validation request path allows anonymous access and does not enforce auth for this specific POST with validationToken.
    2. Endpoint returns 200 but with wrong content type or body
      Even if manual tests succeed, the validation can fail if:
      • Response Content-Type is not text/plain.
      • Body does not contain exactly the URL‑decoded validationToken (for example, JSON, HTML, or additional text).
      For SharePoint webhooks, the expected pattern is:
         return new OkObjectResult(req.Query["validationtoken"].ToString());
      
      For Microsoft Graph, the same principle applies: read validationToken from the query string, URL‑decode it, and return it as plain text.
    3. Validation not handled at all for this endpoint
      If the endpoint logic does not detect and handle the validationToken query parameter specially, it may treat the request as a normal call and return 403 or another error.
    4. Latency or timeout issues
      If the endpoint takes longer than 10 seconds to respond, Graph considers validation failed. Ensure the validation path is lightweight and responds quickly.

    To resolve the issue:

    • Implement explicit handling of the validation request on the notification endpoint:
      • Detect validationToken in the query string.
      • Return HTTP 200, Content-Type: text/plain, and the URL‑decoded token as the body.
    • Ensure no auth or IP restrictions block anonymous POSTs to this endpoint during validation.
    • Verify via logs that the endpoint is not returning 403 to Graph’s validation request.

    Once the endpoint returns the required 200 + plain‑text token response, the subscription creation should succeed.

    AI-generated content may be incorrect. Read our transparency notes for more information.
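An added example (not from the question or the answer above) of an ASP.NET Core minimal API notification endpoint that satisfies the validation contract the answer describes: it answers the validationToken handshake with 200 and a text/plain body, is explicitly allowed anonymous so auth middleware cannot turn it into a 403, and authenticates real change notifications by comparing clientState to the value set on the subscription. The route path and the ExpectedClientState value are assumptions; the project is assumed to use the Web SDK with implicit usings.

```csharp
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Assumed: the same opaque value passed as ClientState when the subscription was created.
const string ExpectedClientState = "REPLACE-WITH-SUBSCRIPTION-CLIENTSTATE";

app.MapPost("/api/notifications", async (HttpRequest request) =>
{
    // 1. Validation handshake: Graph POSTs ?validationToken=... with no Authorization
    //    header and expects 200 + text/plain + the bare token within 10 seconds.
    if (request.Query.TryGetValue("validationToken", out var validationToken))
    {
        // ASP.NET Core has already URL-decoded the query value; do not decode it again.
        return Results.Text(validationToken.ToString(), "text/plain", Encoding.UTF8);
    }

    // 2. Change notification: the only authenticity signal Graph sends is clientState,
    //    so check it, acknowledge quickly, and do the real work out of band.
    using var body = await JsonDocument.ParseAsync(request.Body);
    if (!body.RootElement.TryGetProperty("value", out var notifications))
    {
        return Results.BadRequest();
    }

    foreach (var notification in notifications.EnumerateArray())
    {
        var clientState = notification.TryGetProperty("clientState", out var cs)
            ? cs.GetString() ?? string.Empty
            : string.Empty;
        if (!CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(clientState),
                Encoding.UTF8.GetBytes(ExpectedClientState)))
        {
            // Spoofed or misrouted notification: drop it, but still return 202 below.
            continue;
        }
        // Hand off to a queue/background worker here; never call Graph synchronously.
        var resource = notification.GetProperty("resource").GetString();
        app.Logger.LogInformation("Accepted notification for {Resource}", resource);
    }

    return Results.Accepted();
}).AllowAnonymous(); // auth middleware must not reject this route; clientState is the check

app.Run();
```

If this handler is never reached yet Graph still reports 403, the rejection is happening upstream (WAF, reverse proxy, or IP allow-list), so check those logs for the POST carrying validationToken.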