A cloud-based identity and access management service for securing user authentication and resource access
The 403 Forbidden during subscription validation indicates that Microsoft Graph is reaching the notification endpoint, but the endpoint’s response does not meet the required validation contract for webhook subscriptions.
For Microsoft Graph (and related services like OneDrive and SharePoint) the validation flow is:
- After the
POST /subscriptionsrequest, Microsoft Graph sends aPOSTto thenotificationUrlwith avalidationTokenquery parameter:POST https://{notificationUrl}?validationToken={opaqueTokenCreatedByMicrosoftGraph} Content-Type: text/plain; charset=utf-8 - The notification endpoint must:
- Extract the
validationTokenfrom the query string. - URL‑decode the token.
- Respond within 10 seconds with:
- HTTP status code
200 OK. -
Content-Type: text/plain. - Body containing only the plain‑text, URL‑decoded validation token.
- HTTP status code
- Extract the
If any of these conditions are not met, Microsoft Graph treats the validation as failed and the subscription is not created.
Given the error HTTP status code is 'Forbidden', the most likely causes are:
- Endpoint returns 403 instead of 200 for the validation request
Common reasons:- Authentication/authorization middleware (e.g., API key, OAuth, IP restrictions) blocks the request because it has no auth header or comes from an unexpected source.
- A WAF, reverse proxy, or firewall in front of the endpoint denies the request.
POSTwithvalidationToken. - Endpoint returns 200 but with wrong content type or body
Even if manual tests succeed, the validation can fail if:- Response
Content-Typeis nottext/plain. - Body does not contain exactly the URL‑decoded
validationToken(for example, JSON, HTML, or additional text).
For Microsoft Graph, the same principle applies: readreturn new OkObjectResult(req.Query["validationtoken"].ToString());validationTokenfrom the query string, URL‑decode it, and return it as plain text. - Response
- Validation not handled at all for this endpoint
If the endpoint logic does not detect and handle thevalidationTokenquery parameter specially, it may treat the request as a normal call and return 403 or another error. - Latency or timeout issues
If the endpoint takes longer than 10 seconds to respond, Graph considers validation failed. Ensure the validation path is lightweight and responds quickly.
To resolve the issue:
- Implement explicit handling of the validation request on the notification endpoint:
- Detect
validationTokenin the query string. - Return HTTP 200,
Content-Type: text/plain, and the URL‑decoded token as the body.
- Detect
- Ensure no auth or IP restrictions block anonymous POSTs to this endpoint during validation.
- Verify via logs that the endpoint is not returning 403 to Graph’s validation request.
Once the endpoint returns the required 200 + plain‑text token response, the subscription creation should succeed.
References: