Slide deck for my third webinar on Microsoft Graph API with OutSystems. In this part we talk about Event subscriptions and handling.

1. Microsoft Graph API with
OutSystems
Event Subscriptions
Subscribe and handle Microsoft Graph API
change notifications in your application
February 8thth 11am (CET)
Stefan Weber
Senior Director Software Development
Telelink Business Services Germany GmbH
OutSystems MVP – AWS Community Builder

2. Fundamentals
 Overview of Microsoft Graph API subscriptions
 Basic Notifications and Rich Notifications
 Subscription Lifecycle
 Best Practices
Agenda
Implementation
 Prerequisites
 Entra Application Registration and Permissions
 OAuth access token client credential flow
 Subscribe and handle basic notifications
 Handle lifecycle events
 Subscribe and handle rich notifications

3. Previous Webinars on Microsoft Graph API with OutSystems
Application Permissions
Query Microsoft Graph API with application permissions.
Demonstration on how to acquire an access token from
Microsoft Entra with an OAuth client credentials flow.
https://youtu.be/yVK8WQz5qnU
Delegated Permissions
Query Microsoft Graph API with delegated (user) permissions.
Demonstration on how to acquire an access token from
Microsoft Entra with an OAuth authorization code flow.
https://youtu.be/2cSsg5ws1H4

4. Microsoft Graph API Event
Subscription
Microsoft Graph API event subscriptions allow you to subscribe to
changes in resources such as messages, calendars, and contacts
in Microsoft Graph. When a change occurs, the API sends a
notification to the subscribed application.
To create a subscription you must specify an event type – e.g.
create – and a resource using an application or delegated access
token with corresponding permissions (Scopes).
Subscriptions expire and get deleted automatically on
 Individual subscription expiry
 Resource subscription lifetime limit
 Access Token used for subscribing expires
if Lifecycle Notifications are not handled by your application.

5. Basic Notifications
A basic notifications only returns the event type and the
affected resource identifier back to your application.
In order to get the details of the affected resource you must
perform a Graph API query.
It is the easiest way to get started with Microsoft Graph API event
subscriptions.
Resource Events
Rich Notifications
Rich Notifications include the affected resource data besides the
event type and the resource identifier.
Resource data in Rich Notifications is encrypted by a Public Key
you must include when subscribing to an event and you need
the corresponding Private Key to decrypt the resource data.
You must specify explicitly which attributes should be
transported as encrypted resource data.

6. Lifecycle Events
Missed
Notification to your lifecycle events
endpoint on non-delivered event e.g.
because of Timeout.
Actions to take
 Acknowledge event by returning a
status code of 202 – Accepted
 Query the resource or perform a
delta query to take further action
Applicable only to Outlook Messages,
Events and Personal Contacts.
Subscription Removed
Triggered whenever a subscription is
removed from Microsoft Graph.
Applicable only to Outlook Messages,
Events and Contacts and Teams Chat
Messages.
Reauthorization Required
This events hits your lifecycle events
endpoint when
 The access token is about to
expire
 The subscription is about to expire
 A tenant administrator revoked
permissions for your application
Actions to take
 Acknowledge event by returning a
status code of 202 – Accepted
 Reauthorize and update
subscription

7. Application
 Configure application permissions on resources in your Entra
application registration.
Keep in mind that application permissions are very powerful and
additional actions should be taken to limit application permissions.
 Use the Client Credential OAuth2 flow to retrieve an access
token.
 Subscribe to resources using the access token.
 On Reauthorization Required lifecycle events simply request
a new access token via the Client Credential flow to
reauthorize and update a subscription
Subscribing as application or on-behalf of a user (delegated)
Delegated
 Configure delegated permissions on resources in your Entra
application registration.
 Make sure that you added the offline_access permission to
get a refresh token.
 Perform a Authorization Code OAuth2 flow to retrieve an
access token and refresh token.
 Subscribe to resources
 On Reauthorization Required lifecycle events use a valid
cached access token or retrieve a new access token using by
performing a token refresh operation.

8. Implementation

9. Prerequisites
 Access to your Azure Tenant using the Azure Portal
 Cloud Application Administrator role assigned to your user
account to register an application in your tenant.
 Powershell to generate a Public/Private key pair for Rich
Notifications.

10. Demo Application
GraphWebinar Event Subscriptions
Available on Forge

11. Rich Notifications
Certificate / Private Key
11
<#
Script generates a new certificate and private key
private-key.xml The private key in XML format
public.cer The public key base64 encoded
#>
$params = @{
Subject = "CN=Microsoft Graph Rich Notifications"
CertStoreLocation = "Cert:CurrentUserMy"
KeyExportPolicy = "Exportable"
KeyUsage = "DataEncipherment"
KeyAlgorithm = "RSA"
KeyLength = 2048
KeyUsageProperty = "All"
} # End Certificate Parameters
$cert = New-SelfSignedCertificate @params # Create Certificate in User Certificate Store (Personal)
$cert.PrivateKey.ToXmlString($true) | Out-File "private-key.xml" # Export the private key in XML Format
[System.Convert]::ToBase64String($cert.Export('Cert')) | Out-File "public.cer" # Export the certificate (public) as DER base64 encoded

12. Walkthrough

13. Best practices
 Try to avoid subscribing under application permissions. Use
delegated permission if possible.
 Use a single REST API to receive all Graph API webhooks.
Don‘t create separate endpoints for different use cases.
 For large volumes of subscriptions and events consider
Azure Event Grid (preview) or Lambda to AWS EventBridge.

14.  Master OAuth 2.0 Website
 Microsoft Developer Program
 Azure Portal
 Microsoft Learn – Authorization Code Flow
 Use the Microsoft Graph API documentation
 Microsoft Graph Explorer
 OAuth Token Exchange Forge component
 CryptoAPI Forge component
Additional Material
 Microsoft Graph Permission Reference
 Microsoft Graph API Lifecycle Events
 Notifications Endpoint Validation
 Rich Notifications

15. Introduction and Bedrock Knowledge Bases
 Overview of Amazon Bedrock
 Configuration and Model Access
 Creating a Knowledge Base
 Query Knowledge Base Information
 When to roll your own custom Knowledge Base
 Use Bedrock Knowledge Bases for Retrievable Augmented
Generation (RAG) in OutSystems applications.
March 2024
Coming up – Amazon Bedrock
Bedrock Agents and Action Groups
 Overview of Agents and AI Reasoning
 Create and Configure an Agent
 Add Knowledge Base(s) to an Agent
 Add Lambda Functions middleware to an Agent
 Use Bedrock Agents in OutSystems applications
April 2024

16. Stefan Weber
Senior Director Software Development
Telelink Business Services Germany GmbH
OutSystems MVP – AWS Community Builder
https://www.tbs.tech
https://www.linkedin.com/in/stefanweber1/
https://lcnc.blog