Microsoft Graph API with OutSystems Event Subscriptions
1. Microsoft Graph API with
OutSystems
Event Subscriptions
Subscribe and handle Microsoft Graph API
change notifications in your application
February 8th 11am (CET)
Stefan Weber
Senior Director Software Development
Telelink Business Services Germany GmbH
OutSystems MVP – AWS Community Builder
2. Fundamentals
Overview of Microsoft Graph API subscriptions
Basic Notifications and Rich Notifications
Subscription Lifecycle
Best Practices
Agenda
Implementation
Prerequisites
Entra Application Registration and Permissions
OAuth access token client credential flow
Subscribe and handle basic notifications
Handle lifecycle events
Subscribe and handle rich notifications
3. Previous Webinars on Microsoft Graph API with OutSystems
Application Permissions
Query Microsoft Graph API with application permissions.
Demonstration on how to acquire an access token from
Microsoft Entra with an OAuth client credentials flow.
https://youtu.be/yVK8WQz5qnU
Delegated Permissions
Query Microsoft Graph API with delegated (user) permissions.
Demonstration on how to acquire an access token from
Microsoft Entra with an OAuth authorization code flow.
https://youtu.be/2cSsg5ws1H4
4. Microsoft Graph API Event
Subscription
Microsoft Graph API event subscriptions allow you to subscribe to
changes in resources such as messages, calendars, and contacts
in Microsoft Graph. When a change occurs, the API sends a
notification to the subscribed application.
To create a subscription you must specify an event type – e.g.
create – and a resource using an application or delegated access
token with corresponding permissions (Scopes).
Subscriptions expire and get deleted automatically on:
Individual subscription expiry
Resource subscription lifetime limit
Access Token used for subscribing expires
if Lifecycle Notifications are not handled by your application.
5. Basic Notifications
A basic notification only returns the event type and the
affected resource identifier back to your application.
In order to get the details of the affected resource you must
perform a Graph API query.
It is the easiest way to get started with Microsoft Graph API event
subscriptions.
Resource Events
Rich Notifications
Rich Notifications include the affected resource data besides the
event type and the resource identifier.
Resource data in Rich Notifications is encrypted by a Public Key
you must include when subscribing to an event and you need
the corresponding Private Key to decrypt the resource data.
You must specify explicitly which attributes should be
transported as encrypted resource data.
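The decryption step described above, as an added Node.js example (not code from the webinar or from OutSystems). It assumes the encryptedContent layout from Microsoft's rich notification documentation (data, dataKey, dataSignature, all base64); the sample notification and key pair are constructed locally so the block runs offline.

```javascript
const crypto = require("crypto");

// Decrypts the encryptedContent object of one rich notification.
// privateKey must belong to the certificate supplied when subscribing.
function decryptResourceData(encryptedContent, privateKey) {
  // 1. Unwrap the per-notification symmetric key (RSA-OAEP).
  const symKey = crypto.privateDecrypt(
    { key: privateKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING },
    Buffer.from(encryptedContent.dataKey, "base64"));

  // 2. Verify the HMAC-SHA256 signature over the ciphertext BEFORE decrypting,
  //    so tampered payloads are rejected instead of parsed.
  const data = Buffer.from(encryptedContent.data, "base64");
  const expected = crypto.createHmac("sha256", symKey).update(data).digest();
  const given = Buffer.from(encryptedContent.dataSignature, "base64");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error("dataSignature mismatch");
  }

  // 3. AES-CBC with PKCS7 padding; the IV is the first 16 bytes of the key.
  const decipher = crypto.createDecipheriv(
    `aes-${symKey.length * 8}-cbc`, symKey, symKey.subarray(0, 16));
  const plain = Buffer.concat([decipher.update(data), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// Constructed sample: plays the sender side so the example is self-contained.
function buildSampleNotification(publicKey, resource) {
  const symKey = crypto.randomBytes(32);
  const cipher = crypto.createCipheriv("aes-256-cbc", symKey, symKey.subarray(0, 16));
  const data = Buffer.concat([cipher.update(JSON.stringify(resource), "utf8"), cipher.final()]);
  return {
    data: data.toString("base64"),
    dataSignature: crypto.createHmac("sha256", symKey).update(data).digest("base64"),
    dataKey: crypto.publicEncrypt(
      { key: publicKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING }, symKey
    ).toString("base64"),
  };
}

// Constructed key pair and resource data (not real Graph output).
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const sample = buildSampleNotification(publicKey, { subject: "Quarterly report", isRead: false });
console.log(decryptResourceData(sample, privateKey));
```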
6. Lifecycle Events
Missed
Notification to your lifecycle events
endpoint on non-delivered event e.g.
because of Timeout.
Actions to take
Acknowledge event by returning a
status code of 202 – Accepted
Query the resource or perform a
delta query to take further action
Applicable only to Outlook Messages,
Events and Personal Contacts.
Subscription Removed
Triggered whenever a subscription is
removed from Microsoft Graph.
Applicable only to Outlook Messages,
Events and Contacts and Teams Chat
Messages.
Reauthorization Required
This event hits your lifecycle events
endpoint when
The access token is about to
expire
The subscription is about to expire
A tenant administrator revoked
permissions for your application
Actions to take
Acknowledge event by returning a
status code of 202 – Accepted
Reauthorize and update
subscription
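One way to turn a lifecycle notification body into the actions listed above, as an added Node.js example (not code from the webinar). The clientState secret, the action names, the renewal window and the resubscribe action for removed subscriptions are assumptions; the sample bodies used with it are constructed.

```javascript
const crypto = require("crypto");

// Hypothetical shared secret, set as clientState when the subscription was created.
const EXPECTED_CLIENT_STATE = "constructed-client-state";

// Constant-time comparison of the clientState echoed back by Microsoft Graph.
function sameSecret(a, b) {
  const x = Buffer.from(String(a ?? "")), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Returns the HTTP status to send back plus the follow-up work to queue.
// Respond first, then run the actions asynchronously.
function handleLifecycleBody(body, now = new Date(), renewMinutes = 60) {
  const items = Array.isArray(body && body.value) ? body.value : null;
  if (!items) return { status: 400, actions: [] };
  const actions = [];
  for (const n of items) {
    const subscriptionId = n.subscriptionId;
    // Items whose clientState does not match are recorded, never acted upon.
    if (!sameSecret(n.clientState, EXPECTED_CLIENT_STATE)) {
      actions.push({ type: "reject", subscriptionId });
      continue;
    }
    switch (n.lifecycleEvent) {
      case "reauthorizationRequired": // get a fresh token, then update the subscription
        actions.push({
          type: "renew", method: "PATCH",
          path: `/subscriptions/${encodeURIComponent(subscriptionId)}`,
          body: { expirationDateTime: new Date(now.getTime() + renewMinutes * 60000).toISOString() },
        });
        break;
      case "missed": // query the resource or run a delta query
        actions.push({ type: "resync", subscriptionId });
        break;
      case "subscriptionRemoved": // assumption: the application creates a new subscription
        actions.push({ type: "resubscribe", subscriptionId });
        break;
      default:
        actions.push({ type: "ignore", subscriptionId });
    }
  }
  return { status: 202, actions }; // 202 Accepted acknowledges the event
}
```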
7. Application
Configure application permissions on resources in your Entra
application registration.
Keep in mind that application permissions are very powerful and
additional actions should be taken to limit application permissions.
Use the Client Credential OAuth2 flow to retrieve an access
token.
Subscribe to resources using the access token.
On Reauthorization Required lifecycle events simply request
a new access token via the Client Credential flow to
reauthorize and update a subscription
Subscribing as application or on-behalf of a user (delegated)
Delegated
Configure delegated permissions on resources in your Entra
application registration.
Make sure that you added the offline_access permission to
get a refresh token.
Perform an Authorization Code OAuth2 flow to retrieve an
access token and refresh token.
Subscribe to resources
On Reauthorization Required lifecycle events use a valid
cached access token or retrieve a new access token by
performing a token refresh operation.
9. Prerequisites
Access to your Azure Tenant using the Azure Portal
Cloud Application Administrator role assigned to your user
account to register an application in your tenant.
PowerShell to generate a Public/Private key pair for Rich
Notifications.
11. Rich Notifications
Certificate / Private Key
<#
Script generates a new certificate and private key
private-key.xml The private key in XML format
public.cer The public key base64 encoded
#>
$params = @{
    Subject           = "CN=Microsoft Graph Rich Notifications"
    CertStoreLocation = "Cert:\CurrentUser\My"
    KeyExportPolicy   = "Exportable"
    KeyUsage          = "DataEncipherment"
    KeyAlgorithm      = "RSA"
    KeyLength         = 2048
    KeyUsageProperty  = "All"
} # End Certificate Parameters

# Create Certificate in User Certificate Store (Personal)
$cert = New-SelfSignedCertificate @params

# Export the private key in XML Format.
# The file holds unencrypted key material that decrypts every rich notification payload.
$cert.PrivateKey.ToXmlString($true) | Out-File "private-key.xml"

# Export the certificate (public) as DER base64 encoded
[System.Convert]::ToBase64String($cert.Export('Cert')) | Out-File "public.cer"
13. Best practices
Try to avoid subscribing under application permissions. Use
delegated permission if possible.
Use a single REST API to receive all Graph API webhooks.
Don't create separate endpoints for different use cases.
For large volumes of subscriptions and events consider
Azure Event Grid (preview) or Lambda to AWS EventBridge.
14. Master OAuth 2.0 Website
Microsoft Developer Program
Azure Portal
Microsoft Learn – Authorization Code Flow
Use the Microsoft Graph API documentation
Microsoft Graph Explorer
OAuth Token Exchange Forge component
CryptoAPI Forge component
Additional Material
Microsoft Graph Permission Reference
Microsoft Graph API Lifecycle Events
Notifications Endpoint Validation
Rich Notifications
15. Introduction and Bedrock Knowledge Bases
Overview of Amazon Bedrock
Configuration and Model Access
Creating a Knowledge Base
Query Knowledge Base Information
When to roll your own custom Knowledge Base
Use Bedrock Knowledge Bases for Retrieval Augmented
Generation (RAG) in OutSystems applications.
March 2024
Coming up – Amazon Bedrock
Bedrock Agents and Action Groups
Overview of Agents and AI Reasoning
Create and Configure an Agent
Add Knowledge Base(s) to an Agent
Add Lambda Functions middleware to an Agent
Use Bedrock Agents in OutSystems applications
April 2024
16. Stefan Weber
Senior Director Software Development
Telelink Business Services Germany GmbH
OutSystems MVP – AWS Community Builder
https://www.tbs.tech
https://www.linkedin.com/in/stefanweber1/
https://lcnc.blog