Thank you for contacting Microsoft Q&A Support and for sharing the details of your issue. Since your scenario involves Microsoft Graph subscriptions with encrypted resource data in GCC High, which is a specialized and security-sensitive environment, this falls outside the scope of our direct support on Microsoft Q&A. I’d recommend posting your question on the Microsoft Tech Community as well: Contributing to the Community | Microsoft Community Hub
The Tech Community is actively monitored by Microsoft engineers and product teams who work directly with GCC High and government cloud deployments. By posting there, you’ll have access to:
- Experts familiar with Graph API limitations in sovereign clouds
- Real-world insights from other GCC High customers
- Potential updates or workarounds not yet documented publicly
You can simply copy your current question and include any additional context or tenant details if available.
In the meantime, you may also find the following official documentation helpful for understanding Graph API behavior in sovereign clouds and working with encrypted resource data:
- Set up Microsoft Graph change notifications with resource data - Microsoft Graph | Microsoft Learn
- Microsoft Graph national cloud deployments - Microsoft Graph | Microsoft Learn
- Update subscription - Microsoft Graph beta | Microsoft Learn
Also, I took some time to analyze the subscription payload you shared, and I noticed a key issue:
This configuration is not valid for the PATCH (update) operation on an existing Microsoft Graph subscription. According to the official documentation (Update subscription - Microsoft Graph beta), the following properties cannot be updated once the subscription is created:
- includeResourceData
- encryptionCertificate
- encryptionCertificateId
- clientState
These fields are read-only during update and must be set only during the initial POST (create) request. Attempting to include them in a PATCH request will result in an error.
If your goal is to change any of these values, you’ll need to delete the existing subscription and create a new one with the desired configuration.
For reference, you can review the correct usage of these fields during subscription creation in the following documentation: Create subscription - Microsoft Graph v1.0 | Microsoft Learn
Key Insights on GCC High Differences
- Feature Support in GCC High: Change notifications (subscriptions) are available, but advanced options like including resource data with encryption may not be fully rolled out or supported in national clouds, including GCC High.
- Outlook event Resources: In the global endpoint, encryption is optional for rich notifications. However, in GCC High, providing encryption parameters may trigger deserialization errors due to backend limitations.
- No Explicit Encryption Support in Gov Clouds: The documentation does not confirm support for encrypted resource data in sovereign clouds, and similar features (e.g., Teams change notifications) are explicitly unsupported in GCC High.
This aligns with your observation that the same payload works in the global service but fails in GCC High.
If you need any further assistance or have additional questions, please don’t hesitate to reach out. I'm here to help.
Thank you again for your cooperation and understanding.
Have a good day!
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.