Microsoft Graph rich subscription creation fails for GCC clients.

Stephen Appiah 0 Reputation points
2025-08-18T13:47:11.5966667+00:00

Details: I’m trying to create a Microsoft Graph subscription to watch Outlook events with encrypted resource data. My request body looks like this:


{
    "changeType":"updated,deleted",
    "notificationUrl":"https://my-inbound.url",
    "lifecycleNotificationUrl":"https://my-inbound.url",
    "resource":"users/<redacted>/events?$select=id,subject,start,end,attendees,isCancelled,isOrganizer,iCalUId,uid,bodyPreview,uid,organizer,onlineMeeting,onlineMeetingUrl,changeKey,sensitivity,lastModifiedDateTime,originalEndTimeZone,createdDateTime,allowNewTimeProposals,hasAttachments,singleValueExtendedProperties",
    "expirationDateTime":"2025-08-15T12:02:19.124967+00:00",
    "includeResourceData":true,
    "clientState":"<redacted>",
    "encryptionCertificate":"<redacted>",
    "encryptionCertificateId":"<redacted>"
}

When I POST to:


https://graph.microsoft.us/v1.0/subscriptions

I get the following error:

json
Copy
{
    "error": {
        "code": "ExtensionError",
        "message": "Operation: Create; Exception: [Status Code: BadRequest; Reason: were unable to deserialize ]",
        "innerError": {
            "date": "2025-08-13T12:18:05",
            "request-id": "cde172db-4cc2-4cd2-9e1c-63f46f36d0e3",
            "client-request-id": "cde172db-4cc2-4cd2-9e1c-63f46f36d0e3"
        }
    }
}

This request payload works for all our clients except those on Microsoft GCC High. Is there a different setup required when configuring clients in GCC High?

Outlook | Web | Outlook on the web for business | Calendar
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Liora D 2,570 Reputation points Microsoft External Staff Moderator
    2025-08-18T15:01:22.07+00:00

    Hi @Stephen Appiah

    Thank you for contacting Microsoft Q&A Support and for sharing the details of your issue. Since your scenario involves Microsoft Graph subscriptions with encrypted resource data in GCC High, which is a specialized and security-sensitive environment, this falls outside the scope of our direct support on Microsoft Q&A. I’d recommend posting your question on the Microsoft Tech Community as well: Contributing to the Community | Microsoft Community Hub 

    The Tech Community is actively monitored by Microsoft engineers and product teams who work directly with GCC High and government cloud deployments. By posting there, you’ll have access to: 

    • Experts familiar with Graph API limitations in sovereign clouds 
    • Real-world insights from other GCC High customers 
    • Potential updates or workarounds not yet documented publicly 

    You can simply copy your current question and include any additional context or tenant details if available. 

    In the meantime, you may also find the following official documentation helpful for understanding Graph API behavior in sovereign clouds and working with encrypted resource data: 

    Also, I took some time to analyze the subscription payload you shared, and I noticed a key issue:   

    This configuration is not valid for the PATCH (update) operation on an existing Microsoft Graph subscription. According to the official documentation (Update subscription - Microsoft Graph beta), the following properties cannot be updated once the subscription is created: 

    • includeResourceData 
    • encryptionCertificate 
    • encryptionCertificateId 
    • clientState 

    These fields are read-only during update and must be set only during the initial POST (create) request. Attempting to include them in a PATCH request will result in an error. 

    If your goal is to change any of these values, you’ll need to delete the existing subscription and create a new one with the desired configuration. 

    For reference, you can review the correct usage of these fields during subscription creation in the following documentation: Create subscription - Microsoft Graph v1.0 | Microsoft Learn 

    Key Insights on GCC High Differences

    • Feature Support in GCC High: Change notifications (subscriptions) are available, but advanced options like including resource data with encryption may not be fully rolled out or supported in national clouds, including GCC High.
    • Outlook event Resources: In the global endpoint, encryption is optional for rich notifications. However, in GCC High, providing encryption parameters may trigger deserialization errors due to backend limitations.
    • No Explicit Encryption Support in Gov Clouds: The documentation does not confirm support for encrypted resource data in sovereign clouds, and similar features (e.g., Teams change notifications) are explicitly unsupported in GCC High.

    This aligns with your observation that the same payload works in the global service but fails in GCC High.

    If you need any further assistance or have additional questions, please don’t hesitate to reach out. I'm here to help. 

    Thank you again for your cooperation and understanding. 

    Have a good day! 


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.