Can users consent to Notifications.ReadWrite.CreatedByApp themselves?

Yes, this delegated permission allows user consent. Users can grant this permission during sign-in without admin approval.

How do I add Notifications.ReadWrite.CreatedByApp to my app registration?

Go to Azure Portal > App registrations > Your app > API permissions > Add permission > Microsoft Graph, then search for Notifications.ReadWrite.CreatedByApp and select it.

Notifications.ReadWrite.CreatedByApp Permission - Microsoft Graph API

Notifications.ReadWrite.CreatedByApp

Permission Details

Delegated Permission

Deliver and manage user notifications for this app

Allows the app to deliver its notifications on behalf of signed-in users. Also allows the app to read, update, and delete the user's notification items for this app.

Permission ID: 89497502-6e42-46a2-8cb2-427fd3df970a

Properties

Property	Type	Description
`id`	`string`	The unique identifier for an entity. Read-only.
`targetHostName`	`string`	Represents the host name of the app to which the calling service wants to post the notification, for the given user. If targeting web endpoints (see targetPolicy.platformTypes), ensure that targetHostName is the same as the name used when creating a subscription on the client side within the application JSON property.
`payload`	`microsoft.graph.payloadTypes`
`displayTimeToLive`	`int32`Nullable	Sets how long (in seconds) this notification content stays in each platform's notification viewer. For example, when the notification is delivered to a Windows device, the value of this property is passed on to ToastNotification.ExpirationTime, which determines how long the toast notification stays in the user's Windows Action Center.
`expirationDateTime`	`date-time`Nullable	Sets a UTC expiration date and time on a user notification using ISO 8601 format (for example, midnight UTC on Jan 1, 2019 would look like this: '2019-01-01T00:00:00Z'). When time is up, the notification is removed from the Microsoft Graph notification feed store completely and is no longer part of notification history. Max value is 30 days.
`groupName`	`string`Nullable	The name of the group that this notification belongs to. It is set by the developer for grouping notifications together.
`targetPolicy`	`object`	Target policy object handles notification delivery policy for endpoint types that should be targeted (Windows, iOS, Android and WebPush) for the given user.
`priority`	`object`	Indicates the priority of a raw user notification. Visual notifications are sent with high priority by default. Valid values are None, High and Low.

Graph Methods

Delegated access App-only access

No API methods available for this version.

Methods
POST `/me/notifications/`

No PowerShell cmdlets available for this version.

Commands
`New-MgBetaUserNotification`

Code Examples

C# / .NET SDK

// Install: dotnet add package Microsoft.Graph
// Install: dotnet add package Azure.Identity
using Microsoft.Graph;
using Azure.Identity;

// Delegated permissions - interactive user sign-in
var scopes = new[] { "Notifications.ReadWrite.CreatedByApp" };
var options = new InteractiveBrowserCredentialOptions
{
    ClientId = "YOUR_CLIENT_ID",
    TenantId = "YOUR_TENANT_ID",
    RedirectUri = new Uri("http://localhost")
};
var credential = new InteractiveBrowserCredential(options);
var graphClient = new GraphServiceClient(credential, scopes);

// Example: GET /me
var result = await graphClient.Me.GetAsync();
Console.WriteLine($"User: {result?.DisplayName}");

JavaScript / TypeScript

// npm install @azure/msal-browser @microsoft/microsoft-graph-client
import { PublicClientApplication } from "@azure/msal-browser";
import { Client } from "@microsoft/microsoft-graph-client";
import { AuthCodeMSALBrowserAuthenticationProvider } from 
    "@microsoft/microsoft-graph-client/authProviders/authCodeMsalBrowser";

const msalConfig = {
    auth: {
        clientId: "YOUR_CLIENT_ID",
        authority: "https://login.microsoftonline.com/YOUR_TENANT_ID"
    }
};

const pca = new PublicClientApplication(msalConfig);
await pca.initialize();

// Delegated: Login with required scope
const loginResponse = await pca.loginPopup({
    scopes: ["Notifications.ReadWrite.CreatedByApp"]
});

const authProvider = new AuthCodeMSALBrowserAuthenticationProvider(pca, {
    account: loginResponse.account,
    scopes: ["Notifications.ReadWrite.CreatedByApp"],
    interactionType: "popup"
});

const graphClient = Client.initWithMiddleware({ authProvider });

// Example: GET /me
const result = await graphClient.api("/me").get();
console.log(result);

PowerShell

# Install Microsoft Graph PowerShell module
Install-Module Microsoft.Graph -Scope CurrentUser

# Delegated access - interactive sign-in
Connect-MgGraph -Scopes "Notifications.ReadWrite.CreatedByApp"

# Verify connection
Get-MgContext | Select-Object Account, TenantId, Scopes

# Example: GET /me
$result = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me"
$result | ConvertTo-Json -Depth 5


# Always disconnect when done
Disconnect-MgGraph

Python

# pip install msgraph-sdk azure-identity
from azure.identity import InteractiveBrowserCredential, ClientSecretCredential
from msgraph import GraphServiceClient
import asyncio

# Delegated permissions - interactive browser sign-in
credential = InteractiveBrowserCredential(
    client_id="YOUR_CLIENT_ID",
    tenant_id="YOUR_TENANT_ID"
)
scopes = ["Notifications.ReadWrite.CreatedByApp"]
client = GraphServiceClient(credential, scopes)

async def get_data():
    # Example: GET /me
    result = await client.me.get()
    print(f"User: {result.display_name}")
    return result

asyncio.run(get_data())

App Registration

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

Select Permission Type

Choose Delegated permissions and search for Notifications.ReadWrite.CreatedByApp

Grant Admin Consent

Users can consent to this permission themselves during sign-in.