Subscription.Read.All
Export JSON
Export CSV
Copy URL
Print
Delegated
Read
All Resources
Allows the app to read all webhook subscriptions on behalf of the signed-in user.
Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access
App-Only Access
Permission Details
Delegated Permission
Admin consent required
Read all webhook subscriptions
Allows the app to read all webhook subscriptions on behalf of the signed-in user.
User sees: Allows the app to read all webhook subscriptions on your behalf.
Permission ID:
5f88184c-80bb-4d52-9ff2-757288b2e9b7
Properties
Microsoft Graph v1.0
exact-category-docs
Properties is shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
applicationId |
StringNullable |
Optional. Identifier of the application used to create the subscription. Read-only. |
changeType |
String |
Required. Indicates the type of change in the subscribed resource that raises a change notification. The supported values are: created, updated, deleted. Multiple values can be combined using a comma-separated list. , , Note: <li Drive root item and list change notifications support only the updated changeType. <liUser and group change notifications support updated and deleted changeType. Use updated to receive notifications when user or group is created, updated, or soft deleted. Use deleted to receive notifications when user or group is permanently deleted. |
clientState |
StringNullable |
Optional. Specifies the value of the clientState property sent by the service in each change notification. The maximum length is 128 characters. The client can check that the change notification came from the service by comparing the value of the clientState property sent with the subscription with the value of the clientState property received with each change notification. |
creatorId |
StringNullable |
Optional. Identifier of the user or service principal that created the subscription. If the app used delegated permissions to create the subscription, this field contains the ID of the signed-in user the app called on behalf of. If the app used application permissions, this field contains the ID of the service principal corresponding to the app. Read-only. |
encryptionCertificate |
StringNullable |
Optional. A base64-encoded representation of a certificate with a public key used to encrypt resource data in change notifications. Optional but required when includeResourceData is true. |
encryptionCertificateId |
StringNullable |
Optional. A custom app-provided identifier to help identify the certificate needed to decrypt resource data. |
expirationDateTime |
DateTimeOffset |
Required. Specifies the date and time when the webhook subscription expires. The time is in UTC, and can be an amount of time from subscription creation that varies for the resource subscribed to. Any value under 45 minutes after the time of the request is automatically set to 45 minutes after the request time. For the maximum supported subscription length of time, see Subscription lifetime. |
id |
String |
Optional. Unique identifier for the subscription. Read-only. |
includeResourceData |
BooleanNullable |
Optional. When set to true, change notifications include resource data (such as content of a chat message). |
latestSupportedTlsVersion |
StringNullable |
Optional. Specifies the latest version of Transport Layer Security (TLS) that the notification endpoint, specified by notificationUrl, supports. The possible values are: v10, v11, v12, v13. </br</brFor subscribers whose notification endpoint supports a version lower than the currently recommended version (TLS 1.2), specifying this property by a set timeline allows them to temporarily use their deprecated version of TLS before completing their upgrade to TLS 1.2. For these subscribers, not setting this property per the timeline would result in subscription operations failing. </br</brFor subscribers whose notification endpoint already supports TLS 1.2, setting this property is optional. In such cases, Microsoft Graph defaults the property to v12. |
lifecycleNotificationUrl |
StringNullable |
Required for Teams resources if the expirationDateTime value is more than 1 hour from now; optional otherwise. The URL of the endpoint that receives lifecycle notifications, including subscriptionRemoved, reauthorizationRequired, and missed notifications. This URL must make use of the HTTPS protocol. For more information, see Reduce missing subscriptions and change notifications. |
notificationQueryOptions |
StringNullable |
Optional. OData query options for specifying value for the targeting resource. Clients receive notifications when resource reaches the state matching the query options provided here. With this new property in the subscription creation payload along with all existing properties, Webhooks deliver notifications whenever a resource reaches the desired state mentioned in the notificationQueryOptions property. For example, when the print job is completed or when a print job resource isFetchable property value becomes true etc. , , Supported only for Universal Print Service. For more information, see Subscribe to change notifications from cloud printing APIs using Microsoft Graph. |
notificationUrl |
String |
Required. The URL of the endpoint that receives the change notifications. This URL must make use of the HTTPS protocol. Any query string parameter included in the notificationUrl property is included in the HTTP POST request when Microsoft Graph sends the change notifications. |
notificationUrlAppId |
StringNullable |
Optional. The app ID that the subscription service can use to generate the validation token. The value allows the client to validate the authenticity of the notification received. |
resource |
String |
Required. Specifies the resource that is monitored for changes. Don't include the base URL (https://graph.microsoft.com/v1.0/). See the possible resource path values for each supported resource. |
JSON Representation
Microsoft Graph v1.0
exact-category-docs
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
JSON representation
{
"@odata.type": "#microsoft.graph.subscription",
"applicationId": "String",
"changeType": "String",
"clientState": "String",
"creatorId": "String",
"encryptionCertificate": "String",
"encryptionCertificateId": "String",
"expirationDateTime": "String (timestamp)",
"id": "String (identifier)",
"includeResourceData": "Boolean",
"latestSupportedTlsVersion": "String",
"lifecycleNotificationUrl": "String",
"notificationQueryOptions": "String",
"notificationUrl": "String",
"notificationUrlAppId": "String",
"resource": "String"
}Relationships
Relationships metadata is not available for this permission mapping.
View resource documentationGraph Methods
Delegated access
App-only access
No Learn or OpenAPI mapping available
Microsoft Graph v1.0 endpoints are not available from refreshed Microsoft Learn or Microsoft Graph OpenAPI metadata for this permission.
No API methods available for this version.
No Learn or OpenAPI mapping available
Microsoft Graph beta endpoints are not available from refreshed Microsoft Learn or Microsoft Graph OpenAPI metadata for this permission.
No API methods available for this version.
No Microsoft Learn PowerShell mapping available
Microsoft Graph PowerShell v1.0 commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission.
No deterministic PowerShell command map is available for this permission.
Browse PowerShell docs
No Microsoft Learn PowerShell mapping available
Microsoft Graph PowerShell beta commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission.
No deterministic PowerShell command map is available for this permission.
Browse PowerShell docsCode Examples
C# / .NET SDK
using Azure.Identity;
using Microsoft.Graph;
var scopes = new[] { "Subscription.Read.All" };
var credential = new InteractiveBrowserCredential(
new InteractiveBrowserCredentialOptions
{
ClientId = "YOUR_CLIENT_ID",
TenantId = "YOUR_TENANT_ID",
RedirectUri = new Uri("http://localhost")
});
var graphClient = new GraphServiceClient(credential, scopes);
var response = await graphClient
.WithUrl("https://graph.microsoft.com/v1.0/subscription")
.GetAsync();
JavaScript
import { Client } from "@microsoft/microsoft-graph-client";
import { InteractiveBrowserCredential } from "@azure/identity";
const credential = new InteractiveBrowserCredential({
clientId: "YOUR_CLIENT_ID",
tenantId: "YOUR_TENANT_ID",
redirectUri: "http://localhost"
});
const token = await credential.getToken(["Subscription.Read.All"]);
const client = Client.init({
authProvider: (done) => done(null, token.token)
});
const response = await client.api("/subscription").get();
PowerShell
Connect-MgGraph -Scopes "Subscription.Read.All"
Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/subscription"
Python
from azure.identity import InteractiveBrowserCredential
import requests
credential = InteractiveBrowserCredential(
client_id="YOUR_CLIENT_ID",
tenant_id="YOUR_TENANT_ID"
)
token = credential.get_token("Subscription.Read.All")
response = requests.get(
"https://graph.microsoft.com/v1.0/subscription",
headers={"Authorization": f"Bearer {token.token}"}
)
print(response.json())App Registration
1
Navigate to Azure Portal
Go to App registrations in Microsoft Entra admin center
2
Add API Permission
Select your app → API permissions → Add a permission → Microsoft Graph
3
Select Permission Type
Choose Delegated permissions and search for Subscription.Read.All
4
Grant Admin Consent
This delegated permission requires admin consent.