Microsoft Graph webhook subscription fails with TLS error when endpoint only accepts TLS 1.3

Divya Prakash 20 Reputation points
2026-02-04T21:34:23.2566667+00:00

When creating a Microsoft Graph change notification subscription via POST /v1.0/subscriptions, the request fails with a TLS/SSL error during webhook URL validation:

{
  "code": "ValidationError",
  "message": "HttpRequestException: An error occurred while sending the request. WebException: The request was aborted: Could not create SSL/TLS secure channel."
}


Environment

  • Creating subscriptions for OneDrive for Business / SharePoint drives
  • Notification URL is publicly accessible and uses HTTPS
  • Certificate is valid (Google Trust Services, ECDSA prime256v1)
  • Endpoint correctly handles validation token (works in development)

We tested our production endpoint's TLS support using OpenSSL.

TLS 1.3 succeeds:

$ openssl s_client -connect example.com:443 -servername example.com
CONNECTED
Protocol: TLSv1.3
Cipher: TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)

TLS 1.2 fails:

$ openssl s_client -connect example.com:443 -servername example.com -tls1_2
error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
SSL alert number 70

Our production environment (behind Cloudflare) is configured to accept TLS 1.3 only. TLS 1.2 connections are rejected with a protocol version alert.

  1. The same code works in development using ngrok (which accepts TLS 1.2)
  2. The Microsoft Graph API accepts TLS 1.3 for inbound requests (our app calling Graph works fine)
  3. The webhook validation fails, suggesting Graph's outbound validation service uses TLS 1.2

Questions

  • Does Microsoft Graph's webhook validation service support TLS 1.3 for outbound connections to notification URLs?
  • If not, is this documented anywhere? The current documentation only states endpoints must "support TLS 1.2 or higher" but doesn't clarify what version Graph uses for outbound calls.
  • Is there a planned timeline for TLS 1.3 support for outbound webhook connections?
  • Is there any workaround other than enabling TLS 1.2 on our endpoint?

Additional Context

  • We've verified the certificate chain is valid
  • The endpoint is publicly accessible
  • DNS resolves correctly
  • The validation endpoint handler works correctly (tested with ngrok/TLS 1.2)
  • Permissions are correct (tested via GET /subscriptions which returns 200)

The only variable that changed between working (dev) and failing (prod) is the TLS version accepted by our endpoint.


Answer accepted by question author
  1. Teddie-D 11,990 Reputation points Microsoft External Staff Moderator
    2026-02-05T00:32:18.0466667+00:00

    Hi @Divya Prakash
    Thank you for posting your question in the Microsoft Q&A forum.
    Currently, Microsoft Graph’s webhook validation does not reliably work with endpoints that only support TLS 1.3. 

    In practice, the webhook validation service often negotiates TLS 1.2 and does not consistently negotiate TLS 1.3. As a result, endpoints that completely reject TLS 1.2 will fail validation before the request reaches application code, even if the certificate and endpoint are fully valid for TLS 1.3.

    Although the official documentation does not explicitly address this issue, both testing and community reports consistently indicate the behavior. Unfortunately, Microsoft has not yet shared a public roadmap or timeline for enabling outbound TLS 1.3 support in webhook validation. 

    At this time, there is no workaround other than allowing TLS 1.2 compatibility on the webhook validation endpoint. This requirement applies specifically during subscription creation, when Graph makes the outbound HTTPS request to validate your webhook. 

    I understand this may be frustrating if you are aiming for TLS 1.3‑only security, but enabling TLS 1.2 support is currently the only way to ensure successful validation. 
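
Added example, not part of the original thread and not Microsoft's code: a Python version of the OpenSSL check from the question. It pins the client to one protocol version at a time and reports whether an endpoint would turn away a TLS 1.2 handshake. The function names are assumptions of this example, and the hostname is supplied by the caller.

```python
"""Probe which TLS versions a webhook endpoint accepts (added example)."""
import socket
import ssl
import sys

VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def pinned_context(version):
    """Client context offering exactly one protocol version, with normal cert checks."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port, version, timeout=5.0):
    """Return the negotiated protocol string, or None on any handshake failure
    (protocol alert, certificate error, timeout, refused connection)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with pinned_context(version).wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


def verdict(accepted):
    """Map {'TLSv1.2': bool, 'TLSv1.3': bool} to the outcome the thread describes."""
    if accepted.get("TLSv1.2"):
        return "ok: a TLS 1.2 client can complete the handshake"
    if accepted.get("TLSv1.3"):
        return "at risk: TLS 1.3 only, a TLS 1.2 validation request is rejected"
    return "unreachable: neither version completed a handshake"


def check(host, port=443):
    """Probe both versions and return (per-version results, verdict)."""
    accepted = {name: probe(host, port, v) is not None for name, v in VERSIONS.items()}
    return accepted, verdict(accepted)


if __name__ == "__main__":
    # example.com is the placeholder hostname used in the question.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    accepted, result = check(host)
    for name, ok in accepted.items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
    print(result)
```

Run it against the production notification hostname before creating the subscription; an "at risk" result matches the configuration described in the question.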