Hi @Charmi
Thank you for reaching out to Microsoft Q&A.
From your description, the webhook subscription is getting created successfully, but notifications are not reaching your server when users are created or deleted. In Azure (Microsoft Entra ID / Microsoft Graph change notifications), this usually happens due to either endpoint validation issues, event behavior limitations, or delivery constraints rather than a simple misconfiguration.
Refer to the points below to resolve this issue:
1. Validate Webhook Endpoint Accessibility
Microsoft Graph sends notifications only if your endpoint is publicly accessible over HTTPS. If your server is behind a firewall, private network, or V-Net, notifications will not be delivered.
Ensure:
Endpoint is reachable from the internet
HTTPS is enabled (TLS 1.2)
No firewall / WAF is blocking requests
If using APIM / App Gateway → check inbound rules (common blocking cause)
2. Ensure Proper Validation Handshake
During subscription creation, Microsoft Graph sends a validation request with a token, and your endpoint must return that token immediately.
If:
Token is not echoed exactly
Response is delayed
Response format is incorrect
3. Check Response Time (Critical – 3 seconds rule)
Your webhook must respond within 3 seconds with a 200 or 202 status.
If delayed → notifications may be dropped
Graph retries, but eventually stops delivering
4. Subscription Expiry / Renewal
Graph webhook subscriptions are temporary (expire within hours/days depending on resource)
If subscription expires → no notifications will be delivered
Must renew subscription before expiry
Failure to renew is a common reason why webhooks “stop working” suddenly
5. User Deletion Behavior (Important for your scenario)
For user deleted events in Azure AD:
Most deletions are soft deletes first
Webhook may send:
updated event (for soft delete)
deleted only after permanent delete (hard delete)
Subscribe to:
changeType = "created,updated,deleted"
6. Delay in Event Delivery
Graph notifications are not always instant for directory objects
Delivery can sometimes take time (minutes to hours) depending on backend processing
7. Verify Subscription Scope & Permissions
Ensure:
Resource:
/users
Permissions:
User.Read.All
Directory.Read.All (recommended)
If permissions are insufficient → events won’t trigger even though subscription is created
8. Check Filtering / Incorrect Configuration
If using Event Grid / APIM along with Graph:
Verify:
Filters are not excluding events
Event types match expected triggers
Incorrect filters can block delivery entirely
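
The handshake from point 2 and the fast acknowledgement from point 3, sketched as an added example that is not part of the original answer or Microsoft's own code. The names `handle_graph_post`, `pending` and `EXPECTED_CLIENT_STATE`, the port, and the sample values are assumptions; the `clientState` check assumes you set that property when creating the subscription.

```python
import hmac
import json
import queue
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, parse_qs

# Assumption: the secret you supplied as clientState on the subscription.
EXPECTED_CLIENT_STATE = "constructed-secret-value"
pending = queue.Queue()  # notifications wait here for a background worker

def handle_graph_post(target, body):
    """Return (status, content_type, response_body) for one POST from Microsoft Graph."""
    query = parse_qs(urlsplit(target).query)
    # Validation handshake: echo the URL-decoded token as plain text, nothing else.
    if "validationToken" in query:
        return 200, "text/plain", query["validationToken"][0].encode("utf-8")
    try:
        items = list(json.loads(body)["value"])
    except (ValueError, KeyError, TypeError):
        return 400, "text/plain", b"bad request"
    for item in items:
        state = str(item.get("clientState")) if isinstance(item, dict) else ""
        # Queue only notifications that carry the clientState we registered.
        if hmac.compare_digest(state.encode(), EXPECTED_CLIENT_STATE.encode()):
            pending.put(item)  # slow work happens later, outside the request
    # Acknowledge right away so the reply stays well inside the time limit.
    return 202, "text/plain", b""

class GraphWebhook(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        status, ctype, out = handle_graph_post(self.path, self.rfile.read(length))
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

if __name__ == "__main__":
    # Plain HTTP on localhost; assumes TLS is terminated by a reverse proxy in front.
    HTTPServer(("127.0.0.1", 8080), GraphWebhook).serve_forever()
```

Logging the status and elapsed time of each call to `handle_graph_post` shows quickly whether Graph reached the endpoint at all and whether the handshake or a notification is what failed.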