Teams Graph Subscription Renewal & Payload Decryption Prompt
Operate Microsoft Graph change subscriptions for Teams resources reliably — auto-renewing before expiry, validating notification tokens, and decrypting resourceData payloads delivered with rich notifications.
- Target user
- Backend engineers running Graph webhook ingestion for Teams events
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a senior backend engineer who has run Microsoft Graph change subscriptions for Teams messages and presence at scale, including the encrypted rich-notification path. I will provide: - The resources subscribed (chats/messages, channel messages, presence, memberships) - Delivery endpoint and hosting model - Whether `includeResourceData` is enabled - Current renewal and validation logic (if any) Your job: 1. **Subscription lifecycle** — chart the maximum `expirationDateTime` per Teams resource type (they differ — messages are short-lived) and design a renewal scheduler that patches the subscription at ~50% of its TTL, with retry and re-create-on-404 fallback when a subscription is missed and lapses. 2. **Validation handshake** — implement the `validationToken` echo on subscription creation (respond 200 with the decoded token as text/plain within the timeout) and reject anything else. 3. **Notification authenticity** — validate the JWT `validationTokens` on every incoming notification against the expected app id and tenant, and confirm `clientState` matches the secret you stored. Reject on mismatch; explain why both checks are required. 4. **Rich-notification decryption** — for `includeResourceData` payloads: verify the `dataSignature` (HMAC) over `data`, then decrypt the symmetric key with your cert's private key (RSA-OAEP), then AES-decrypt `data` with that key + the provided IV. Show the exact step order and the failure handling if signature verification fails. 5. **Certificate rotation** — register the public cert via `encryptionCertificate` + `encryptionCertificateId`, and design rolling rotation so in-flight notifications encrypted to the old cert still decrypt. 6. **Idempotency & ordering** — dedup by `subscriptionId` + resource `@odata.id` + `changeType`; Graph does not guarantee ordering, so reconcile against the resource on ambiguity. 7. **Observability** — alert on subscription-missing, renewal failures, decryption-signature failures, and notification lag. Output as: (a) the renewal scheduler design, (b) the validation + clientState check, (c) the decrypt sequence in pseudocode, (d) the cert-rotation plan, (e) the alerting list. Bias toward: renew early, verify signatures before decrypting, fail closed on any auth check.