MrCodeWeaver Blog

Can we talk about presence?

April 27, 2043

Can we talk about presence

In a blog post on April 26th, 2024, Microsoft announced breaking changes to Microsoft Graph presence change notifications that goes into affect June 1, 2024. Basically if you are listening to presence change notifications, you will no longer get data on what the presence changed to. You will only get a notification that the presence change for a user. You are left with two options if you want to know what the presence change to (which lets be honest, you do).

  1. After getting the change notification, you would have to call the get user presence API to see what the users presence is. This is.... well... you have to make a whole additional API call to graph for every single change notification. Not good at scale.
  2. Or you have to skip basic change notifications and use rich notifications that will have the presence data encrypted in the request body. This is ok, but then it is up to you to manage the certificate and send the public key along with the request when setting up the rich change notification, and then for every change notification you have to decrypt the resource data.

So, what is the resource data? For presence change notifications, it is only the following:

  • Availability or base presence information (available, away, busy)
  • Activity or information that's supplemental to the availability (in a meeting, in call)

Personally, I'm a bit surprised that that information is considered so sensitive that it needs to be encrypted in the change notification, but I suppose it does make it more secure, so who am I to complain.

Ok fine but,

What I will complain about is the lack of application level scopes for presence change notifications. According to the MS docs, application level permissions are not supported for presence change notification subscriptions. This is especially infuriating because application level permissions are supported on get and set presence, but not on change notification subscriptions.

So if your application would like to get presence change notifications, you are left hanging. You have to setup a "service account", authenticate as that account, and setup the subscriptions that way. Oh and then that service account cannot have MFA on it, etc. Which if we are really caring about security is a bigger concern than the resource data.

So please Microsoft Graph, can we have application level scopes for presence change notification subscriptions? 🙏

Hopefully you've found this useful! Until next time! Peace

Profile picture

Written by Ryan Weaver a software developer in the Microsoft Ecosystem LinkedIn | Github | StackOverflow