SubscriptionCountReached' has reached limit of '1000' - azure-active-directory

I am setting up subscriptions to M365 mailboxes so I can receive a change notification event when something happens to that mailbox. This has been working fine until recently when I started receiving this error:
Status Code: 429; Reason: Resource 'SubscriptionCountReached' has reached limit of '1000'. Please retry after '12/31/9999 11:59:59 PM
Ideally, I just want to delete all subscriptions set up on my M365 tenant, but cannot find where these exist in the Portal UI.
Does anyone have any ideas on how to clear out the old subscriptions that seem to be hanging around?

Status Code: 429;
Reason: Resource 'SubscriptionCountReached' has reached limit of '1000'. Please retry after '12/31/9999 11:59:59 PM
The above error usually occurs when you reach the maximum quota of times (1000) that are predetermined.
According to this Microsoft Doc, the maximum subscription quotas for Azure AD resources are as follows:
To delete all the subscriptions set up in your M365 tenant, try the steps mentioned in the link below:
Delete subscriptions of Azure AD tenant - Azure Active Directory | Microsoft Docs
To allow deletion, subscriptions must be in Deprovisioned state.
An Expired or Canceled subscription will initially move to the Disabled state, and the final stage is the Deprovisioned state.
The simple way to cancel your subscription is to turn off the recurring billing option in order to prevent other charges.
If you added your own domain name to use with your subscription, you must remove the domain before cancelling the subscription.
The expired subscription will send several notifications. It can be deleted automatically after 90 days and will be deleted no later than 180 days.
For more detail, please see the links below if they are helpful.
References:
azure - Microsoft Graph. Exception : reached limit of '1000' - Stack Overflow
Cancel your subscription | Microsoft Docs
Delete expired subscription - Microsoft Community

Related

How to correlate audit logs of Privileged Identity Management in Azure?

I am looking for a way to bundle the individual log entries inside the Privileged Identity Management audit logs by the workflow they belong to.
Every action (like request -> approval -> completion) is a separate entry in the audit logs, and simply grouping by requester and role is not helpful e.g. in case the same person requests something multiple times.
There is a CorrelationId field in every audit log but that is not the same for all steps from the workflow.
I found this in the docs, but that is not helpful for automatic processing:
Typically, the log event immediately above the approval event is an event for "Add member to role completed" where the Initiated by (actor) is the requester. In most cases, you won't need to find the requester in the approval request from an auditing perspective.
Is there another way that I am overlooking?
You could do that by using the Request Id from the Target(s). All actions (request->approval->completion) use the same Request Id.
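Grouping by the Request Id, as the answer suggests, can be automated as follows. This is an added example, not code from the original post; the record layout (a target of type "Request" carrying the id, a flat initiatedBy field), the activity names and the sample entries are constructed assumptions.

```python
from collections import defaultdict

def entry(ts, activity, corr, actor, req):
    """Build one constructed audit record (field layout is an assumption)."""
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "correlationId": corr, "initiatedBy": actor,
            "targetResources": [
                {"type": "Role", "displayName": "Security Administrator"},
                {"type": "Request", "id": req},
            ]}

# Constructed sample: alice requests the same role twice; only the first completes.
SAMPLE_LOGS = [
    entry("2023-05-01T09:05:02Z", "Add member to role completed", "c-3", "alice@example.com", "req-111"),
    entry("2023-05-01T09:00:00Z", "Add member to role requested", "c-1", "alice@example.com", "req-111"),
    entry("2023-05-01T09:05:00Z", "Add member to role request approved", "c-2", "bob@example.com", "req-111"),
    entry("2023-05-02T14:00:00Z", "Add member to role requested", "c-4", "alice@example.com", "req-222"),
]

def request_id(record):
    """Return the id of the target of type 'Request', or None if absent."""
    for target in record.get("targetResources", []):
        if target.get("type") == "Request":
            return target.get("id")
    return None

def correlate(records):
    """Group records by request id; each group is one workflow, oldest first."""
    workflows = defaultdict(list)
    for rec in records:
        workflows[request_id(rec)].append(rec)
    for steps in workflows.values():
        steps.sort(key=lambda r: r["activityDateTime"])
    return dict(workflows)

def incomplete(workflows):
    """Request ids whose workflow never reached a 'completed' step."""
    return sorted(
        rid for rid, steps in workflows.items()
        if rid is not None
        and not any("completed" in s["activityDisplayName"] for s in steps)
    )

if __name__ == "__main__":
    flows = correlate(SAMPLE_LOGS)
    for rid, steps in flows.items():
        print(rid, [(s["correlationId"], s["activityDisplayName"]) for s in steps])
    print("incomplete:", incomplete(flows))
```

Grouping by requester and role would merge the two requests above into one; the request id keeps them apart even though every step has a different CorrelationId.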

Not able to configure hotmail id with azure logic app

I have a simple azure logic app as follows.
Now I add a new action after the first one.
Select an email action.
Look for send email action
Now no matter what I do, I get this error
Please check your account info and/or permissions and try again. Details: REST API is not yet supported for this mailbox. This error can occur for sandbox (test) accounts or for accounts that are on a dedicated (on-premise) mail server. clientRequestId: 9295041e-4d27-4d7f-8ac7-9f90f1cc65ff serviceRequestId: 17c7df3b-7f07-6d27-4f7b-68a4475e9b55 More diagnostic information: x-ms-client-request-id is '51B43F16-6D7C-4BE7-9AE2-7B4A6B73BA49'.
I click Change Connection above and I see this increasing number of connections, and I find no way to delete them. See the last image at the bottom.
And when I click Save, I get this message.
Save logic app failed. Failed to save logic app vivek-logic-app. Some of the connections are not authorized yet. If you just created a workflow from a template, please add the authorized connections to your workflow before saving.
And finally when I click Api Connections, I find no connections to delete.
So two questions.
How to authorize hotmail account to be used by Azure Logic App
How to delete the unnecessary connections
Ok, here it is after a good 3 hour PIA.
For the connections to manage (or delete), look at the resource group and not the Logic app.
And next for the send email action, choose Outlook.Com connection and not Office 365 Outlook. Found the answer here. Mine is personal account and not for work or for school.
Once you set up this action successfully, you can take a look at this page for managing the connection access.

GMB real-time notification settings in pub/sub "reset" every few days

Non-technical person here 🙋‍♂️
I'm having an issue where (using the Oauth 2.0 Playground) I authorize an internal user's GMB account and configure real-time notifications to be sent to our GCP topic. Every few days or so, notifications stop getting sent to our topic and when I check the notification settings for that account, they have been subscribed to an unknown GCP topic. I can reconfigure the notifications settings again, but every few days they are reconfigured to the unknown GCP topic.
It's possible some other app is overwriting my changes periodically, but I am having trouble figuring out where they're coming from.
Is there a log I can review to know where the request to change the notification settings is coming from?
When using the OAuth 2.0 Playground to configure settings, do they "expire" at some point? If so, how do I prevent that from happening?
Thanks in advance for your help!
You can start looking into when and who created the unknown GCP topics by checking your Cloud Logging for created topics. You can do this by:
Open your Google Cloud Console
Open "Logging"
There should be a "Query" tab and select it.
Input protoPayload.methodName="google.pubsub.v1.Publisher.CreateTopic" and click "Run Query". You can check this reference if you'd like to see other logs related to Pub/Sub.
Click "LAST 1 HOUR" to adjust the time parameters of your log query. (Example: adjust it to a whole month to query all Created topics within a month)
Click the ">" beside the result and expand the log.
There are lots of info like the created topic name, what email authenticated this request, etc. In your case you should look out for field authenticationInfo for you to check who invoked the request:
authenticationInfo: {
  principalEmail: "email-used-to-create-the-topic@example.com"
  principalSubject: "user:email-used-to-create-the-topic@example.com"
}
NOTE: For testing purposes I blacked out my project-id and email for this example. Also, the topic I created is log-this-topic and the email in the log is mine, since I was the one that created the topic.
OAuth has set rules for expiration; you can check them under Refresh Token expiration.
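The same CreateTopic filter can be applied offline to exported log entries to see which principal created each topic. This is an added example, not part of the original answer; the one-JSON-object-per-line export, the sample entries and the set of expected creators are constructed assumptions.

```python
import json

METHOD = "google.pubsub.v1.Publisher.CreateTopic"  # filter value from the answer

def sample_line(ts, method, topic, email):
    """Build one constructed log entry as a JSON line."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "methodName": method, "resourceName": topic,
        "authenticationInfo": {"principalEmail": email}}})

# Constructed sample export, including one line that is not valid JSON.
SAMPLE_EXPORT = "\n".join([
    sample_line("2023-03-01T10:00:00Z", METHOD,
                "projects/example-project/topics/gmb-notifications", "admin@example.com"),
    sample_line("2023-03-04T02:13:00Z", METHOD,
                "projects/example-project/topics/unknown-topic", "sync-tool@example.com"),
    sample_line("2023-03-04T02:14:00Z", "google.pubsub.v1.Publisher.DeleteTopic",
                "projects/example-project/topics/old-topic", "admin@example.com"),
    "not json",
])

def topic_creations(export_text):
    """Return (timestamp, topic, principalEmail) for each CreateTopic entry."""
    found = []
    for line in export_text.splitlines():
        try:
            entry = json.loads(line)
            payload = entry["protoPayload"]
        except (ValueError, KeyError, TypeError):
            continue  # skip lines that are not audit log entries
        if not isinstance(payload, dict) or payload.get("methodName") != METHOD:
            continue
        auth = payload.get("authenticationInfo") or {}
        found.append((entry.get("timestamp"), payload.get("resourceName"),
                      auth.get("principalEmail")))
    return found

def unexpected_creators(events, expected):
    """Keep only topic creations whose principal is not in the expected set."""
    return [e for e in events if e[2] not in expected]

if __name__ == "__main__":
    events = topic_creations(SAMPLE_EXPORT)
    for ts, topic, who in unexpected_creators(events, {"admin@example.com"}):
        print(ts, topic, "created by", who)
```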

Trigger based on addition of User in Azure AD

I am looking for a mechanism to identify the users who are added in a specific group and trigger an action based on user addition event. Looks like people are still waiting for it to be available from Azure. The details could be found here
The solution that I am thinking of at the moment is to have an Azure task/Function that goes through the audit logs, detects the "user added" event and then triggers an action.
Is there any other better method?
You could integrate Azure AD logs with Azure Monitor logs, send the Azure AD AuditLogs to the Log Analytics workspace, and then alert on Azure AD activity log data. The query could be something like this (just a sample; I have not tested it, because there is some delay and the log is not sent to the workspace immediately when the event happens):
AuditLogs
| where TimeGenerated >= ago(1h)
| where OperationName == "Add member to group"
Sample:
You could set the Alert logic depending on your own requirement, e.g. Whenever count of results in Custom log search log query for last 1 hour is greater than 0. Evaluated every 10 minutes. and configure the action group, select the action type you want like Email, webhook.
A better way would be to trigger an automation runbook based on an alert based on a condition specific to that audit event. But I'm not sure adding a user is an audit event on Azure level; it is probably an Azure AD event. I don't think Azure AD offers events based on that.
So you'd have to basically parse the events and figure out where you stopped last time based on time or something like that.
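One way to handle the "figure out where you stopped last time" step: keep a time watermark, re-read a small overlap window so that records reaching the workspace late are still picked up, and remember handled record ids so nothing fires twice. This is an added example, not code from the original posts; the record layout, the 15-minute overlap and the sample events are assumptions.

```python
from datetime import datetime, timedelta

OVERLAP = timedelta(minutes=15)  # assumed allowance for late-arriving records
ADD_OP = "Add member to group"   # OperationName used in the page's query

def ev(rec_id, ts, op, upn, group_id):
    """Build one constructed audit record (field layout is an assumption)."""
    return {"Id": rec_id, "TimeGenerated": ts, "OperationName": op,
            "TargetResources": [
                {"type": "User", "userPrincipalName": upn},
                {"type": "Group", "id": group_id},
            ]}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def poll(events, group_id, state):
    """Return UPNs newly added to group_id; updates state in place.

    state holds "watermark" (datetime of the newest handled event) and
    "seen" (ids already handled, so the overlap window never double-fires).
    """
    since = state["watermark"] - OVERLAP
    added = []
    for rec in sorted(events, key=lambda r: parse(r["TimeGenerated"])):
        when = parse(rec["TimeGenerated"])
        if rec["OperationName"] != ADD_OP or when < since:
            continue
        if rec["Id"] in state["seen"]:
            continue
        targets = {t.get("type"): t for t in rec.get("TargetResources", [])}
        user, group = targets.get("User"), targets.get("Group")
        if not user or not group or group.get("id") != group_id:
            continue
        state["seen"].add(rec["Id"])
        state["watermark"] = max(state["watermark"], when)
        added.append(user["userPrincipalName"])
    return added

# Constructed sample: the second batch contains a record (a5) that arrived late.
BATCH_1 = [
    ev("a1", "2023-06-01T10:00:00Z", ADD_OP, "alice@example.com", "grp-A"),
    ev("a2", "2023-06-01T10:05:00Z", ADD_OP, "bob@example.com", "grp-B"),
    ev("a3", "2023-06-01T10:20:00Z", "Remove member from group", "carol@example.com", "grp-A"),
]
BATCH_2 = BATCH_1 + [
    ev("a4", "2023-06-01T10:30:00Z", ADD_OP, "erin@example.com", "grp-A"),
    ev("a5", "2023-06-01T09:55:00Z", ADD_OP, "dave@example.com", "grp-A"),
]
```

Polling `BATCH_1` and then `BATCH_2` for `grp-A` with a starting watermark of 09:00 reports alice first, then dave and erin; a plain "newer than the watermark" comparison would have dropped dave's late record.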

Deleting free trial of azure AD

I am trying to delete a free trial of AzureAD, but there are two requisites that I am unable to get past. These are:
Delete all licence-based subscriptions
Delete all azure-subscriptions
When you click on the first option this states there are no subscriptions to delete?
If you try the second option and navigate to the trial there is no cancel option as this trials status is set to disabled?
Anyone know how to proceed so I can get this test AzureAD account gone?
To delete a directory in Azure Active Directory, you need to meet all the checks.
Azure trial subscription will be canceled automatically after the trial. But you cannot delete the subscription yourself. You will need to wait 90 days before permanently deleting your data in case that you need to access it again.
Here is the reply from MicrosoftDocs.
You can't delete an Azure subscription directly. As the article
states, all an account admin needs to do is Cancel subscription.
Billing stops at that point and all Azure services get disabled, but a
final invoice isn't created until the end of the current billing
period. 90 days after you cancel the subscription, Azure automatically
permanently deletes the subscription and all data.
Reference:
Can not delete subscription
Add an option to delete disabled subscriptions
