Microsoft 365 Management API webhook validation fails with domain, works with IP

Question

Microsoft 365 Management API webhook validation fails with domain, works with IP

Gor 10

Hello,

We are having trouble setting up a webhook for the Microsoft 365 Management Activity API. We’re using an AWS Application Load Balancer (ALB) with a valid TLS certificate for our domain. The webhook endpoint is publicly accessible and works fine when we test it manually using Postman or curl, and we also successfully receive event notifications from Microsoft at that same URL. However, when Microsoft tries to validate the webhook during subscription, it fails. Interestingly, if we use the public IP address of the load balancer instead of the domain name, the validation works. We also see in the ALB access logs that the load balancer responds with a 400 status code during Microsoft’s validation attempt. This behavior is new and started just two days ago, nothing has changed on our side in terms of ALB configuration, DNS, or certificates. Our listener is set up with HTTPS, and the target group routes correctly. It seems like Microsoft might be handling validation requests differently than event deliveries, possibly using a different DNS cache, but we’re not sure.

Any help or insights would be appreciated. Thanks in advance!

2 answers

Your answer

Answer 1

TiNo-T 4,215 Microsoft External Staff Moderator

Dear @Gor,

Thank you so much for contacting Microsoft Q&A.

Based on your description, I understand that you had a problem with Microsoft 365 Management Activity API webhook validation when using domain names behind AWS Application Load Balancers (ALBs). Also, you have tried to do many steps for this setup:

Works with IP address during Microsoft’s validation.
Fails with domain name, returning a 400 Bad Request during validation.
Receives event notifications successfully after subscription is created.
No changes were made to ALB, DNS, or TLS certs recently.

During my research, I find that there are several reasons that may cause it:

1.Microsoft may be using stale or cached DNS records during validation.

2.Validation requests might be routed differently than event notifications.

3.Microsoft’s validation logic is stricter, possibly rejecting responses due to:

TLS handshake issues.
Unexpected headers or content types.
DNS resolution failures or mismatches.

In this situation, I suggest that you should re-check ALB Listener rules and target group health. This is for ensuring the listener is correctly configured for HTTPS and confirming the target group health checks are passing.

Also, I would like to ask for more details of your issue, please kindly provide me a screenshot of the 400 error that you mentioned. Besides that, I want to know that when you use Postman and curl, is it still work normally now? If not, please kindly provide a screenshot as well.

Additionally, you mentioned that it worked with the IP. Therefore, I advise that you can use it as a temporary method while you are checking it again.

Also, I find some articles that you can consult for this feature:

I hope this information can help you with your concern.

Wish you a pleasant day!

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

User's image

Gor 10 Reputation points

2025-07-31T08:01:58.4766667+00:00

Thanks for the response.

Our ALB listener rules and target groups are configured correctly. When using Postman/curl it works normally as expected. Here is an example from the access logs:

According to AWS documentation, the URL in the log shows the exact request sent by the client, and the load balancer keeps it unchanged. In this case, the request was made to the ALB domain, but the TLS handshake was done using our service domain which appears in the SNI field.
TiNo-T 4,215 Reputation points Microsoft External Staff Moderator

2025-08-01T03:51:43.4466667+00:00
Dear @Gor,

Good day! Thank you for your update to Microsoft Q&A Forum.

Based on the log entry and your description, I have checked and can see that:

The ALB is receiving the request.

The SNI is correctly identifying the intended domain.

Postman/cURL tests are working, which suggests the backend and listener rules are correctly configured.

The 400 Bad Request response suggests the ALB is rejecting the request before it reaches the target group.

The -1 -1 -1 values confirm that the request didn’t get forwarded to the target.

Also, you are using AWS Application, this is a third-party app, as a forum moderator, I have limitations in my testing resources and cannot access the internal databases to help you further in this issue. However, I find several ideas that you can double-check to see if they can help:

1.Check listener rule conditions: Ensure that the listener rule matches the Host header (dev.wh.msft.int.overe.io) and the path /ingestion/o365/.... If the rule is too restrictive, the request might not be routed correctly.

2.Verify TLS certificate configuration:

The certificate ARN is present but confirm that the certificate covers the SNI domain (dev.wh.msft.int.overe.io). A mismatch can cause TLS handshake failures or 400 errors.

3.Enable ALB access logs with detailed error reasons:

AWS now supports enhanced logging with error reasons. This can help pinpoint whether the error is due to:

Invalid headers

TLS issues

Rule mismatches

4.Check for Header or payload issues:

Sometimes, malformed headers or payloads can cause ALB to return a 400. Compare the Postman/cURL request with the one your customer is sending to ensure consistency.

Also, I found these articles during my research that may related to your case, you can take a look in here:

TLS - SSL (Schannel SSP) Overview | Microsoft Learn

End-to-end TLS Azure Application Gateway for Containers - Gateway API | Microsoft Learn

Customize SNI in HTTP requests - .NET | Microsoft Learn

I hope for your understanding and patience in this matter.

And if you found my answer and response were helpful in anyway, it'd be great that you can mark it as an accepted answer. So that it can help others in our community who find the same issues as your scenario.

Wish you all the best!
TiNo-T 4,215 Reputation points Microsoft External Staff Moderator

2025-08-04T06:34:38.3233333+00:00

Dear @Gor,

Just following up to see if the info I shared helped out with your issue.

If you’ve got any updates or still need help, feel free to give me a shout, I’m happy to dig into it more with you.

And if everything’s sorted, mark it as an accepted answer. It could be a big help to others in our community who might run into the same thing.

Once again, thank you for your patience and cooperation!

Answer 2

Paul Barnes 0

Hi, this issue has now been fixed by the MSFT team after escalation, it was a recently introduced bug - thanks for the support!

TiNo-T 4,215 Reputation points Microsoft External Staff Moderator

2025-08-05T06:39:42.35+00:00

Dear @Paul Barnes,

Thank you so much for your feedback to Microsoft Q&A Forum.

I appreciate that you can confirm the best solution in this case, so that Mr. @Gor can follow you.Please kindly review all answer and response in this thread Mr. Gor.

And if you found my initial responses were helpful in any way, it'd be great that you can mark it as an accepted answer. This action can help others in our community who find the same issue and they can learn from it.

Wish you a good day!

Share via

Microsoft 365 Management API webhook validation fails with domain, works with IP

2 answers

Your answer