What we are trying to do: Create webhook subscriptions on our O365 users' OneDrive instances from an Azure hosted App Service. This is used to monitor a drop folder in each user's OD instance. We also want to refresh the subscriptions every n days to keep them 'alive'.
When we create the subscriptions, we have a signed-in user - an O365 administrator. We do not have this for the refresh.
App Service: This is a .NET service that uses the MS Graph SDK to carry out OD operations. We have a 'Registered App' in the AAD that the App Service uses to gain the necessary permissions to carry out OD operations.
Problem: While we are able to achieve the objectives of the application, we are having to add the administrator user to each O365 user's SharePoint 'Site Collection Administrators' (in O365 SharePoint Admin). This is not a very satisfactory outcome as it's quite a bit of administrative overhead.
There are permissions in the AAD MS Graph App Registration that seem similar to what we need (Sites.Manage.All/Sites.FullControl.All/Have full control of all Site Collections/Read and Write files in all site collections), but none of these are allowing us to create subscriptions on behalf of the users.
Question: Is there a setting/permission, or perhaps a combination of permissions we can use in the AAD App Registration (MS Graph) that will allow our app to create the webhooks/subscriptions?
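For reference, here is an added example (not the asker's code) of how the create and refresh paths look when the App Service authenticates app-only with client credentials instead of a signed-in administrator, so the same code can run from the scheduled refresh job. It assumes the Microsoft.Graph (v5) and Azure.Identity packages, a client secret on the app registration, and that the registration has been granted and admin-consented an application permission that Graph documents for driveItem subscriptions (Files.ReadWrite.All is the usual one); the tenant, client, user and URL values are placeholders.

```csharp
// Added example, not the asker's code. Assumes Microsoft.Graph v5 + Azure.Identity,
// client-credentials auth, and an admin-consented application permission that Graph
// documents for driveItem subscriptions (assumed here: Files.ReadWrite.All).
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;

public static class OneDriveSubscriptions
{
    // App-only client: no signed-in admin is needed, so the same code path serves
    // both the initial creation and the periodic refresh job.
    public static GraphServiceClient CreateAppOnlyClient(string tenantId, string clientId, string clientSecret)
    {
        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
        return new GraphServiceClient(credential, new[] { "https://graph.microsoft.com/.default" });
    }

    // Subscribe to changes under one user's OneDrive root. driveItem subscriptions only
    // support changeType "updated"; the drop folder is filtered when the notification
    // triggers a delta query, not by the subscription itself.
    public static async Task<Subscription> CreateForUserAsync(
        GraphServiceClient graph, string userIdOrUpn, string notificationUrl, TimeSpan lifetime)
    {
        // Random clientState: persist it with the subscription id and reject any incoming
        // notification whose clientState does not match (it is the only caller proof you get).
        var clientState = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        var request = new Subscription
        {
            ChangeType = "updated",
            NotificationUrl = notificationUrl,   // must be HTTPS and answer Graph's validationToken handshake
            Resource = $"/users/{userIdOrUpn}/drive/root",
            ExpirationDateTime = DateTimeOffset.UtcNow.Add(lifetime), // keep under Graph's documented driveItem maximum
            ClientState = clientState,
        };
        return await graph.Subscriptions.PostAsync(request);
    }

    // Refresh job: extend the expiration before it lapses; PATCH needs no user context either.
    public static async Task<Subscription> RenewAsync(GraphServiceClient graph, string subscriptionId, TimeSpan lifetime)
    {
        var patch = new Subscription { ExpirationDateTime = DateTimeOffset.UtcNow.Add(lifetime) };
        return await graph.Subscriptions[subscriptionId].PatchAsync(patch);
    }
}
```

If the POST still fails with app-only auth, the response body's error code tells you whether it is a consent/permission problem or a notification URL validation failure, which are the two things to check before touching Site Collection Administrators.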