I'm trying to proactively install my Teams app, which is still in development and has not been fully published by Microsoft. I've installed it to my Teams org in the Teams admin center. When I try to install the app in the personal scope of my test user, I'm getting the following message (excluding my Azure app ID):
{
    "error": {
        "code": "Forbidden",
        "message": "AAD App Id {My azure app ID} is not allowed to manage the Teams App '8782dd91-2afe-45e9-8906-858553f7675c'.",
        "innerError": {
            "date": "2021-09-12T21:19:56",
            "request-id": "b50af1b2-b697-403f-b0be-4f66486f4ac1",
            "client-request-id": "b50af1b2-b697-403f-b0be-4f66486f4ac1"
        }
    }
}
The request I'm sending:
POST https://graph.microsoft.com/v1.0/users/{{USERID}}/teamwork/installedApps
Body:
{
    "teamsApp@odata.bind": "https://graph.microsoft.com/v1.0/appCatalogs/teamsApps/8782dd91-2afe-45e9-8906-858553f7675c"
}
What might the issue be? In the developer portal for my app (https://dev.teams.microsoft.com/apps/), the application client ID for my Teams app is set to the correct Azure app ID, so I'm not sure why it isn't allowed to proactively install the Teams app here.
Thanks!
I've been able to successfully make this call in a similar setup, by granting the permission TeamsAppInstallation.ReadForUser.All to the Azure AD app on the client tenant (the tenant of the Teams user).
Update
Sorry, in fact the truth is even crazier than that. It turns out I only get this error when my application requires (and gets) the permission TeamsAppInstallation.ReadWriteSelfForUser.All.
That's right: by getting one additional permission, you have less abilities. I guess only Microsoft could pull that one off 🤣
Original TL;DR
Azure AD apps permissions don't seem to propagate reliably. Re-installing the app on the client tenant(s) may help.
By install I mean going to Azure portal as an admin, Enterprise Applications, selecting the app, then clicking Grant admin consent for <...>.
Original Details
For the record, I was getting the same error for another endpoint (trying to list chats). But after the following flow, the call was accepted by Microsoft Graph!
removed all the permissions of the Azure AD app
the app was still able to list Teams installations in the client tenant 🤯
added a dummy permission to the app, so I could re-install it on client tenant
now the call to list Teams installations was denied by MS Graph
added back single permission TeamsAppInstallation.ReadForUser.All
re-install on client tenant again
now both calls (list Teams installations, list chats) work
Good luck 🍀
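As an added example (not code from the question or the answer above), here is the proactive-install request and the handling of Graph's JSON error envelope written out in Python, with the HTTP transport injected so it runs offline against a constructed 403 response and a constructed 201 response. All IDs are placeholders I made up; the Graph URL shape and the `teamsApp@odata.bind` property are the ones used in the question.

```python
"""Added example: build POST /users/{id}/teamwork/installedApps and flatten
Microsoft Graph's error envelope into the fields worth logging.
The `send` callable is an injected transport (method, url, headers, body)
-> (status, text), so nothing here touches the network."""
import json
from typing import Any, Callable, Dict, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
Transport = Callable[[str, str, Dict[str, str], str], Tuple[int, str]]


def build_install_request(user_id: str, teams_app_id: str) -> Tuple[str, Dict[str, Any]]:
    """URL and body for installing a catalog app in a user's personal scope.
    The body binds the catalog entry through the teamsApp@odata.bind property."""
    url = f"{GRAPH}/users/{user_id}/teamwork/installedApps"
    body = {"teamsApp@odata.bind": f"{GRAPH}/appCatalogs/teamsApps/{teams_app_id}"}
    return url, body


def parse_graph_error(status: int, payload: str) -> Dict[str, str]:
    """Flatten {"error": {"code", "message", "innerError": {"request-id"}}}.
    The request-id is what Microsoft support asks for when you open a case."""
    try:
        doc = json.loads(payload) if payload else {}
    except json.JSONDecodeError:
        return {"status": str(status), "code": "", "message": payload, "request_id": ""}
    err = doc.get("error") or {}
    inner = err.get("innerError") or {}
    return {
        "status": str(status),
        "code": err.get("code", ""),
        "message": err.get("message", ""),
        "request_id": inner.get("request-id", ""),
    }


def install_app_for_user(user_id: str, teams_app_id: str, token: str, send: Transport) -> Dict[str, Any]:
    """Issue the install call; on failure return the parsed error instead of raising.
    A 403 'is not allowed to manage the Teams App' on an app-only token means the
    token's consented application permissions on the target tenant do not cover
    the call, so re-check (and if needed re-grant) consent there before retrying."""
    url, body = build_install_request(user_id, teams_app_id)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, text = send("POST", url, headers, json.dumps(body))
    if status in (200, 201):
        return {"ok": True, "status": status, "installation": json.loads(text) if text else {}}
    info: Dict[str, Any] = parse_graph_error(status, text)
    info["ok"] = False
    return info


# Constructed responses standing in for Graph (placeholder IDs, not real tenants).
FORBIDDEN_BODY = json.dumps({"error": {
    "code": "Forbidden",
    "message": "AAD App Id 00000000-0000-0000-0000-000000000000 is not allowed to "
               "manage the Teams App 'TEAMS-APP-ID-PLACEHOLDER'.",
    "innerError": {"date": "2021-09-12T21:19:56",
                   "request-id": "req-placeholder-1",
                   "client-request-id": "req-placeholder-1"}}})


def fake_send_forbidden(method: str, url: str, headers: Dict[str, str], data: str) -> Tuple[int, str]:
    return 403, FORBIDDEN_BODY


def fake_send_created(method: str, url: str, headers: Dict[str, str], data: str) -> Tuple[int, str]:
    return 201, json.dumps({"id": "installation-placeholder-1"})


if __name__ == "__main__":
    print(install_app_for_user("user-1", "teams-app-1", "TOKEN", fake_send_forbidden))
    print(install_app_for_user("user-1", "teams-app-1", "TOKEN", fake_send_created))
```

To use it against a live tenant, pass a transport that wraps your HTTP client and a token obtained with the client-credentials flow; keep the error dictionary (especially `request_id`) in your logs rather than just the status code.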
Related
We have created a Microsoft Teams tab app with bot integration that we want to distribute to various organizations either manually or via an App Store. In summary,
We created Tabs App with Microsoft Bot using node.js botbuilder package.
We provided zip archive to another organization (another tenant Id).
Organization uploaded our app using Microsoft Teams Admin panel and approved permission in Permission tabs.
Question is how can we receive the tenant id from the organization we are deploying to without asking their admins to go to Azure Active Directory and look it up. Once provided, the graph api and the multi tenant bot does work fine. We are trying to avoid asking their admin to provide us the tenant id and want to retrieve it automatically upon the app being uploaded or on startup.
Thank you.
The best place to get the tenant id is from the access token you are provided by logging in to your app. Look for the 'tid' value.
I'm assuming you are talking about streamlining the company-wide admin consent for your application.
What you can do is have a web site that a customer's admin can log into (using the standard Microsoft OAuth interactive flow). You can then pull the Tenant ID from the access token and then run through the Microsoft consent process. Once the consent process has redirected back to your web site, you can do your own customer onboarding if required.
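The two answers above both come down to reading claims out of the access token: `tid` for the tenant, and the permission claims for what the token can actually do (application permissions show up in `roles`, delegated permissions in the space-separated `scp` claim, which is also the claim to check for the Graph Explorer joinedTeams question further down this page). The following is an added example, not code from any of the answers; it inspects a constructed, unsigned sample token and deliberately does not validate the signature, which you must do before trusting claims from a real token.

```python
"""Added example: read tenant id and granted Graph permissions from a JWT
access token payload. Signature verification is out of scope here; the
sample tokens are constructed locally with alg 'none' and an empty signature."""
import base64
import json
from typing import Any, Dict, List


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; add it back before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims of a compact JWS without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def tenant_id(token: str) -> str:
    """The 'tid' claim: the Azure AD tenant the token was issued for."""
    return decode_claims(token).get("tid", "")


def granted_permissions(token: str) -> List[str]:
    """Union of application permissions ('roles', a list) and delegated
    permissions ('scp', a space-separated string)."""
    claims = decode_claims(token)
    roles = claims.get("roles") or []
    scp = (claims.get("scp") or "").split()
    return sorted(set(roles) | set(scp))


def missing_permissions(token: str, required: List[str]) -> List[str]:
    """Which of `required` the token does not carry; empty list means all present.
    If consent was granted but a permission is still missing here, the grant has
    not propagated into issued tokens yet, or the token was issued before it."""
    have = set(granted_permissions(token))
    return sorted(p for p in required if p not in have)


def make_sample_token(claims: Dict[str, Any]) -> str:
    """Build an unsigned token for local testing only (header.payload.)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed samples with placeholder tenant/app ids.
APP_ONLY_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "tid": "11111111-1111-1111-1111-111111111111",
    "appid": "22222222-2222-2222-2222-222222222222",
    "roles": ["TeamsAppInstallation.ReadForUser.All"],
})
DELEGATED_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "tid": "11111111-1111-1111-1111-111111111111",
    "scp": "User.Read User.Read.All",
})

if __name__ == "__main__":
    print("tenant:", tenant_id(APP_ONLY_TOKEN))
    print("app-only has:", granted_permissions(APP_ONLY_TOKEN))
    print("missing for chats:", missing_permissions(APP_ONLY_TOKEN, ["Chat.Read.All"]))
    print("delegated has:", granted_permissions(DELEGATED_TOKEN))
```

In an onboarding web site you would run this on the token returned by the interactive sign-in to capture `tid`, and in a daemon you would run it on the client-credentials token before the first Graph call so that a consent-propagation problem is reported as "missing role X" rather than as an opaque 403.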
I have got an error when following this Microsoft tutorial. This is the error I'm getting:
I only get this error when I try to login with my organizational AD account, however when I log in with my personal Microsoft account all work as expected.
I'm new to both Microsoft Graph and Laravel, so I'm not 100% sure what is causing the issue, but I believe that it might have something to do with permissions for the owned app in AD. If so, what permissions do I need to allow, as I believe the tutorial doesn't cover this?
I would also like to only allow logins from my organizational AD and not a personal Microsoft account but when I set the app to a single-tenant nothing works.
here is my Github repository
here is a picture of my owned app permissions
here is a picture of the error you get
hopefully, I have included everything that might be needed to help
Got this working by ensuring that I had the user read permission and the mail read setting enabled on the owned permissions list. My org is still on an on-prem mail system, which is unable to get the calendar from this; that can only be done with online mail and hybrid mail servers.
We have an app registered on Azure AD (we got app ID, secret, redirect URL). This app is a daemon/background application which is performing actions on behalf of a user; there is no signed-in user that can grant permissions. In particular, the app will periodically retrieve all emails from a particular Outlook mailbox called my.test@org.com
We are following the permission scoping documentation and the permission documentation when there is no signed in user.
In my understanding we need to
give application permissions on the API permissions page in Azure AD
create a security group which is somehow assigned to the mailbox we want to read from via
New-ApplicationAccessPolicy
    -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b
    -PolicyScopeGroupId EvenUsers@contoso.com <-- would I put here my.test@org.com or the ID of the security group?
    -AccessRight RestrictAccess
    -Description "Restrict this app to members of distribution group EvenUsers."
Is my understanding correct that both of the above steps are needed? It seems strange that in the first step we can only give tenant-wide permissions to the application when we really only need to limit it to one particular mailbox.
Thanks for the help
The above steps look good to me, and I would do the same. Just provide the necessary Graph permissions when you grant permissions to access your/others' mailboxes, as described in the documentation/steps.
I want to use Microsoft Graph to send our company mobile app push notifications as discussed at Microsoft Build 2019.
I am following Integrate with Microsoft Graph notifications. It directs me to create a "Developer Account" to use the Partner Portal but my company already has an Enterprise Azure account with Microsoft and we leverage Azure AD.
I've tried the "Onboard" step but then I read "To get started, sign in to the Partner Center dashboard using your Windows developer account (you cannot use an Azure AD account)". I'm very confused.
Also, the Partner Portal shows no items under the menu no matter how I signed in. I tried using a personal account and my AAD account and I get the same result. No menu items at all.
I'm not sure where you're getting a "Developer Account" from but the first step is registering your application. This gives you an Application Id and Secret which is required to authenticate against Graph:
In order for your application service to integrate with Microsoft Graph notifications, you need to register your app with the Microsoft identity platform to support Microsoft accounts or work or school accounts, and declare the API permissions that are required.
With regards to the windows developer account, this is explained in the documentation:
If you don’t already have a Windows developer account, you’ll need to create one. For details, see Opening a developer account. You need to do this even if you don’t plan to build a Windows UWP application. If you’re building a school or work application as part of an enterprise, you can associate your developer account with the appropriate Azure AD account that is used for managing your enterprise submissions. For details, see Associate Azure Active Directory with your Partner Center account.
I used the Graph Explorer to test against my Office 365 profile. Everything works fine except the Microsoft Teams (beta) API. If I use GET https://graph.microsoft.com/beta/me/joinedTeams I get
Status Code 401 - Looks like you may not have the permissions for this
call. Please modify your permissions.
{
    "error": {
        "code": "",
        "message": "Authorization has been denied for this request.",
        "innerError": {
            "request-id": "a1733d8a-5adb-45ad-a0ad-463595d71a89",
            "date": "2017-06-09T14:33:11"
        }
    }
}
There seems to be no option to give permission for Microsoft Teams. Has anyone figured that out yet?
The documentation page for listing your joined teams is at https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/user_list_joinedteams. It looks like this call requires the User.Read.All or User.ReadWrite.All permissions. To change your permissions in the Graph Explorer, you can click Modify Permissions.
Then find and enable either permission.
However, these scopes require tenant administrators to let the Graph Explorer use admin-only scopes. You can either just log in as an administrator to test with that account, or you can let any user in your organization access admin scopes through the explorer by clicking the link that says grant access to your entire organization.
Also, I'm glad you found the Microsoft Teams samples. We just added these last week and it's great to see developers are trying them out! Thanks for your feedback on the permissions process for the Teams in explorer, I'll pass that along to all the engineers on the project.
I've created a command line tool that lets you bulk create new Microsoft Teams channels using the Graph APIs outlined above. It includes instructions on how to register your application for use with your Teams environment, and how to provide administrative consent so that non-admins can use it.
One of the API calls is to "joinedTeams", which lists the Teams you're currently a member of. Take a look at the "SelectJoinedTeam" function in the ChannelSurfCli/Utils/Channels.cs class.
https://github.com/tamhinsf/ChannelSurf