I want to start doing some development with the preview edition of the Microsoft Teams APIs.
I currently have a solution working using the Azure AD v2 Endpoint but I wanted to get a working solution using the v1 Endpoint.
I can't find any Microsoft Teams permissions available in the Azure AD portal and I didn't see anything specifically about this in the Known Issues the Teams API.
Can anyone comment on whether there are any options for a pure v1 Endpoint solution using application registration available right now? If not, is it planned?
The v1 Endpoint uses the same permissions as the v2 Endpoint. The primary difference between the two is that v2 scopes can by dynamically requested during authentication while v1 Endpoint requires permissions to be pre-defined within the registration.
When using the Azure Portal, all of the permissions for Teams show up under "Microsoft Graph". For the Teams you'll generally need User.Read and Group.ReadWrite.All. The Azure Portal lists permissions by description (although you can see the underlying scope name in the tooltip):
Sign in and read user profile (user.read)
Read and write all groups (Group.ReadWrite.All)
Note that Group.ReadWrite.All does require Admin Consent. Before you can authenticate normal user's, you will first need to have an Administrator go through the Admin Consent process.
I'm posting this as the answer, because I'm pretty certain this will trip up other developers out there. Up to this point, when getting an access token for AAD v1 apps that use Microsoft Graph, you use "https://graph.windows.net" as the Resource ID. The interwebs are replete with this example, and I have it in my own code that I use for OneNote and other services.
Now with the Graph endpoint for connecting to Teams (and probably other things), the Resource ID you need to use is "https://graph.microsoft.com". Just ran through a quick test using an AAD v1 app with the Microsoft Graph API and Read All Groups permission. I'm sure there's an explanation out there from some MSFT person that might make sense, but I have not found it after many hours of searching the web.
Hope this helps someone.
Related
I am new to bot development. I am working on creating a MS Teams bot using bot framework. The bot will be installed in ‘Personal’ scope in Teams, and it doesn’t have any tab / messaging extension etc. Once installed, I want to get the list of all the members/ channels/ Notification updates (i.e. members added/deleted etc.). As per the different documentation, I can get the list using Graph API.
List members of team - Microsoft Graph v1.0 | Microsoft Docs
List members of a channel - Microsoft Graph v1.0 | Microsoft Docs
To achieve this, I need the token that will be passed in API. I am not sure how to implement that. I have followed the instructions mentioned in Add authentication to a bot in Bot Framework SDK - Bot Service | Microsoft Docs. There was a step to add ‘Add OAuth Connection Settings’ and there were multiple options in ‘Service Provider’. I selected ‘Azure Active Directory v2’. After doing that, it works and I can get the token, but it only works if during login, I user my azure directory credentials. I have a Microsoft account linked with my MS Teams which id different than the Azure account. A user in team can have a Microsoft account / work / office account so this needs to work for everyone so what would be the correct ‘Service Provider’ option that will work for all accounts?
I was thinking that the flow should be like:
When clicks on ‘Add’ button to install the app in Teams
Once added, bot will prompt for Graph API permission using OAuth.
Once user gives the permission, I can use the token to call graph APIs.
I have also looked at the following tutorials:
How to use Bot Framework Composer to build low-code Microsoft Teams bots (Part 1)
Get user profile information in your Microsoft Teams bot with Microsoft Graph (Part 2) - YouTube
But after performing all the steps, when I try to login, it says – ‘This action can't be performed since the app does not exist or has been uninstalled.’.
I am not getting a clear approach on how to proceed with it.
As #Maxim has also suggested, if you want to have a bot that should run multitenant you need to put tenant Id as common in OAuth Setting in Azure bot. As the value suggest it isn't going to specific to single tenant and Redirect Uri should be set to https://token.botframework.com/.auth/web/redirect in app registration.
This is it, you don't need to add anything.
This is also mention in the doc --
We have some sample around it as well that shows how to use Graph API with the bot -
https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/24.bot-authentication-msgraph
You can setup this one and update the Graph calls to get member of team or channels.
Is there any example how I can achieve following requirement:
I need to read Planner Plans from Group in an Azure Function trough Graph Api.
Application permissions are not supported, only delegated.
I tried with ConfidentialClientApplicationBuilder with OnBehalfOfProvider, but no luck. I do not know how to set UserAssertion in this case.
Also, username and password flow is not an option, because end user can use MFA.
Unfortunately Microsoft Planner APIs on Microsoft Graph do not support Application permissions (App-only) . This is confirmed in the docs here https://learn.microsoft.com/en-us/graph/api/planner-post-plans?view=graph-rest-1.0&tabs=http#permissions
Please vote up the feature request for this https://microsoftgraph.uservoice.com/forums/920506-microsoft-graph-feature-requests/suggestions/5904632-application-permissions-to-task-api
I am developing an app in Microsoft Teams using the App Studio. Towards the end of the proccess, in the section Domains and Permissions, you are allowed to give resource-specific consent permissions such as File.Read.Group. I was wondering where I would use these permissions (Microsoft Graph, Azure AD Graph, ...) to programmatically access an API. As a side question, does anybody know which permission allows the app to manage group members?
Thank you!
Here is a good read on that permissions settings page, those consent permissions are not actually a part of azure ad app registrations as of this articles writing. so that means while they are sort of graph permissions, you would use them against the graph api. They are for specific teams based resource specific permissions.
https://blog.thoughtstuff.co.uk/2020/01/microsoft-teams-has-a-new-more-granular-and-resource-specific-permissions-model-for-apps-what-is-resource-specific-consent-rsc-and-how-do-i-use-it/
the official documentation on the matter: https://learn.microsoft.com/en-us/microsoftteams/platform/graph-api/rsc/resource-specific-consent
as per the microsoft link i don't see a resource specific permission to "edit" groups members.
I am having problem migrating to Microsoft graph V2 applications, from V1 Applications.
As part of the backward compatibility offered by the new V2 applications, I can see the applications form the original V1 applications portals (old and new), however I cannot modify the application due to unknown errors (see attached screen shots).
The reason I want to use the original portal is to add permissions to other applications (In the documentation of V2 its called 'static permissions') such as 'Office365 management activity API', I think it is possible using '/applications' resource but I didn't find in the documentation how to do it.
Does someone encountered such problem and know how to overcome it or used the Graph API to get permissions for other Microsoft REST APIs?
For v1 apps, you should use the "App Registrations" blade in the newer Azure Portal (portal.azure.com). This blade has a "Required Permissions" section where you can add different permissions for different APIs.
For v2 apps, you should use the Application Registration Portal (apps.dev.microsoft.com). This portal has a "Microsoft Graph Permissions" section where you can add different permissions for the Microsoft Graph.
At this time, v2 apps only support permissions to the Microsoft Graph, if you want to access other APIs (like the Office 365 Management Activity API) you'll need to use v1 apps.
You should not use the classic Azure portal (manage.windowsazure.com) for anything really at this point.
We are developing a web application using Microsoft Graph, where the signed in user can, Export all the calendar events to a third party calendar Application. After this initial export, we need to keep the exported data in sync with calendar changes via service app (a scheduled task running on server). This need to be a multi tenant application, as people from different organizations should be able to use this service.
Right now we did the authentication using OAuth 2.0 and OpenID Connect as described in this sample. Later we understood that the access token we get using this method cannot be used in the service app without user interaction. Considering our scenario what is the best way to achieve this?
I have read about App-only authorization method to do this. If we use this authentication method, the app need to be consented by a tenant administrator and the these applications are quite powerful in terms of what data they can access in the Office 365 organization. Considering we are developing a product used by different organizations, will it be feasible to use this method?
To use the client credentials OAuth2.0 flow (aka "App-only" or service account access depending on who's documentation you're reading) the admin for each tenancy will need to specify which scopes your daemon process can have for users in their tenancy. The end users can't give these scoping rights to your code themselves (as far as I know at least).
One thing to watch out for is that currently Graph API doesn't allow you to mess about with calendars that are attached to Office 365 Groups if you're using the client credentials flow. This is a pain for us, so we've raised it as an issue that needs fixing in the Office 365 feedback system. if that's an issue for you or anyone else, please throw a few votes at it so that it gets more attention at Microsoft. :-)