OfficeDev / Microsoft-Teams-Samples

Welcome to the Microsoft Teams samples repository. Here you will find task-focused samples in C#, JavaScript and TypeScript to help you get started with the Microsoft Teams App!
MIT License

Proactive Install Teams App Using Token From OAuth2 And GraphApi #1118

Closed jonbotbuilder closed 8 months ago

jonbotbuilder commented 9 months ago

Hello, I'm trying to build an app that proactively installs a Teams app for all users within an organization upon someone using oauth2 to grant access to do so.

I have done my best to follow instructions from the teams samples provided in various places, including this one

https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/graph-proactive-installation/nodejs

But I have yet to be able to get any TeamsAppInstallation permissions, like TeamsAppInstallation.ReadWriteForUser.All, granted via oauth2.

So far I have created a bot through https://dev.botframework.com/bots, which also created the App Registration inside Azure. I then created an oauth2 flow using the App Registration from Azure and was successfully able to receive a token for a user with basic permissions. Unfortunately, whenever I request permissions related to TeamsAppInstallation, I get the following error:

{"error":"access token not received, please accept all permissions and retry or contact support"}

Please see my bot app manifest here:

bot-manifest.json

And a screenshot of my permissions and settings for the App Registration:

[Screenshots of the App Registration permissions and settings, taken 2024-01-21 at 10:37 PM and 10:42 PM]

See also, via the screenshot, how the following oauth2 url works:

https://login.microsoftonline.com/fa0d43d8-7406-4708-91d1-3783a5f01e19/oauth2/v2.0/authorize?client_id=0ad11258-b407-477c-ac2e-a3d05795ab45&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fmsft_teams&response_mode=query&scope=offline_access+profile+openid+email+https%3A%2F%2Fgraph.microsoft.com%2FUser.Read.All+https%3A%2F%2Fgraph.microsoft.com%2FChat.ReadBasic+https%3A%2F%2Fgraph.microsoft.com%2FAgreementAcceptance.Read.All&state=12345

when using a new random permission like AgreementAcceptance.Read.All

[Screenshot of the successful consent prompt, taken 2024-01-21 at 10:46 PM]

But this one fails:

https://login.microsoftonline.com/fa0d43d8-7406-4708-91d1-3783a5f01e19/oauth2/v2.0/authorize?client_id=0ad11258-b407-477c-ac2e-a3d05795ab45&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fmsft_teams&response_mode=query&scope=offline_access+profile+openid+email+https%3A%2F%2Fgraph.microsoft.com%2FUser.Read.All+https%3A%2F%2Fgraph.microsoft.com%2FChat.ReadBasic+https%3A%2F%2Fgraph.microsoft.com%2FTeamsAppInstallation.ReadWriteForUser.All&state=12345

when using the TeamsAppInstallation.ReadWriteForUser.All permission

[Screenshot of the failing request, taken 2024-01-21 at 10:48 PM]

See the failure url: http://localhost:3000/msft_teams?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27WorkDNA%27+asked+for+scope+%27TeamsAppInstallation.ReadWriteForUser.All%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.+Trace+ID%3a+340f9e85-40aa-4eaf-a8d0-d2b08804a300+Correlation+ID%3a+3e39583f-2911-4484-810d-0d514cc2c79a+Timestamp%3a+2024-01-22+04%3a48%3a46Z&state=12345#

Any insight you can share as to why this is not working?

Thank you very much.

ChetanSharma-msft commented 9 months ago

Hello @jonbotbuilder - Thanks for raising your query. We will look into it and let you know the updates.

ChetanSharma-msft commented 9 months ago

Hello @jonbotbuilder - Looks like you are trying the Resource Specific Permission for TeamsAppInstallation.ReadWriteForUser.All, which is not documented or supported.

Please refer to this documentation: https://learn.microsoft.com/en-us/microsoftteams/platform/graph-api/rsc/resource-specific-consent

You can also refer to this sample: https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/graph-rsc/nodeJs

jonbotbuilder commented 9 months ago

Hi @ChetanSharma-msft, thank you for the timely response.

Just to clarify, it looks like TeamsAppInstallation.ReadWriteForUser.All is documented here:

https://learn.microsoft.com/en-us/graph/permissions-reference#teamsappinstallationreadwriteforuserall

and is also referenced in your Teams sample here, https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/graph-proactive-installation/nodejs, under step 10.

Are you suggesting it cannot be granted via oauth2 for a Teams app, and that this is the difference between the sample above and what I am attempting to do?

If that is the case, can you point me in the direction of how to accomplish the following?

Thank you!

jonbotbuilder commented 8 months ago

@ChetanSharma-msft Bumping this. Thanks in advance!

ChetanSharma-msft commented 8 months ago

Hello @jonbotbuilder - You are calling application permissions (TeamsAppInstallation.ReadWriteForUser.All) in the scopes for a user authentication flow (OAuth flow). Users will receive only delegated permissions in the access token after a successful authentication, not the application permissions.

So, even if you add the scopes in your Azure bot with the AAD V2 connection, you will get the below error:

{ "error": { "code": "AuthenticationFailed", "error": "invalid_client", "errorDescription": "AADSTS650053: The application 'ProactiveInstall' asked for scope 'TeamsAppInstallation.ReadWriteForUser.All' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'." } }

So, I believe you will need to make this API call under the context of the application, not the signed-in user.

There is a brief description of the differences here: https://learn.microsoft.com/en-us/graph/auth/auth-concepts#microsoft-graph-permissions

In the below sample, we are generating the token based on the client id and secret, not based on the user login:

'grant_type': 'client_credentials', 'client_id': process.env.MicrosoftAppId, 'scope': 'https://graph.microsoft.com/.default', 'client_secret': process.env.MicrosoftAppPassword

Sample code reference link: https://github.com/OfficeDev/Microsoft-Teams-Samples/blob/main/samples/graph-proactive-installation/nodejs/Models/ProactiveAppIntallationHelper.js#L6

You can get team members using the below Graph API: https://learn.microsoft.com/en-us/graph/api/team-list-members?view=graph-rest-1.0&tabs=http#example-1-get-list-of-members-in-team

Sharing the same sample link again :) https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/graph-proactive-installation/nodejs
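An added example (not code from the sample or from either commenter) of what the maintainer describes: requesting an app-only Graph token with the client_credentials grant, then checking which permission claims the returned token actually carries, since application permissions such as TeamsAppInstallation.ReadWriteForUser.All appear in the `roles` claim of an app-only token while a user token only carries `scp`. The function names and the tenant/client placeholders are assumptions; getAppOnlyToken needs network access, the other functions run offline.

```javascript
// Added example, not part of the proactive-installation sample. Application
// permissions live in the `roles` claim of an app-only token; a delegated
// (user) token carries `scp` instead, which is why asking for an application
// permission as an OAuth authorize scope fails with AADSTS650053.

const TOKEN_ENDPOINT = (tenantId) =>
  `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;

// Form body for the client_credentials grant. `.default` requests every
// application permission already admin-consented on the app registration.
function buildClientCredentialsBody(clientId, clientSecret) {
  return new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
    scope: 'https://graph.microsoft.com/.default',
  });
}

// Decode a JWT payload for inspection only (no signature check; Graph verifies).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Report whether a Graph token is app-only or delegated, and whether it holds
// the application permission that proactive installation for users requires.
function inspectGraphToken(token) {
  const p = decodeJwtPayload(token);
  const appRoles = p.roles || [];
  const delegated = p.scp ? p.scp.split(' ') : [];
  return {
    kind: appRoles.length ? 'application' : 'delegated',
    canInstallForUsers: appRoles.includes('TeamsAppInstallation.ReadWriteForUser.All'),
    appRoles, delegated,
  };
}

// Request the token (network call; hypothetical helper name).
async function getAppOnlyToken(tenantId, clientId, clientSecret) {
  const res = await fetch(TOKEN_ENDPOINT(tenantId), {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildClientCredentialsBody(clientId, clientSecret).toString(),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return (await res.json()).access_token;
}
```

Running inspectGraphToken on the token returned by the user (authorization code) flow shows only `scp` entries, which is the quickest way to confirm why the Graph installation call would be refused under that token.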

microsoft-github-policy-service[bot] commented 8 months ago

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 3 days. It will be closed if no further activity occurs within 3 days of this comment.