Closed jonbotbuilder closed 8 months ago
Hello @jonbotbuilder - Thanks for raising your query. We will look into it and let you know the updates.
Hello @jonbotbuilder - Looks like you are trying the Resource Specific Permission for TeamsAppInstallation.ReadWriteForUser.All, which is not documented or supported:
Please refer to this documentation: https://learn.microsoft.com/en-us/microsoftteams/platform/graph-api/rsc/resource-specific-consent
You can also refer to this sample: https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/graph-rsc/nodeJs
Hi @ChetanSharma-msft thank you for the timely response.
Just to clarify, it looks like TeamsAppInstallation.ReadWriteForUser.All is documented here
and is also referenced in your teams sample here https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/graph-proactive-installation/nodejs under step 10.
Are you suggesting it cannot be granted via oauth2 for a teams app and that is the difference between the sample above and what I am attempting to do?
If that is the case, can you point me in the direction of how to accomplish the following?
Thank you!
@ChetanSharma-msft Bumping this. Thanks in advance!
Hello @jonbotbuilder - You are calling application permissions (TeamsAppInstallation.ReadWriteForUser.All) in the scopes for a user authentication flow (OAuth flow). Users will receive only delegated permissions in access token after a successful authentication, but not the application permissions.
So, even if you add the scopes in your Azure bot with the AAD V2 connection, you will get the error below:

```json
{
  "error": {
    "code": "AuthenticationFailed",
    "error": "invalid_client",
    "errorDescription": "AADSTS650053: The application 'ProactiveInstall' asked for scope 'TeamsAppInstallation.ReadWriteForUser.All' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'."
  }
}
```
So, I believe you will need to make this API call under the context of the application, not the signed in user.
There is a brief description of the differences here - https://learn.microsoft.com/en-us/graph/auth/auth-concepts#microsoft-graph-permissions
In the sample below, we are generating the token based on the client id and secret, not based on the user login.

```javascript
// Body of the client_credentials token request used by the sample
{
  'grant_type': 'client_credentials',
  'client_id': process.env.MicrosoftAppId,
  'scope': 'https://graph.microsoft.com/.default',
  'client_secret': process.env.MicrosoftAppPassword
}
```
Sample code reference link: https://github.com/OfficeDev/Microsoft-Teams-Samples/blob/main/samples/graph-proactive-installation/nodejs/Models/ProactiveAppIntallationHelper.js#L6
You can get team members using the Graph API below: https://learn.microsoft.com/en-us/graph/api/team-list-members?view=graph-rest-1.0&tabs=http#example-1-get-list-of-members-in-team
Sharing the same sample link again :) https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/graph-proactive-installation/nodejs
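An added example (not the maintainer's or the sample's own code) that makes the delegated-vs-application distinction above concrete: it builds the same client_credentials request the sample sends, and inspects which claim a Graph token carries a permission in. Delegated permissions appear in the token's `scp` claim; application permissions such as TeamsAppInstallation.ReadWriteForUser.All appear in `roles`, which is why requesting that name as an OAuth scope fails. The tenant/client values and the two tokens are constructed placeholders.

```javascript
// Build the app-only token request (same body as the linked sample, with the
// tenant and credentials supplied by the caller; values here are placeholders).
function buildClientCredentialsRequest(tenantId, clientId, clientSecret) {
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    // App-only tokens always use the /.default scope, never a named app permission.
    scope: 'https://graph.microsoft.com/.default',
    client_secret: clientSecret,
  });
  return {
    url: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
    body: body.toString(),
  };
}

// Decode only the JWT payload. This is a debugging aid for reading claims;
// it does NOT validate the signature, so never use it to trust a token.
function decodePayload(jwt) {
  const payload = jwt.split('.')[1];
  return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
}

// Report whether the token carries `permission`, and through which claim.
// Delegated (user) flows populate "scp"; client_credentials populates "roles".
function permissionSource(jwt, permission) {
  const claims = decodePayload(jwt);
  const delegated = (claims.scp || '').split(' ').filter(Boolean);
  const appRoles = Array.isArray(claims.roles) ? claims.roles : [];
  if (appRoles.includes(permission)) return 'application (roles)';
  if (delegated.includes(permission)) return 'delegated (scp)';
  return 'absent';
}

// Constructed, unsigned sample tokens for illustration only (alg "none").
function sampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}
const userToken = sampleToken({
  aud: 'https://graph.microsoft.com',
  scp: 'User.Read.All Chat.ReadBasic',
});
const appToken = sampleToken({
  aud: 'https://graph.microsoft.com',
  roles: ['TeamsAppInstallation.ReadWriteForUser.All'],
});
```

Running `permissionSource(userToken, 'TeamsAppInstallation.ReadWriteForUser.All')` returns `'absent'` while the app-only token returns `'application (roles)'`, which is the check to run when an installation call returns 403.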
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 3 days. It will be closed if no further activity occurs within 3 days of this comment.
Hello, I'm trying to build an app that proactively installs a Teams app for all users within an organization upon someone using oauth2 to grant access to do so.
I have done my best to follow instructions from the teams samples provided in various places, including this one
https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/graph-proactive-installation/nodejs
But have yet to be able to get any TeamsAppInstallation permissions, like TeamsAppInstallation.ReadWriteForUser.All, to be able to be granted via oauth2.
So far I have created a bot through https://dev.botframework.com/bots, which also created the App Registration inside Azure. I then created an oauth2 flow using the App Registration from Azure and was successfully able to receive a token for a user with basic permissions. Unfortunately, whenever I request permissions related to TeamsAppInstallation, I get the following error:

Please see my bot app manifest here:
bot-manifest.json
And a screenshot of my permissions and settings for the App Registration:
See also in the screenshot that the following oauth2 URL works:
https://login.microsoftonline.com/fa0d43d8-7406-4708-91d1-3783a5f01e19/oauth2/v2.0/authorize?client_id=0ad11258-b407-477c-ac2e-a3d05795ab45&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fmsft_teams&response_mode=query&scope=offline_access+profile+openid+email+https%3A%2F%2Fgraph.microsoft.com%2FUser.Read.All+https%3A%2F%2Fgraph.microsoft.com%2FChat.ReadBasic+https%3A%2F%2Fgraph.microsoft.com%2FAgreementAcceptance.Read.All&state=12345
when using a new random permission like AgreementAcceptance.Read.All
But this one fails:
https://login.microsoftonline.com/fa0d43d8-7406-4708-91d1-3783a5f01e19/oauth2/v2.0/authorize?client_id=0ad11258-b407-477c-ac2e-a3d05795ab45&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fmsft_teams&response_mode=query&scope=offline_access+profile+openid+email+https%3A%2F%2Fgraph.microsoft.com%2FUser.Read.All+https%3A%2F%2Fgraph.microsoft.com%2FChat.ReadBasic+https%3A%2F%2Fgraph.microsoft.com%2FTeamsAppInstallation.ReadWriteForUser.All&state=12345
when using the TeamsAppInstallation.ReadWriteForUser.All permission
See failure url http://localhost:3000/msft_teams?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27WorkDNA%27+asked+for+scope+%27TeamsAppInstallation.ReadWriteForUser.All%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.+Trace+ID%3a+340f9e85-40aa-4eaf-a8d0-d2b08804a300+Correlation+ID%3a+3e39583f-2911-4484-810d-0d514cc2c79a+Timestamp%3a+2024-01-22+04%3a48%3a46Z&state=12345#
Any insight you can share as to why this is not working?
Thank you very much.