OfficeDev / microsoft-teams-library-js

JavaScript library for use by Microsoft Teams apps
https://docs.microsoft.com/microsoftteams/platform/

RSC Teams app starts to throw error for Graph calls #2341

Closed tobiasviehweger closed 4 months ago

tobiasviehweger commented 5 months ago

While not directly related to the JavaScript SDK, we are using RSC permissions in our Teams app and started to have issues with it in the last few weeks. For no reason we can see, Graph started throwing the following:

Missing role permissions on the request. API requires one of 'TeamMember.Read.All, TeamMember.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, TeamMember.Read.Group, Member.Read.Group'. Roles on the request 'Group.Selected'

This was fixed for one of our customers by just re-installing the Teams app, but it's not clear why this suddenly starts to fail - might this be related to the migration from group owner consent to team owner consent on MS side?

Example request ids:

2024-05-27T13:57:34 request-id: 05b95254-9e7c-46d3-a7a1-a0c05108e714
2024-05-27T08:59:50 request-id: d315b5a6-60e8-45a3-8753-53e6c9d8e0fe
2024-05-27T10:54:36 request-id: 70dff19c-02fa-4680-9243-0bb69dc3b906

(we have a lot more in case this is required)

Any idea why this might start happening?

Meghana-MSFT commented 5 months ago

Thank you for reporting this, we will check this and get back to you.

Could you please confirm if all the failures are within the same tenant? It could have been that the tenant admin accidentally deleted the service principal of the app which in turn would have deleted any RSC permissions granted against the AzureAD app id.

tobiasviehweger commented 5 months ago

Hi @Meghana-MSFT, no, unfortunately we have observed this in different tenants. By service principal you are referring to the Enterprise application located in the webApplication part of the manifest, correct? We are using the same enterprise application also for delegated authorization and these seem to be still working, so my understanding would be that the service principal has not been deleted...

Meghana-MSFT commented 5 months ago

@tobiasviehweger - The engineering team has looked into the logs and said that a user with object ID 3c8ef21a-XXXX-XXXX-XXXX-XXXXXXXXXXXX revoked resource-specific consents at 2:35 PM UTC on May 28. A different user granted RSC permissions a few minutes later.

tobiasviehweger commented 5 months ago

Hi @Meghana-MSFT, thanks for checking, though that sounds like when the customer tried uninstalling/re-installing to fix the issue. Let me cross-check our logs; I'll get back soon.

LeonYasoon commented 4 months ago

Hi @Meghana-MSFT, what the engineering team is referring to is that our customer reinstalled our app into the team as an attempt to resolve the missing permission grants error.

We looked into our logs again to verify the observed behaviour and the team for which we still experience the reported Graph error is 86cfc43b-f710-40aa-89e7-XXXXXXXXXXXX.

This is the request which is failing:

https://graph.microsoft.com/v1.0/teams/86cfc43b-f710-40aa-89e7-XXXXXXXXXXXX/members?$filter=(microsoft.graph.aadUserConversationMember/userId eq 'a38156de-210a-4cef-a66d-XXXXXXXXXXXX')

with request-id d5aeebf9-48fd-4803-bef5-bd056e2796b3 (date: 2024-06-11T04:11:06)

According to the Graph team permission grants call https://graph.microsoft.com/v1.0/teams/86cfc43b-f710-40aa-89e7-XXXXXXXXXXXX/permissionGrants, for our app with Azure client id 89d5ca9f-d63b-4885-bd30-XXXXXXXXXXXX we have the following permissions:

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#permissionGrants",
  "value": [
    {
      "id": "Q2mHJxgNJj9PdM2ZNGT1bfavz2Nks3x1PXvAMTt7Xlc",
      "clientAppId": "89d5ca9f-d63b-4885-bd30-XXXXXXXXXXXX",
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "clientId": "f4ffeed7-713b-4478-8e64-XXXXXXXXXXXX",
      "permissionType": "Application",
      "permission": "ChannelMessage.Read.Group"
    },
    {
      "id": "PO_OK99GuKP9_LqIxDVvRbQe1OmotgfydJbAmXdNV8s",
      "clientAppId": "89d5ca9f-d63b-4885-bd30-XXXXXXXXXXXX",
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "clientId": "f4ffeed7-713b-4478-8e64-XXXXXXXXXXXX",
      "permissionType": "Application",
      "permission": "ChannelSettings.Read.Group"
    },
    {
      "id": "1Hhz4zUlvf1xUTda5fmETkLbFm4k87AqMk8QRwhxiOk",
      "clientAppId": "89d5ca9f-d63b-4885-bd30-XXXXXXXXXXXX",
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "clientId": "f4ffeed7-713b-4478-8e64-XXXXXXXXXXXX",
      "permissionType": "Application",
      "permission": "TeamMember.Read.Group"
    },
    {
      "id": "-dDj_Ttst5Muhw_Xf8Sdh7zlF4X_ragljctHoA9a_wk",
      "clientAppId": "89d5ca9f-d63b-4885-bd30-XXXXXXXXXXXX",
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "clientId": "f4ffeed7-713b-4478-8e64-XXXXXXXXXXXX",
      "permissionType": "Application",
      "permission": "TeamsAppInstallation.Read.Group"
    },
    {
      "id": "gBEX3F32fLGKUn20Mu-TlfqRcNLMXM-pSAHCPgWeGFE",
      "clientAppId": "89d5ca9f-d63b-4885-bd30-XXXXXXXXXXXX",
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "clientId": "f4ffeed7-713b-4478-8e64-XXXXXXXXXXXX",
      "permissionType": "Application",
      "permission": "TeamSettings.Read.Group"
    },
    {
      "id": "NiaoOiS83KKgKtm2nXZi_fuxUwuGm_BgUIybCUXzxdU",
      "clientAppId": "89d5ca9f-d63b-4885-bd30-XXXXXXXXXXXX",
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "clientId": "f4ffeed7-713b-4478-8e64-XXXXXXXXXXXX",
      "permissionType": "Application",
      "permission": "TeamsTab.Create.Group"
    }
  ]
}

which leads us to the conclusion that this is in fact an error with the Graph API.
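A small diagnostic for the comparison made in this comment, added here as an example and not part of the thread or of microsoft-teams-library-js: it parses Graph's "Missing role permissions" message, reads the app's grants out of a teams/{id}/permissionGrants body of the shape quoted above, and reports whether any granted RSC permission satisfies the error's "one of" list. The ids in the sample input are constructed placeholders.

```javascript
// Added example (not from the thread or from microsoft-teams-library-js):
// check whether an app's RSC grants on a team cover what a failed Graph call
// said it required. Ids below are constructed placeholders.
const GRAPH_RESOURCE_APP_ID = '00000003-0000-0000-c000-000000000000'; // Microsoft Graph

// Parses the "Missing role permissions" message quoted in the thread into the
// permissions Graph would accept and the roles the request actually carried.
function parseMissingRoleError(message) {
  const required = /API requires one of '([^']*)'/.exec(message);
  if (!required) return null;
  const roles = /Roles on the request '([^']*)'/.exec(message);
  const split = (s) => s.split(',').map((p) => p.trim()).filter(Boolean);
  return { requiredAnyOf: split(required[1]), rolesOnRequest: roles ? split(roles[1]) : [] };
}

// Extracts the permissions granted to clientAppId from a
// GET /teams/{id}/permissionGrants response body (the shape quoted above).
function grantedPermissions(grantsResponse, clientAppId) {
  return (grantsResponse.value || [])
    .filter((g) => g.clientAppId === clientAppId && g.resourceAppId === GRAPH_RESOURCE_APP_ID)
    .map((g) => g.permission);
}

// Does any granted RSC permission satisfy the error's "one of" list? If this
// reports covered === true and the call still fails, verify both responses came
// from the same tenant before blaming Graph (the mix-up found in this thread).
function diagnoseRscError(message, grantsResponse, clientAppId) {
  const parsed = parseMissingRoleError(message);
  if (!parsed) return { recognised: false };
  const granted = grantedPermissions(grantsResponse, clientAppId);
  const matching = parsed.requiredAnyOf.filter((p) => granted.includes(p));
  return { recognised: true, ...parsed, granted, matching, covered: matching.length > 0 };
}

// Constructed sample input: the error text from the thread and a grants body
// with placeholder ids, one grant per permission the app holds on the team.
const SAMPLE_CLIENT_APP_ID = '00000000-0000-0000-0000-00000000aaaa';
const SAMPLE_ERROR =
  "Missing role permissions on the request. API requires one of 'TeamMember.Read.All, " +
  "TeamMember.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, TeamMember.Read.Group, " +
  "Member.Read.Group'. Roles on the request 'Group.Selected'";
const SAMPLE_GRANTS = {
  value: ['ChannelMessage.Read.Group', 'TeamMember.Read.Group', 'TeamsTab.Create.Group'].map(
    (permission, i) => ({
      id: `grant-${i}`, clientAppId: SAMPLE_CLIENT_APP_ID, resourceAppId: GRAPH_RESOURCE_APP_ID,
      clientId: '00000000-0000-0000-0000-00000000bbbb', permissionType: 'Application', permission,
    })),
};
console.log(JSON.stringify(diagnoseRscError(SAMPLE_ERROR, SAMPLE_GRANTS, SAMPLE_CLIENT_APP_ID), null, 2));
```

Run the same check against the grants body of the team whose call failed; a result of covered === false points at a revoked or missing grant, while covered === true means the failing request and the grants lookup need to be compared on tenant first.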

Meghana-MSFT commented 4 months ago

@LeonYasoon - The engineering team has looked into the logs and said that the two traces provided above are in different tenants: GET teams/id/members was invoked for tenant 7eb71b7c-ca4b-470d-XXXX-XXXXXXXXXXXX

while GET permissions grants was invoked for tenant c1a5a59d-592c-49a2-XXXX-XXXXXXXXXXXX.

LeonYasoon commented 4 months ago

@Meghana-MSFT Thanks for the investigation. We were able to find out that the affected customer had done a tenant migration, leaving behind ambiguous traces in our systems. Feel free to close this issue.

Meghana-MSFT commented 4 months ago

Thank you for confirming. We are closing this issue; please feel free to reach out to us if you have further queries. Kindly share your valuable feedback on your experience with our support team and Platform.

microsoft-github-policy-service[bot] commented 4 months ago

Tell us about your experience!

Hi tobiasviehweger! We have closed this issue in our system, but we would love to hear your feedback. To let us know how we did, simply use one of the following emoji icons: :thumbsup: for resolved, :thumbsdown: for unresolved, or :heart: for a great experience on this message. Please use the link for more detailed feedback.

Best regards, Teams Platform

LeonYasoon commented 4 months ago

Hi @Meghana-MSFT sorry for reopening this issue, but we have found another case that results in the same symptoms as before.

In tenant with id 19963573-6f6f-4cd6-9837-XXXXXXXXXXXX the app 89d5ca9f-d63b-4885-bd30-XXXXXXXXXXXX in team 543c85fe-3889-44af-94a9-XXXXXXXXXXXX was revoked RSC permissions on 6/11/2024, 4:51:40 PM.

The correlation id for this revoke transaction is cd0fda2d-1ff0-402c-9462-a87186a533b4 and from the azure portal audit log it looks like this:

[Screenshot: Azure portal audit log entry for the revoke transaction, taken 2024-06-26 15:53:25]

There is another transaction with the exact same timestamp which was "Update group" for that same team with the same correlation id which changed the group type to "Unified".

The "Display Name" of the actor is "Microsoft Teams Graph Service". Could it be possible that this was some kind of migration which didn't complete successfully, leaving the app without RSC permissions?

Meghana-MSFT commented 4 months ago

Hi @LeonYasoon - We will check this internally and get back to you.