microsoftgraph / microsoft-graph-comms-samples

Microsoft Graph Communications Samples
MIT License

New-CsOnlineApplicationInstance command is not supported as per Microsoft docs #669

Open VadymPavliuk opened 1 year ago

VadymPavliuk commented 1 year ago

Hi,

I'm trying to set up a Policy recording bot. I did deploy the cloud setup; now I'm trying to set up an app instance as per the instructions: [image]

I tried this command in a few different variations, with the same result each time: Access Denied: [image]

I did connect in a few of the suggested ways:
- Connect-MicrosoftTeams -CertificateThumbprint "XXXXXXXXXXXXXXXXXXXX" -ApplicationId "XXXXXXXXXXXXXXXXXXXXX" -TenantId "XXXXXXXXXXXXXXXXXXXXXX"
- Connect-MicrosoftTeams (to log in directly)
- Connect-MicrosoftTeams -AccessTokens @("$graphToken", "$teamsToken") (using an access token)

I was able to connect in all 3 ways. I did assign the necessary privileges to the app, and gave it the role of "Teams Administrator" and "Global Administrator" at some point. But I still got Access Denied on any of the operations: [Get|Set|New|Sync]-CsOnlineApplicationInstance

I found this article that suggests that this command is not supported: https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-application-authentication#cmdlets-supported

I did see on another issue that people were able to run this command. Am I missing something? Or were there changes related to this command? Do I have any alternatives?

Graph SDK (please complete the following information): 1.2.0.3742

InDieTasten commented 1 year ago

Using a tenant native user with global administrator permissions should work

GarmanK commented 3 months ago

@VadymPavliuk Did you find a workaround using app-based auth? I am running into the same issue.

InDieTasten commented 3 months ago

I think the best bet will be to drop attempting to do this with app-based login and instead use proper user login. Is there any reason this is not a viable option for you?
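As an added example of the user-login path suggested above (not code from this thread or from the samples repository): a PowerShell script that signs in interactively as a Teams Administrator, creates the recording bot's application instance only if it does not already exist, runs the sync, and reports the Access Denied symptom from the thread when it occurs. The app id, UPN and display name are placeholders; the MicrosoftTeams module is assumed to be installed.

```powershell
# Added example (not from this thread or the samples repo). Creates the
# policy-recording bot's application instance over a delegated (user) session,
# since the thread reports the *-CsOnlineApplicationInstance cmdlets return
# Access Denied under app-only auth (certificate or -AccessTokens sign-in).
# Requires the MicrosoftTeams module; the values below are placeholders.
$BotAppId    = '00000000-0000-0000-0000-000000000000'  # placeholder: bot app registration id
$InstanceUpn = 'recordingbot@contoso.example'          # placeholder: UPN for the resource account
$DisplayName = 'Policy Recording Bot'                  # placeholder

# Interactive sign-in as a user holding the Teams Administrator role.
# Deliberately no -CertificateThumbprint / -ApplicationId / -AccessTokens.
Connect-MicrosoftTeams | Out-Null

# Look up an existing instance so the script is safe to re-run.
function Get-ExistingInstance([string]$Upn) {
    try { Get-CsOnlineApplicationInstance -Identity $Upn -ErrorAction Stop }
    catch { $null }
}

try {
    $instance = Get-ExistingInstance -Upn $InstanceUpn
    if (-not $instance) {
        $instance = New-CsOnlineApplicationInstance -UserPrincipalName $InstanceUpn `
            -ApplicationId $BotAppId -DisplayName $DisplayName -ErrorAction Stop
        Write-Host "Created application instance $($instance.ObjectId)"
    } else {
        Write-Host "Reusing application instance $($instance.ObjectId)"
    }

    # Push the object to the backend directory the cmdlets rely on.
    Sync-CsOnlineApplicationInstance -ObjectId $instance.ObjectId `
        -ApplicationId $BotAppId -ErrorAction Stop
    Write-Host "Sync requested for $InstanceUpn"
}
catch {
    # The thread's symptom: an app-only session, or a user without the
    # Teams Administrator role, surfaces here as Access Denied.
    if ($_.Exception.Message -match 'Access Denied') {
        Write-Error ("Access Denied from the application-instance cmdlets. " +
            "Confirm the session was opened with a user sign-in (not app-only) " +
            "and that the user holds the Teams Administrator role.")
    } else {
        throw
    }
}
```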

GarmanK commented 3 months ago

Unfortunately, it's our only option from a security standpoint for this multi-tenant solution.

NicCarlos commented 1 week ago

I do not understand why this is still not possible. We try to automate things with IT stuff, and a simple task like creating a resource account needs a Teams admin to login and execute the command? That doesn't make sense to me.

InDieTasten commented 1 week ago

Four things:

> I do not understand why this is still not possible. We try to automate things with IT stuff, and a simple task like creating a resource account needs a Teams admin to login and execute the command? That doesn't make sense to me.

@NicCarlos Most of the commands work with app-based authentication and thus are able to function with application permissions. However, many Graph endpoints and other APIs provided by Microsoft have limitations for supporting delegated/user permissions only. This is going to be the reason for the listed commands to not work with application-based authentication. Some underlying process requires the details of a delegated user that an application credential simply cannot satisfy. Please keep in mind that there are still portions of Skype for Business/Lync at play. OnlineApplicationInstances especially are a mess in the background, but things are slowly improving.

@NicCarlos @GarmanK @VadymPavliuk I know of a way to allow an existing Teams Administrator user to delegate his permission to an application entirely in the browser. It's a simple OAuth2 flow and knowing the correct scopes to request that will allow an administrator to grant an application to perform configuration changes on his behalf for an extended period of time (I believe at least a year). I know this is not 100% what you want, but I'm trying to offer a way that reduces the friction. If you want to know more about it, please contact me privately. Since I spent company time on this research, I won't be able to give this away for free on here.

> Unfortunately, it's our only option from a security standpoint for this multi-tenant solution.

@GarmanK It is not clear to me how a user having to sign in to perform a configuration change reduces the security. I would agree if you said that it makes things more complicated than they need to be. Complexity can be a catalyst for bad security practices, but that's up to you. It is perfectly possible to build a secure way to automate configuration changes with delegated user permissions.

@GarmanK Lastly, I'm not affiliated with Microsoft. The details I provide are from working with Teams bots extensively over the past 4+ years. I'm just trying to help here. It would be nice to not get downvotes for my effort. If this negativity comes only from frustration on the state of the Teams platform, then state that. A generic down vote is not a clear way to communicate that. Thank you.