Forum Discussion
❓ Can't remove member from Microsoft Teams Group Chat using Graph API with Application Permission
Hi everyone,
I’m currently working on creating a Teams group chat using Microsoft Graph API with application permissions, and I’ve run into several issues that I hope someone here can help clarify.
Creating group chat with members and installed app (works)
I followed the documentation here:
“Create a one-on-one chat with installed apps”
➜ https://learn.microsoft.com/en-us/graph/api/chat-post?view=graph-rest-1.0&tabs=http#example-3-create-a-one-on-one-chat-with-installed-apps
Using application permissions, I successfully:
- Created a group chat
- Added multiple members
- Installed my Teams app into the chat automatically
My application has already been granted the following permissions:
ChatMember.ReadWrite.All
ChatMember.ReadWrite.WhereInstalled
The purpose is to allow the app to add or remove chat members without requiring a signed-in user, since I am using fully non-delegated application permissions.
However, when I try to remove a member from the group chat using Graph API with the application token, the request fails and returns an error.
Trying RSC-granted approach – app not installed
Next, I tried creating a group chat using the RSC-granted app approach:
https://learn.microsoft.com/en-us/graph/api/chat-post?view=graph-rest-1.0&tabs=http#example-4-create-a-one-on-one-chat-with-rsc-granted-apps
With the following permission:
- ChatMember.ReadWrite.All
And permission type: application
The group chat is created successfully, but the app is not installed inside the chat, which means I still can’t proceed with removing a member using the app context.
So this solution also stops midway.
Creating chat first, then installing the app (also fails)
Lastly, I attempted another method:
Create the group chat normally
After creation, install the app into it using this endpoint:
https://learn.microsoft.com/en-us/graph/api/chat-post-installedapps?view=graph-rest-1.0&tabs=http
I used an application access token again, but the request returns the same error as case #1 when attempting to remove a member.
2 Replies
- Nivedipa-MSFT
Microsoft
Hello Haekal_Arif_Rozikin,
The error in your screenshot—"403 Forbidden" with "InsufficientPrivileges" and "AclCheckFailed-The initiator 28:app ... is not a member of the roster in the generic thread"—means the app (28:app...) isn’t recognized as a chat member and lacks permission to remove members, even with ChatMember.ReadWrite.All application permissions.
Root cause:
The app isn’t listed as a participant in the chat roster, so it doesn’t have the necessary rights to manage members.
Why this happens:
- App installation is required:
  - For ChatMember.ReadWrite.WhereInstalled to work, the app must be added to the chat as a participant.
  - Application permissions alone aren’t enough; roster membership is also needed.
- Application permissions might be limited:
  - ChatMember.ReadWrite.All might not support removing members in every chat scenario.
  - The Graph API may require the app to be installed or restrict member removal actions without user context.
- RSC (Resource-Specific Consent) permissions:
  - RSC permissions only apply if the app is installed in the chat.
  - If the app isn’t in the roster, RSC permissions won’t grant access.
How to resolve:
- Install the app in the chat (recommended)
When creating a chat, add the app in the installedApps section so it becomes a roster member:
```http
POST https://graph.microsoft.com/v1.0/chats
Content-Type: application/json

{
  "chatType": "group",
  "members": [
    {
      "@odata.type": "#microsoft.graph.aadUserConversationMember",
      "roles": ["owner"],
      "user@odata.bind": "https://graph.microsoft.com/v1.0/users('user-id-1')"
    },
    {
      "@odata.type": "#microsoft.graph.aadUserConversationMember",
      "roles": ["owner"],
      "user@odata.bind": "https://graph.microsoft.com/v1.0/users('user-id-2')"
    }
  ],
  "installedApps": [
    {
      "teamsApp@odata.bind": "https://graph.microsoft.com/v1.0/appCatalogs/teamsApps/YOUR-APP-ID"
    }
  ]
}
```
- Try delegated permissions
- If application permissions don’t work, use delegated permissions with a service account that’s a chat member.
- Check app permissions in the manifest
Verify your Teams app manifest includes the necessary RSC permissions for chat member management:
```json
"authorization": {
  "permissions": {
    "resourceSpecific": [
      {
        "name": "ChatMember.ReadWrite.Chat",
        "type": "Application"
      }
    ]
  }
}
```
References:
Create chat - Microsoft Graph v1.0 | Microsoft Learn
Remove member from chat - Microsoft Graph v1.0 | Microsoft Learn
Resource-specific Consent for Apps - Teams | Microsoft Learn
Please let us know if you face any further issue here.
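A pre-flight diagnostic for the failure discussed in this thread, as an added example that is not part of either reply or of Microsoft's code: it checks a failed removal response, the app-only token's `roles` claim, and the manifest's RSC entry. The function names, the error-body shape and the sample inputs are constructed assumptions; the token payload is decoded without signature verification, for inspection only.

```python
import base64
import json

# RSC permission name and type taken from the manifest snippet in the reply above.
RSC_NAME, RSC_TYPE = "ChatMember.ReadWrite.Chat", "Application"
# Application permissions the original poster reports as granted.
APP_ROLES = {"ChatMember.ReadWrite.All", "ChatMember.ReadWrite.WhereInstalled"}

def token_roles(jwt):
    """Return the 'roles' claim of an app-only token (signature NOT verified)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def manifest_has_rsc(manifest):
    """True if the Teams app manifest declares the chat-member RSC permission."""
    perms = manifest.get("authorization", {}).get("permissions", {})
    return any(p.get("name") == RSC_NAME and p.get("type") == RSC_TYPE
               for p in perms.get("resourceSpecific", []))

def diagnose(status, error_body, jwt, manifest):
    """Map a failed member-removal response to the causes listed in the reply."""
    findings = []
    text = json.dumps(error_body)  # search the whole body; nesting is assumed
    if status == 403 and "AclCheckFailed" in text and "not a member of the roster" in text:
        findings.append("app is not in the chat roster: install it in the chat")
    if not token_roles(jwt) & APP_ROLES:
        findings.append("token carries no ChatMember.ReadWrite application role")
    if not manifest_has_rsc(manifest):
        findings.append("manifest lacks ChatMember.ReadWrite.Chat (Application)")
    return findings

def make_unsigned_jwt(claims):
    """Build a constructed, unsigned token for the offline demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed sample inputs (not captured from a real tenant).
SAMPLE_ERROR = {"error": {"code": "Forbidden", "message":
    "InsufficientPrivileges: AclCheckFailed-The initiator 28:app ... "
    "is not a member of the roster in the generic thread"}}
SAMPLE_JWT = make_unsigned_jwt({"roles": ["ChatMember.ReadWrite.All"]})
SAMPLE_MANIFEST = {"authorization": {"permissions": {"resourceSpecific": []}}}

if __name__ == "__main__":
    for finding in diagnose(403, SAMPLE_ERROR, SAMPLE_JWT, SAMPLE_MANIFEST):
        print("-", finding)
```

With these inputs the roster finding fires even though the token holds ChatMember.ReadWrite.All, which is the situation the original poster describes.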
- Sayali-MSFT
Microsoft
Hello Haekal_Arif_Rozikin,
Thank you for bringing this issue to our attention. We will look into it and get back to you shortly.