Forum Discussion
Authenticating with an access token Connect-MicrosoftTeams
- Oct 15, 2021
FYI - I raised a ticket, and it should be fixed by mid-November.
Issue description:
Cannot properly run Connect-MicrosoftTeams -AccessTokens
Resolution Steps:
Escalated case with our engineering Team
Issue is known bug and currently being fixed
Expecting a fix to go out by NOV mid
"Cmdlets Supported
All Non *-Cs cmdlets (for example, Get-Team), Get-CsTenant, Get-CsOnlineUser, Get-CsOnlineVoiceUser & *-CsOnlineSipDomain cmdlets are already supported. Other cmdlets will be gradually rolled out."
I was able to connect with CertificateThumbprint and run a Get-CsOnlineUser. However, I need several other -Cs cmdlets. I suppose I need some more patience!
i'm getting "access denied" for Get-CsOnlineUser, Get-Team works.
what permissions did you add to your app ?
i'm working with a developer account, do you know if that would be a constraint ?
thanks
- lazedo, Oct 14, 2022, Copper Contributor
if you have two tenants (one acting as provider of app and another acting as consumer) you can try it and it works. get admin consent from consumer for provider app, then add the AD Role to the principal created on consumer tenant. you can now manage both tenants (just change the -TenantId). what we're expecting is that the admin consent from the consumer will give the provider permissions to manage the teams settings without extra setup (asking the consumer to add the service principal to AD Role).
- pedrogcsb, Oct 13, 2022, Copper Contributor
It's working now, but I was expecting this to work with multi-tenants. I guess we will have to wait.
- lazedo, Oct 12, 2022, Copper Contributor
you may need to re-apply the admin consent and remove the extra permission. it works only for the tenant where you assigned the AD Role which is pretty bad and does not address the initial issue reported more than a year ago. to manage other tenants you need to go into the other tenant and assign the AD Roles there too to the service principal.
- pedrogcsb, Oct 12, 2022, Copper Contributor
lazedo I removed the "Skype and Teams Tenant Admin API" from my app permissions and assigned the AD Role "Skype for Business administrator" to my app. Still the same error.
Does this work on multi-tenant cases? Or this will only work with the tenant that owns the app?
- lazedo, Oct 11, 2022, Copper Contributor
i had the same, remove the permission for "Skype and Teams Tenant Admin API" and use ad roles
- pedrogcsb, Oct 04, 2022, Copper Contributor
*-Cs cmdlets are not working for me. I keep getting the same error: "Tenant Domain is empty".
I am trying to authenticate using tokens. Any idea what I am missing?
Thank you,
- Andres-Bohren, Sep 28, 2022, Iron Contributor
Hi All,
Here is my Blog how to do App Authentication with a Certificate in the Microsoft Teams PowerShell Module in Preview
For now only a few commandlets work.
All Non *-Cs cmdlets (for example, Get-Team), Get-CsTenant, Get-CsOnlineUser, Get-CsOnlineVoiceUser & *-CsOnlineSipDomain cmdlets are already supported. Other cmdlets will be gradually rolled out.
Regards
Andres
- lazedo, Sep 27, 2022, Copper Contributor
Hi, assigning "Teams Administrator" to service principal (appid) does work.
but this is not going to solve the user experience part.
Tenant A - creates the app and publishes it
Tenant B - grants admin consent on the app
Tenant A - tries to manage teams settings and gets unauthorized
Tenant A - cannot get into Tenant B and add the service principal to Tenant Administrators, Tenant B admin needs to do this
this should be done automatically when Tenant B admin grants admin consent but there's no permission available that Tenant A could provide that would do this.
getting better but still this ux is not what we're seeking for over a year.
- Dr. Jeffry A. Spain, Sep 26, 2022, Brass Contributor
Answer to question 2: Azure Portal > Azure Active Directory > Roles and Administrators > Search for the Teams Administrator role and select it > Add assignments > Click on the "No member selected" link > Search for your teams management service principal previously set up > Click on its tile > Click Select > Click Next > Select Active > Check Permanently Assigned or set start and end dates as needed > Type in a justification > Click Assign. Azure global administrators will get an email in a minute or two from the Azure Privileged Identity Management service when it's set up. This makes Get-CsOnlineUser work with both token-based and certificate-based authentication as described in the above article. Adding the service principal to the Skype for Business Administrator role does not appear to be necessary, at least for present purposes.
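A scripted equivalent of the portal steps above, as an added example that is not part of the thread or of Microsoft's article. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in admin may assign directory roles; the function name `Grant-TeamsAdminRoleToApp` and both GUIDs are hypothetical placeholders. As the replies above note, the assignment applies only to the tenant it is made in, so an admin of each managed tenant has to run it there.

```powershell
# Added example: assign the "Teams Administrator" directory role to an app's
# service principal in ONE tenant (requires the Microsoft Graph PowerShell SDK).

function Grant-TeamsAdminRoleToApp {                 # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $TenantId,   # tenant being managed
        [Parameter(Mandatory)] [string] $AppId,      # application (client) ID
        [string] $RoleName = 'Teams Administrator'
    )

    # Sign in as an admin of $TenantId who is allowed to assign directory roles.
    Connect-MgGraph -TenantId $TenantId `
        -Scopes 'RoleManagement.ReadWrite.Directory', 'Application.Read.All' | Out-Null

    # The service principal exists in a tenant only after admin consent there.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) {
        throw "No service principal for app $AppId in tenant $TenantId; grant admin consent first."
    }

    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
    if (-not $role) { throw "Directory role '$RoleName' not found." }

    # Idempotent: return the existing tenant-wide assignment instead of duplicating it.
    $existing = Get-MgRoleManagementDirectoryRoleAssignment -All `
            -Filter "principalId eq '$($sp.Id)'" |
        Where-Object { $_.RoleDefinitionId -eq $role.Id -and $_.DirectoryScopeId -eq '/' }
    if ($existing) { return $existing }

    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId '/'
}

# Placeholder IDs, not values from the thread.
$tenantId = '00000000-0000-0000-0000-000000000000'
$appId    = '11111111-1111-1111-1111-111111111111'
Grant-TeamsAdminRoleToApp -TenantId $tenantId -AppId $appId

# Audit: list every directory role this service principal holds in the tenant,
# so leftover assignments from troubleshooting can be removed.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
Get-MgRoleManagementDirectoryRoleAssignment -All -Filter "principalId eq '$($sp.Id)'" |
    ForEach-Object {
        Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
    } | Select-Object DisplayName, Id
```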
- Dr. Jeffry A. Spain, Sep 25, 2022, Brass Contributor
In the article "Application-based authentication in Teams PowerShell Module" (https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-application-authentication), in the "Setup Application-based authentication" section, can anyone clarify/elaborate:
1. "Assign API permissions to the application": Do the listed permissions need to be application permissions with subsequent admin consent granted or delegated permissions?
2. "Assign Azure AD roles to the application": How do you do this? Can anyone provide links to additional documentation?
Like lazedo, I get "access denied" with Get-CsOnlineUser, and suspect permissions and roles aren't set up properly. I'm using MicrosoftTeams v4.7.1 and authenticating via access tokens. Thanks.