Authenticating with an access token Connect-MicrosoftTeams
- Oct 15, 2021
FYI - I raised a ticket, and it should be fixed by mid-November.
Issue description:
Cannot properly run Connect-MicrosoftTeams -AccessTokens
Resolution Steps:
Escalated case with our engineering Team
Issue is known bug and currently being fixed
Expecting a fix to go out by NOV mid
Answer to question 2: Azure Portal > Azure Active Directory > Roles and Administrators > Search for the Teams Administrator role and select it > Add assignments > Click on the "No member selected" link > Search for your teams management service principal previously set up > Click on its tile > Click Select > Click Next > Select Active > Check Permanently Assigned or set start and end dates as needed > Type in a justification > Click Assign. Azure global administrators will get an email in a minute or two from the Azure Privileged Identity Management service when it's set up. This makes Get-CsOnlineUser work with both token-based and certificate-based authentication as described in the above article. Adding the service principal to the Skype for Business Administrator role does not appear to be necessary, at least for present purposes.
Hi, assigning "Teams Administrator" to the service principal (appid) does work,
but this is not going to solve the user experience part.
Tenant A - creates the app and publishes it
Tenant B - grants admin consent on the app
Tenant A - tries to manage teams settings and gets unauthorized
Tenant A - cannot get into Tenant B and add the service principal to Tenant Administrators, Tenant B admin needs to do this
This should be done automatically when Tenant B admin grants admin consent, but there's no permission available that Tenant A could provide that would do this.
Getting better, but still this UX is not what we've been seeking for over a year.
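Added example (not part of any post in this thread): since each consumer tenant has to assign the role to the provider's service principal by hand, a tenant admin can review which service principals currently hold Teams Administrator and which of them belong to an app owned by another tenant. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the two read scopes shown.

```powershell
# Run in the tenant being reviewed (the "Tenant B" side of the thread).
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Application.Read.All'

$tenantId = (Get-MgContext).TenantId

# Resolve the built-in role by display name instead of hard-coding its ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Teams Administrator'"

# Active assignments only; PIM-eligible assignments are stored separately.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$($role.Id)'" -All

$report = foreach ($a in $assignments) {
    # The principal can be a user, group or service principal; skip the
    # first two by ignoring the lookup failure.
    $sp = Get-MgServicePrincipal -ServicePrincipalId $a.PrincipalId `
        -ErrorAction SilentlyContinue
    if (-not $sp) { continue }

    [pscustomobject]@{
        DisplayName    = $sp.DisplayName
        AppId          = $sp.AppId
        OwnerTenantId  = $sp.AppOwnerOrganizationId
        # True when the app registration lives in a different tenant,
        # i.e. a multi-tenant app that was consented to here.
        ExternalApp    = ($sp.AppOwnerOrganizationId -ne $tenantId)
        DirectoryScope = $a.DirectoryScopeId
    }
}

# External apps first, so third-party principals with tenant-wide Teams
# admin rights are the first thing the reviewer sees.
$report | Sort-Object ExternalApp -Descending | Format-Table -AutoSize
```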
- lazedo, Oct 14, 2022, Copper Contributor
If you have two tenants (one acting as provider of the app and another acting as consumer) you can try it and it works. Get consent admin from consumer for provider app, then add the AD Role to the principal created on consumer tenant. You can now manage both tenants (just change the -TenantId). What we're expecting is that the admin consent from the consumer will give the provider permissions to manage the teams settings without extra setup (asking the consumer to add the service principal to AD Role).
- pedrogcsb, Oct 13, 2022, Copper Contributor
It's working now, but I was expecting this to work with multi-tenants. I guess we will have to wait.
- lazedo, Oct 12, 2022, Copper Contributor
You may need to re-apply the admin consent and remove the extra permission. It works only for the tenant where you assigned the AD Role, which is pretty bad and does not address the initial issue reported more than a year ago. To manage other tenants you need to go into the other tenant and assign the AD Roles there too to the service principal.
- pedrogcsb, Oct 12, 2022, Copper Contributor
lazedo I removed the "Skype and Teams Tenant Admin API" from my app permissions and assigned the AD Role "Skype for Business administrator" to my app. Still the same error.
Does this work on multi-tenant cases? Or will this only work with the tenant that owns the app?
- lazedo, Oct 11, 2022, Copper Contributor
I had the same, remove the permission for "Skype and Teams Tenant Admin API" and use AD roles.
- pedrogcsb, Oct 04, 2022, Copper Contributor
*-Cs cmdlets are not working for me. I keep getting the same error: "Tenant Domain is empty".
I am trying to authenticate using tokens. Any idea what I am missing?
Thank you,
- Andres-Bohren, Sep 28, 2022, Iron Contributor
Hi All,
Here is my blog on how to do App Authentication with a Certificate in the Microsoft Teams PowerShell Module in Preview.
For now only a few cmdlets work.
All Non *-Cs cmdlets (for example, Get-Team), Get-CsTenant, Get-CsOnlineUser, Get-CsOnlineVoiceUser & *-CsOnlineSipDomain cmdlets are already supported. Other cmdlets will be gradually rolled out.
Regards
Andres