jrennefeld
Copper Contributor
Nov 04, 2025

Issue with Teams RSC Permission TeamMember.Read.Group

I want to use Teams RSC to allow a bot to add and remove members of (private) Teams channels. According to https://learn.microsoft.com/en-us/microsoftteams/platform/graph-api/rsc/resource-specific-consent#supported-rsc-permissions, the API scope ChannelMember.ReadWrite.Group is appropriate for that.
-> "Read and write the members of this team's channels."

I have created a Teams app and added the RSC API application scope (ChannelMember.ReadWrite.Group) to the app manifest and published the app to my org.
The app has the "team" scope. Then I installed the app in a team and tested the API access.
I sign in with the application SP using app-only auth.
What is working:
I can read the members of a public channel in the team using:

Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/teams/[team id]/channels/[channel id]/members" -Method Get


I can also read the members of a shared channel in the team using the same request.
What is not working:
I cannot access a private channel in the team: The above request yields the response:

"code":"Forbidden","message":"Caller does not have the required roles for accessing 'Private' channel data. To access 'Private' data, API requires one of 'ChannelMember.Read.All, ChannelMember.ReadWrite.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All'. Roles on the request 'Group.Selected'."

I cannot remove a member from a shared channel.
The request:

Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/teams/[team id]/channels/[channel id]/members/[member id]" -Method Delete

yields the error:

 "code":"Forbidden","message":"Caller app is not enabled for requesting the channel of 'Shared' channel type. To access channel data app has to be enabled in the requesting channel."


Has someone successfully used the RSC TeamMember.Read.Group in a shared or private channel?

Why does the API not work in private channels and only for read in shared channel?

The documentation says "of this team's channels", it does not mention any restriction to public channels.

Also, a write scope only to public channels does not make sense, as members of a public channel are inherited from the team and cannot be managed separately. What do I need to do differently to be able to read and modify members of private and shared channels in a team using RSC permissions?
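For triaging the two 403 responses quoted in the post above, the following is an added example and not code from the thread: it parses the Graph error text to show which roles the token carried, whether the refusal is a missing-role problem at all, and the narrowest listed role that would cover the call. The function name, the -NeedWrite switch and the narrowest-first ordering are assumptions made for illustration.

```powershell
# Added example, not code from the thread. Both strings are the error texts quoted in the post.
$privateErr = "Caller does not have the required roles for accessing 'Private' channel data. To access 'Private' data, API requires one of 'ChannelMember.Read.All, ChannelMember.ReadWrite.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All'. Roles on the request 'Group.Selected'."
$sharedErr  = "Caller app is not enabled for requesting the channel of 'Shared' channel type. To access channel data app has to be enabled in the requesting channel."

function Get-GraphRoleGap {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Message,
        [switch]$NeedWrite    # assumption: a write call needs a *.ReadWrite.* role
    )
    # Assumption (not from the page): rough ordering, narrowest scope first.
    $breadth = 'ChannelMember.Read.All', 'ChannelMember.ReadWrite.All', 'Group.Read.All',
               'Group.ReadWrite.All', 'Directory.Read.All', 'Directory.ReadWrite.All'

    # Channel type named in the error, if any.
    $channelType = if ($Message -match "'(Private|Shared)'") { $Matches[1] } else { $null }

    # Roles the API says would be accepted (empty when the error lists none).
    $required = @(if ($Message -match "requires one of '([^']+)'") {
        $Matches[1] -split ',' | ForEach-Object { $_.Trim() }
    })
    # Roles that were actually present on the request.
    $present = @(if ($Message -match "Roles on the request '([^']+)'") {
        $Matches[1] -split ',' | ForEach-Object { $_.Trim() }
    })

    # Keep only write-capable roles when the caller intends to modify membership.
    $candidates = @($required | Where-Object { -not $NeedWrite -or $_ -like '*.ReadWrite.*' })
    $narrowest  = $breadth | Where-Object { $candidates -contains $_ } | Select-Object -First 1
    $satisfied  = @($present | Where-Object { $required -contains $_ }).Count -gt 0

    [pscustomobject]@{
        ChannelType        = $channelType
        PresentRoles       = $present -join ', '
        IsRoleGap          = ($required.Count -gt 0) -and -not $satisfied
        NarrowestCandidate = $narrowest
    }
}

# Read of a private channel, write to a private channel, and the shared-channel refusal.
Get-GraphRoleGap -Message $privateErr
Get-GraphRoleGap -Message $privateErr -NeedWrite
Get-GraphRoleGap -Message $sharedErr
```

The 'Shared' error names no role list, so IsRoleGap is false for it and no candidate role is suggested.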

6 Replies

  • Thanks for raising your issue. We will check this at our end and will update you accordingly.

    • Prasad_Das-MSFT
      Microsoft

      RSC permissions only work for standard channels. To manage private/shared channel members, you must use broader Graph permissions with admin consent. This is a platform limitation, not a configuration issue. 

      Why doesn’t ChannelMember.ReadWrite.Group work for private/shared channels?

      • RSC permissions (like ChannelMember.ReadWrite.Group) are designed for standard (public) channels only.
      • Private channels and shared channels have separate membership and stricter security boundaries. The RSC model does not grant bots/applications access to manage or read members of private/shared channels, even if the app is installed at the team level.


      The error messages you see are expected:

      • For private channels, you need Directory-wide or Group-wide permissions (e.g., ChannelMember.ReadWrite.All, Group.ReadWrite.All), which are not RSC and require admin consent.
      • For shared channels, the app must be installed in the specific channel, and even then, management is limited.
      • jrennefeld
        Copper Contributor

        Thanks for the explanation.
        So the RSC permissions are only for standard channels.
        Then I can see a use case for ChannelMember.Read.Group.
        But ChannelMember.ReadWrite.Group makes no sense in that context.
        Members of standard channels cannot be written. All team members are automatically members of all standard channels. The "write" scope makes no sense.
        Can you give one example of what I could do with this API? I guess I can do the same thing as with only the read scope. I can read the channel members, but what can I write with this API?

  • DavidJacob
    Brass Contributor

    That’s by design. RSC permissions like ChannelMember.ReadWrite.Group only work for standard (public) channels.
    Private and shared channels require application-level Graph permissions (ChannelMember.ReadWrite.All or Group.ReadWrite.All).
    RSC doesn’t cover those scopes yet.

    • jrennefeld
      Copper Contributor

      The RSC Permission ChannelMember.ReadWrite.Group is also an application permission.
      As I mentioned, the write scope only to standard (public) channels makes no sense, because there is nothing to write. All members of a team are automatically members of all public channels in a team.
      Can you give me an example what the API is supposed to be used for?

       
