Forum Discussion

jrennefeld's avatar
jrennefeld
Copper Contributor
Nov 04, 2025

Issue with Teams RSC Permission TeamMember.Read.Group

I want to use Teams RSC to allow a bot to add and remove members of (private) teams channels. https://learn.microsoft.com/en-us/microsoftteams/platform/graph-api/rsc/resource-specific-consent#supported-rsc-permissions the API scope ChannelMember.ReadWrite.Group is appropriate for that.
-> "Read and write the members of this team's channels."

I have created a teams app and added the RSC API application scope (ChannelMember.ReadWrite.Group) to the App manifest and published the app to my org. 
The app has the "team" scope. Then I installed the app in a team and tested the API access. 
I sign-in with the Application SP using app-only auth.
What is working:
I can read the members of a public channel in the team using:

invoke-mggraphRequest -Uri https://graph.microsoft.com/v1.0/teams/[team id]/channels/[channel id]/members -Method Get


I can also read the members of a shared channel in the team using the same request.
What is not working:
I cannot access a private channel in the team: The above request yields the response:

"code":"Forbidden","message":"Caller does not have the required roles for accessing 'Private' channel data. To access 'Private' data, API requires one of 'ChannelMember.Read.All, ChannelMember.ReadWrite.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All'. Roles on the request 'Group.Selected'."

I cannot remove a member from a shared channel.
The request:

 invoke-mggraphRequest -Uri https://graph.microsoft.com/v1.0/teams/[team id]/channels/[channel id]/members/[member id] -Method Delete

 yields the error:

 "code":"Forbidden","message":"Caller app is not enabled for requesting the channel of 'Shared' channel type. To access channel data app has to be enabled in the requesting channel."


Has someone successfully used the RSC TeamMember.Read.Group in a shared or private channel?

Why does the API not work in private channels and only for read in shared channel?

The documentation says "of this team's channels", it does not mention any restriction to public channels.

Also a write scope only to public channels does not make sense, as members of a public channel are inherited from the team and cannot be managed seperately. What do I need to do differently to be able to read and modify members of private and shared channels in a team using RSC permissions?

GraphAPI
microsoft teams
RSC

3 Replies

  • Prasad_Das-MSFT's avatar
    Prasad_Das-MSFT
    Icon for Microsoft rankMicrosoft
    Nov 05, 2025

    Thanks for raising your issue. We will check this at our end and will update you accordingly.

  • DavidJacob's avatar
    DavidJacob
    Copper Contributor
    Nov 05, 2025

    That’s by design. RSC permissions like ChannelMember.ReadWrite.Group only work for standard (public) channels.
    Private and shared channels require application-level Graph permissions (ChannelMember.ReadWrite.All or Group.ReadWrite.All).
    RSC doesn’t cover those scopes yet.

    • jrennefeld's avatar
      jrennefeld
      Copper Contributor
      Nov 06, 2025

      The RSC Permission ChannelMember.ReadWrite.Group is also an application permission.
      As I mentioned, the write scope only to standard (public) channels makes no sense, because there is nothing to write. All members of a team are automatically members of all public channels in a team.
      Can you give me an example what the API is supposed to be used for?

       

Resources