Forum Discussion

joshuabrown's avatar
joshuabrown
Copper Contributor
Jun 29, 2023

MS Graph permissions - do the ones we have right now HAVE to be application level?

We developed an MS Teams app that makes two Graph calls:       https://graph.microsoft.com/v1.0/chats/${chatId}/members https://graph.microsoft.com/v1.0/teams/${groupId}/Members       In th...
microsoft teams
alexisconia's avatar
alexisconia
MVP
Jul 05, 2023

Hi joshuabrown,

 

If I understand correctly, I think there is confusion between the scope you declare on your Azure AD App and the RSC permissions in the Teams App Manifest.

The model will depend on your Teams application scenario: if you install your app and use it in a specific context like a chat or a channel, you can use RSC and declare scopes in the manifest (You can find more details in this documentation), the user can access to a limited set of resources.

Otherwise, If you want to request Microsoft Graph from your backend and request several resources, you have to use permissions on Azure AD Applications.

For Azure AD App, there are two types of permissions: delegated and application. Application permissions give access to your app and you don't need to have a user access token to request resources. Delegated permissions are used to request Graph on behalf of the user. (details)

 

So from a customer point of view, it's better to use delegated permissions because you can only access the services and data in the scope of each user.

Resources