saminc
Mar 13, 2024

Resource-specific consent not showing up in permission grants

I've got an Azure app registration, and a Teams application with a manifest that specifies that ID in the webApplicationInfo. I also have the following permissions specified in the manifest:
 
 
I then hit "Publish" within https://dev.teams.microsoft.com/, and publish the app into my organisation, which I am fairly sure is a Microsoft 365 Developer tenant. Once I've approved the app and added it to Teams, I see the following permissions:

I have a backend for my Teams app, and I'd like it to be able to create channels. I do this by using my app's ID and secret, and hitting the OAuth2 token endpoint for the developer tenant, with a scope of "https://graph.microsoft.com/.default". This gives me back a JWT token that, when I decode it using jwt.ms, has Group.Selected in the roles array. This all seems correct so far!
 
When I then use that token to create a channel, I get the following error:
Missing role permissions on the request. API requires one of 'Channel.Create, Teamwork.Migrate.All, Group.ReadWrite.All, Directory.ReadWrite.All, Channel.Create.Group'. Roles on the request 'TeamsAppInstallation.ReadWriteSelfForTeam.All, Group.Selected, TeamsAppInstallation.ReadForTeam.All'. Resource specific consent grants on the request ''.

 

I would expect to be getting Channel.Create.Group as a resource-specific consent grant. How can I find out why this isn't happening? I've been following this guide but when I use the Graph Explorer to call https://graph.microsoft.com/beta/teams/{team-id}/permissionGrants for the team I installed the app into, I get back an empty array.

 

Hopefully someone can spot what I'm doing wrong.
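
A diagnostic sketch for the situation described in the post above, added here as an example and not part of the original post or of any Microsoft tooling: it parses the Graph error text quoted in the post together with an access token's roles claim, and reports which required permission is covered and which could only arrive as a resource-specific consent grant. The token is a constructed, unsigned sample, the function names are hypothetical, and treating a ".Group" suffix as marking a team-scoped RSC permission is an assumption.

```python
import base64
import json
import re

# Error text as quoted in the post above.
SAMPLE_ERROR = (
    "Missing role permissions on the request. API requires one of "
    "'Channel.Create, Teamwork.Migrate.All, Group.ReadWrite.All, "
    "Directory.ReadWrite.All, Channel.Create.Group'. Roles on the request "
    "'TeamsAppInstallation.ReadWriteSelfForTeam.All, Group.Selected, "
    "TeamsAppInstallation.ReadForTeam.All'. "
    "Resource specific consent grants on the request ''.")

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned sample token carrying the roles the post reports.
SAMPLE_TOKEN = ".".join([_b64({"alg": "none"}), _b64({"roles": [
    "TeamsAppInstallation.ReadWriteSelfForTeam.All", "Group.Selected",
    "TeamsAppInstallation.ReadForTeam.All"]}), "constructed"])

ERR_RE = re.compile(
    r"API requires one of '(?P<required>[^']*)'\. "
    r"Roles on the request '(?P<roles>[^']*)'\. "
    r"Resource specific consent grants on the request '(?P<rsc>[^']*)'")

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is not verified."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def _names(csv):
    return {p.strip() for p in csv.split(",") if p.strip()}

def diagnose(error_message, token):
    m = ERR_RE.search(error_message)
    if m is None:
        raise ValueError("not a Graph 'Missing role permissions' message")
    required, roles, rsc = (_names(m[k]) for k in ("required", "roles", "rsc"))
    return {
        "satisfied_by": sorted(required & (roles | rsc)),
        "rsc_grants_present": bool(rsc),
        "token_matches_request": set(jwt_claims(token).get("roles", [])) == roles,
        # Assumption: a ".Group" suffix marks a team-scoped RSC permission.
        "needs_rsc_grant": sorted(r for r in required if r.endswith(".Group")),
    }

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_ERROR, SAMPLE_TOKEN), indent=2))
```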
