Forum Discussion
Validating a user's membership of a Team - Context object
- Jan 09, 2020
There seems to be a /checkMemberGroups endpoint which can be reached with the non-admin User.ReadBasic.All permission to which you can submit the user and the groupId provided by the Teams context object and it will return whether the user is actually in the group (thank you to the MVPs @paulschaeflein and @kevindockx!)
I'm still hopeful that at some point the /joinedTeams endpoint can also be reached with this User.ReadBasic.All permission, because that would actually "list" the joined teams with their id and could be used when you don't know the groupId upfront.
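The check described in the post above, as an added example that is not code from the thread or from Microsoft: it takes the userObjectId and groupId from the Teams tab Context object, validates them, builds the POST /users/{id}/checkMemberGroups call, and interprets the response. The `transport` callback, the `accessToken` variable and the sample ids are assumptions so the logic can run offline.

```javascript
// Added example (not from the thread). Assumption: `transport(req)` sends the request
// with a Graph token already obtained by the app and returns the parsed JSON body.
const GRAPH = "https://graph.microsoft.com/v1.0";
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Build the request for POST /users/{id}/checkMemberGroups.
// The Context object is client-supplied, so its ids are validated as GUIDs before
// being placed into a URL or a request body.
function buildCheckMemberGroupsRequest(accessToken, userObjectId, groupId) {
  if (!GUID.test(userObjectId) || !GUID.test(groupId)) {
    throw new Error("userObjectId and groupId from the Context object must be GUIDs");
  }
  return {
    url: `${GRAPH}/users/${userObjectId}/checkMemberGroups`,
    method: "POST",
    headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json" },
    body: JSON.stringify({ groupIds: [groupId] }),
  };
}

// Graph answers with {"value": [...]} listing only the submitted ids the user is in.
// Anything other than the exact group id (case-insensitive) counts as "not a member".
function isMemberFromResponse(responseJson, groupId) {
  const ids = responseJson && Array.isArray(responseJson.value) ? responseJson.value : [];
  return ids.some((id) => typeof id === "string" && id.toLowerCase() === groupId.toLowerCase());
}

// Verify the membership the Context object claims; returns true only when Graph
// confirms it. `context` mirrors the Teams tab Context fields the thread mentions.
function verifyTeamMembership(transport, accessToken, context) {
  const req = buildCheckMemberGroupsRequest(accessToken, context.userObjectId, context.groupId);
  return isMemberFromResponse(transport(req), context.groupId);
}

// Constructed sample: a fake transport that "knows" one membership, used for the demo.
const SAMPLE_USER = "11111111-2222-3333-4444-555555555555";
const SAMPLE_GROUP = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee";
function fakeTransport(req) {
  const body = JSON.parse(req.body);
  const member = req.url.includes(SAMPLE_USER) && body.groupIds.includes(SAMPLE_GROUP);
  return { value: member ? [SAMPLE_GROUP] : [] };
}
```

In a real tab the transport would be `fetch(req.url, req)` followed by `.json()`, and a false result should deny access to the team-scoped data rather than merely log it.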
salvijansen, Thanks for reaching out to us. FYI,
Some high-privilege permissions in the Microsoft ecosystem can be set to admin-restricted. Examples of these kinds of permissions include the following:
- Read all users' full profiles by using User.Read.All
- Write data to an organization's directory by using Directory.ReadWrite.All
- Read all groups in an organization's directory by using Groups.Read.All

Although a consumer user might grant an application access to this kind of data, organizational users are restricted from granting access to the same set of sensitive company data. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they're not authorized to consent to your app's permissions.
For more information please have a look at documentation for Admin Restricted Permissions.
- salvijansen, Sep 09, 2019, Copper Contributor
Trinetra-MSFT Hi Trinetra, thank you for your reply!
I know the reasoning behind the admin-level permissions, but at the moment I'm not able to check the team id I get from the Context object. When launched as a team tab, I get a groupId and userObjectId from the Context object. So Teams suggests that this user at the moment has access to that team because otherwise the Context object would not contain these values.
As the Context object could be compromised, I need a way to ascertain that this person actually belongs to that Team. I should be able to use the me/joinedTeams endpoint on the Graph, but because of the admin-level permissions required, I cannot, which is strange as it is actually the "me" endpoint and you get very limited information back, not an actual array of Group objects (as also raised here, but that is another discussion in itself).
I've raised this point to Bill Bliss, Platform Architect and Head of Developer Ecosystem Microsoft Teams, and he told me that more fine-grained permissions are coming. However, I'm wondering whether there is any other way I could ensure that a user belongs to a team.
- Trinetra-MSFT, Sep 16, 2019, Former Employee
salvijansen Yes, you can use your group id to fetch the list of members inside the team. Please take a look at List memberOf for getting the list of members in a team using the Graph API. You can call this API endpoint: https://graph.microsoft.com/v1.0/groups/{group-id-for-teams}/members.
- salvijansen, Oct 20, 2019, Copper Contributor
memberOf requires "Group.Read.All" which needs to be granted by an admin and, as I have said twice now, that is not what I'm looking for.