Validating a user's membership of a Team - Context object

Trinetra-MSFT Hi Trinetra, thank you for your reply!

I know the reasoning behind the admin-level permissions, but at the moment I'm not able to check the team id I get from the Context object. When launched as a team tab, I get a https://docs.microsoft.com/en-us/javascript/api/@microsoft/teams-js/microsoftteams.context?view=msteams-client-js-latest and https://docs.microsoft.com/en-us/javascript/api/@microsoft/teams-js/microsoftteams.context?view=msteams-client-js-latest from the Context object. So Teams suggests that this user at the moment has access to that team because otherwise the Context object would not contain these values.

As the Context object could be compromised, I need a way to ascertain that this person actually belongs to that Team. I should be able to use the me/joinedTeams endpoint on the Graph, but because of the admin-level permissions required, I cannot, which is strange as it is actually the "me" endpoint and you get very limited information back, not an actual array of Group objects (as also raised https://docs.microsoft.com/en-us/graph/api/user-list-joinedteams?view=graph-rest-1.0&tabs=http, but that is another discussion in itself).

I've raised this point to Bill Bliss, Platform Architect and Head of Developer Ecosystem Microsoft Teams, and https://twitter.com/bill_bliss/status/1164384562387927040 that more fine-grained permissions are coming. However, I'm wondering whether there is any other way I could ensure that a user belongs to a team.