@Robert Leist 

i'm getting "access denied" for Get-CsOnlineUser, Get-Team works.

what permissions did you add to your app ?

i'm working with a developer account, do you know if that would be a constraint ?

thanks

@Andres Bohren 

GET-TEAM works fine for me. However I get below error for Get-CsOnlineUser. Have given RBAC role to the app. I am using Pwsh on linux.

Get-CsOnlineUser: Connecting to remote server api.interfaces.records.teams.microsoft.com failed with the following error message : MI_RESULT_FAILED For more information, see the about_Remote_Troubleshooting Help topic.

Answer to question 2: Azure Portal > Azure Active Directory > Roles and Administrators > Search for the Teams Administrator role and select it > Add assignments > Click on the "No member selected" link > Search for your teams management service principle previously set up > Click on its tile > Click Select > Click Next > Select Active > Check Permanently Assigned or set start and end dates as needed > Type in a justification > Click Assign. Azure global administrators will get an email an a minute or two from the Azure Privileged Identity Management service when it's set up. This makes Get-CsOnlineUser work with both token-based and certificate-based authentication as described in the above article. Adding the service principle to the Skype for Business Administrator role does not appear to be necessary, at least for present purposes.

@Dr. Jeffry A. Spain 

Hi, assigning "Teams Administrator" to service principal (appid) does work.

but this is not going to solve the user experience part.

Tenant A - creates the app and publishes it

Tenant B - grants admin consent on the app

Tenant A - tries to manage teams settings and gets unauthorized

Tenant A - cannot get into Tenant B and add the service principal to Tenant Administrators, Tenant B admin needs to do this

this should be done automatically when Tenant B admin grants admin consent but there's no permission available that Tenant A could provide that would do this.

getting better but still this ux is not what we're seeking for over a year.

Hi All,

Here is my Blog how to do App Authentication with a Certificate in the Microsoft Teams PowerShell Module in Preview 

https://blog.icewolf.ch/archive/2022/09/28/microsoft-teams-powershell-module-4-7-1-preview-with-azur...

For now only a few commandlets work.

All Non *-Cs cmdlets (for example, Get-Team), Get-CsTenant, Get-CsOnlineUser, Get-CsOnlineVoiceUser & *-CsOnlineSipDomain cmdlets are already supported. Other cmdlets will be gradually rolled out.

Regards

Andres

@lazedo I removed the "Skype and Teams Tenant Admin API" from my app permissions and assigned the AD Role "Skype for Business administrator" to my app. Still the same error.

Does this work on multi-tenant cases? Or this will only work with the tenant that owns the app?