MS Graph permissions - do the ones we have right now HAVE to be application level?

We developed an MS Teams app that makes two Graph calls:

https://graph.microsoft.com/v1.0/chats/${chatId}/members
https://graph.microsoft.com/v1.0/teams/${groupId}/Members

In the manifest, there are two Application level permissions: TeamMember.Read.Group and ChatMember.Read.Chat. In Azure there are also two Application level permissions: ChatMember.Read.All and TeamMember.Read.All.
One of our clients wants to use the app, but their IT team does not like these Application level permissions and wants us to make them Delegated instead, or remove them.
The app seems to work when we remove the ResourceSpecific permissions from the manifest, but it does not work if we remove the Application level permissions from Azure, or try to change them to Delegated versions. It won't install and we get a permission error.
Is there something else that we can try that we may have missed? Do these Graph calls simply require Application level permissions to work and there's nothing we can do about that? We are not MS engineers and are not deeply experienced with Graph permissions.

4 Replies
@joshuabrown -Thanks for reporting your issue.
We will check this at our end and will get back to you.

@joshuabrown - If you are using the Application Permission only, then before calling this API with application permissions, you must request access. For details, see Protected APIs in Microsoft Teams.

GET /chats/{chat-id}/members
GET /users/{user-id | user-principal-name}/chats/{chat-id}/members

Reference document: List members of a chat - Microsoft Graph v1.0 | Microsoft Learn

@Sayali-MSFT I'm sorry, but that really doesn't answer my question. We are requesting access already, using application level permissions. Our client doesn't like the application level and wants us to remove them or downgrade them to delegated. When we tried doing that the app stopped working. I'm trying to find out if there are other permissions we can use than the ones we currently have, or if we are stuck with the ones that exist right now. I'm sorry if this is confusing, as I said, I'm not an MS engineer and this is pretty complicated stuff to me.

Hi @joshuabrown,
If I understand correctly, I think there is confusion between the scope you declare on your Azure AD App and the RSC permissions in the Teams App Manifest.

The model will depend on your Teams application scenario: if you install your app and use it in a specific context like a chat or a channel, you can use RSC and declare scopes in the manifest (you can find more details in this documentation); the user can access a limited set of resources.

Otherwise, if you want to request Microsoft Graph from your backend and request several resources, you have to use permissions on Azure AD Applications.

For Azure AD App, there are two types of permissions: delegated and application. Application permissions give access to your app and you don't need to have a user access token to request resources. Delegated permissions are used to request Graph on behalf of the user. (details)
So from a customer point of view, it's better to use delegated permissions because you can only access the services and data in the scope of each user.
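A practical way to see which of the two models a token actually carries, as an added JavaScript example that is not part of this thread and not Microsoft's code: it decodes the payload of a Graph access token and reports whether permissions arrived as application roles (the `roles` claim, issued to the app itself) or as delegated scopes (the `scp` claim, issued on behalf of a signed-in user). The sample tokens are constructed with a fake signature, and the permission names in them are placeholders copied from the thread, not a statement of which scopes the endpoints accept.

```javascript
// Decode the payload (second segment) of a JWT. No signature check here:
// this is for inspecting which claims a token carries, not for trusting it.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Report the permission model and which required permissions are missing.
// Application permissions: "roles" array. Delegated permissions: "scp" string.
function classifyGraphToken(token, required) {
  const claims = decodeJwtPayload(token);
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const scopes = typeof claims.scp === 'string' ? claims.scp.split(' ') : [];
  let model = 'none';
  if (roles.length) model = 'application';
  else if (scopes.length) model = 'delegated';
  const granted = model === 'application' ? roles : scopes;
  return {
    model,
    granted,
    missing: required.filter((p) => !granted.includes(p)),
  };
}

// --- Constructed sample tokens (fake header and signature, NOT valid) ---
function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function makeFakeToken(payload) {
  return `${base64url({ alg: 'none', typ: 'JWT' })}.${base64url(payload)}.fakesig`;
}

// Application permission names as listed in the question (placeholders here).
const REQUIRED_APP = ['ChatMember.Read.All', 'TeamMember.Read.All'];

// App-only token (client credentials flow): permissions land in "roles".
const appToken = makeFakeToken({
  aud: 'https://graph.microsoft.com', roles: ['ChatMember.Read.All'],
});
// Delegated token (obtained for a signed-in user): permissions land in "scp".
const delegatedToken = makeFakeToken({
  aud: 'https://graph.microsoft.com',
  scp: 'ChatMember.Read.All TeamMember.Read.All User.Read',
});

console.log(classifyGraphToken(appToken, REQUIRED_APP));
console.log(classifyGraphToken(delegatedToken, REQUIRED_APP));
```

If a token shows `model: 'application'`, the app is using the Azure AD application permissions the client's IT team objects to, regardless of what the Teams manifest declares.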