2
votes

I have a bot with Cortana channel added to it. I have configured Cortana connected account to get access token to Graph APIs. My bot code is using this token to call MS Teams APIs.

Cortana properly invokes my skill bot and prompts for user sign in. After a successful sign in, I have verified in the code that I am getting access token. Using this token, when my bot code makes a call to https://graph.microsoft.com/v1.0/me/joinedTeams, I get the response:

{
  StatusCode: 403, 
  ReasonPhrase: 'Forbidden', 
  Version: 1.1, 
  Content: System.Net.Http.StreamContent, 
  Headers: {  
      Transfer-Encoding: chunked  
      request-id: b1f83dda-1ce4-4660-9950-d890123f5b27  
      client-request-id: b1f83dda-1ce4-4660-9950-d890123f5b27  
      x-ms-ags-diagnostic: {
          "ServerInfo":{
              "DataCenter":"West US",
              "Slice":"SliceC",
              "Ring":"5",
              "ScaleUnit":"003",
              "Host":"AGSFE_IN_4",
              "ADSiteName":"WUS"
            }
        }  
        Duration: 43.0296  
        Strict-Transport-Security: max-age=31536000  
        Cache-Control: private  
        Date: Wed, 23 Jan 2019 20:13:33 GMT  
        Content-Type: application/json
    }
}

I have set the following permissions in the scope of Cortana channel OAuth Settings as well as in-app in the Azure portal:

  • Mail.Read
  • Mail.Send
  • openid
  • profile
  • User.Read
  • User.ReadBasic.All
  • User.Read.All
  • User.ReadWrite.All
  • Group.Read.All
  • Group.ReadWrite.All (Delegated + Application)

The same call through Graph Explorer with the same sign-in credentials returns a list of my joined Teams.

What am I missing here? How do I debug this further?


1
Have you gone through Admin Consent for these scopes? - Marc LaFleur
Hi Marc, thanks for the quick reply. Can you please elaborate on your comment? Bit confused about Admin Consent here. Where do I set this? Any documentation to understand this better? - user2494444

1 Answer

2
votes

Before you can use certain permission scopes, you need to first obtain "Admin Consent". Note that this is a different process than the "User Consent". Admin Consent precedes User Consent and is effectively an Administrator saying "sure, users in my tenant can accept the scopes your app is asking for". You may find this article on understanding the difference between User and Admin Consent helpful.

How you execute Admin Consent depends a bit on your application. If you're a multi-tenant app (i.e. your app gets used by different organizations) then you need to provide a specific URI to each tenant's Admin to kick off the process. For this process, I'd suggest taking a look at Obtaining Administrative Consent for your application.

If you're a single-tenant application (i.e. an internal enterprise app) then things are a little simpler. The tenant Admin can simply click the "Grant consent" option from the application registration page in the Azure portal (it's found on the "API Permissions" page for your app).
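Two practical checks that follow from the question ("how do I debug this further?") and from the answer's multi-tenant case. This is an added example, not code from the question, the answer, or Microsoft: it decodes the payload of the access token the bot receives (without verifying the signature, which is fine for local inspection only) so you can see which delegated scopes (`scp` claim) or application roles (`roles` claim) were actually granted, rather than which ones you requested, and it builds the admin-consent URL a tenant administrator opens once. The sample token, tenant id, client id and the `accepted` permission set passed to `check_token` are constructed placeholders; consult the Graph reference for the exact permissions `/me/joinedTeams` accepts.

```python
import base64
import json
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample: an unsigned JWT shaped like an Azure AD access token.
# Only the payload matters here; the signature segment is a placeholder
# because this helper never validates it (Graph does that server-side).
SAMPLE_PAYLOAD = {
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant id
    # Scopes the user consented to; note no *.All scope was granted.
    "scp": "Mail.Read Mail.Send User.Read openid profile",
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    "signature-placeholder",
])


def decode_payload(token: str) -> dict:
    """Return the JWT payload claims WITHOUT verifying the signature.

    Use this for diagnostics only; never make an authorization decision
    on claims you have not cryptographically verified.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(token: str) -> set:
    """Delegated scopes arrive in 'scp' (space-separated string);
    application permissions arrive in 'roles' (a list)."""
    claims = decode_payload(token)
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    return scopes | roles


def check_token(token: str, accepted: set) -> dict:
    """Graph endpoints accept any one of several permissions, so the check
    passes if at least one member of `accepted` is present in the token."""
    granted = granted_permissions(token)
    matched = granted & accepted
    return {
        "granted": sorted(granted),
        "matched": sorted(matched),
        "ok": bool(matched),
        # A 403 with an empty match usually means consent (user or admin)
        # was never granted for the scope, even if it is listed in the portal.
        "missing_any_of": [] if matched else sorted(accepted),
    }


def admin_consent_url(tenant: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Build the Azure AD admin-consent URL that a tenant administrator opens
    once to approve the app's requested permissions for the whole tenant."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri, "state": state})
    return f"https://login.microsoftonline.com/{tenant}/adminconsent?{query}"


if __name__ == "__main__":
    # Assumed: the endpoint accepts either of these two delegated permissions.
    result = check_token(SAMPLE_TOKEN, {"User.Read.All", "User.ReadWrite.All"})
    print(json.dumps(result, indent=2))
    print(admin_consent_url(
        "common",                              # or the specific tenant id/domain
        "11111111-2222-3333-4444-555555555555",  # placeholder application (client) id
        "https://example.invalid/consent-callback",
        "opaque-anti-csrf-state",
    ))
```

Run it against a real token by replacing `SAMPLE_TOKEN` with the value your bot received (from a debugger, never from a log file); if `matched` is empty while the portal shows the permission configured, the scope was requested but never consented to, which is exactly the situation Admin Consent resolves. Keep the `state` value unguessable and verify it on the redirect so the consent callback cannot be forged.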