4 votes

I am setting up an app for modifying a Microsoft Teams account (teams/channels) through the Microsoft Graph API, but I can't get responses from all of the endpoints which I need to call. I have followed the guide for creating an app with application permissions and acquired access (and refresh) token(s) successfully.

Calling the https://graph.microsoft.com/v1.0/users/<user guid>/joinedTeams endpoint yields a response as follows:

{
  "error": {
    "code": "Unauthorized",
    "message": "Unauthorized",
    "innerError": {
      "date": "2020-06-24T12:37:53",
      "request-id": <guid>
    }
  }
}

while calling endpoints such as https://graph.microsoft.com/v1.0/users works as described. It would seem that the app hasn't gotten consent and/or permissions to access these, but after signup they are listed on the API permissions in the azure portal enterprise applications page, and the access token JWT contains the specified permissions as a roles object.

From the JWT:

"roles": [
    "TeamSettings.ReadWrite.All",
    "User.ReadWrite.All",
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All",
    "TeamMember.ReadWrite.All",
    "Team.ReadBasic.All",
    "GroupMember.ReadWrite.All",
    "Member.Read.Hidden"
  ]

I have tried with the Directory.ReadWrite.All permission and also with the full permission list listed on the permissions page for the /joinedTeams endpoint and they all elicit the same error.

Curiously, according to this a 401 - Unauthorized response would be given for expired (or similarly invalid) tokens, however that seems to clearly not be the case as I can call other endpoints with that very token.

What am I missing?

abestrad: Kind of weird; besides the token validation, they decided to add an additional validation. Additionally, this error may occur if you try to use a delegated access token granted to a personal Microsoft account to access an API that only supports work or school accounts (organizational accounts). If that's not the case, I would suggest opening an issue here.

Subhasish: Along with @abestrad's point, can you also check if you have granted "Admin consent" for the permissions, if required.

Krukke: @abestrad Yes, I saw that note, but I have set it up with application permissions.

Krukke: Most recent unauthorized response: {"error": { "code": "Unauthorized", "message": "Unauthorized", "innerError": { "date": "2020-06-29T06:32:46", "request-id": "88edfa84-df64-4f53-9f9f-f1b3db0fc23d" }}}

Mike Oliver: @Krukke That was the same situation that I had. I believe you have two directories tied to your Azure Portal email. If you log into the Azure portal, go to the top right and drop down your identity, you'll see a Switch Directory choice. If you switch, you should see a directory that has a Microsoft Teams license. That's the directory that you have to add your MS Teams app to; then the tokens you get for it should be valid. I believe this is a quirk as to how free sign up for MS Teams works: it creates a new directory attached to your email vs. allowing you to choose an existing one.

1 Answer

0 votes

Solved thanks to @MikeOliver. When I signed up for Teams it created another directory. Only that second directory had a Teams "license" (visible from the Azure portal's License page).
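A quick check that would have surfaced the problem in this thread before any Graph call: decode the access token's claims and compare its tid (tenant id) with the directory that actually holds the Teams license, and confirm the roles the app needs are present. This is an added example, not code from the question or the answer; the tenant id, the role list and the token itself are constructed for the demonstration, and the token is unsigned (a real token must still be signature-verified by the resource; this only inspects claims for troubleshooting).

```python
import base64
import json

# Assumed: the tenant id of the directory that holds the Teams license
# (constructed placeholder, not a real tenant).
EXPECTED_TENANT = "11111111-1111-1111-1111-111111111111"
# Assumed: roles the app needs for the calls it makes (taken from the
# question's role list, trimmed for the example).
REQUIRED_ROLES = {"TeamSettings.ReadWrite.All", "Team.ReadBasic.All"}
# Audience values Microsoft Graph tokens carry (URI form or Graph app id).
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}


def _b64url_encode(obj):
    """Compact JSON -> base64url without padding, as JWT segments are encoded."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(tid, roles, aud="https://graph.microsoft.com"):
    """Build a constructed, UNSIGNED JWT-shaped string for demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": aud, "tid": tid, "roles": list(roles)}
    return ".".join([_b64url_encode(header), _b64url_encode(payload), ""])


def decode_claims(token):
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, expected_tid=EXPECTED_TENANT, required_roles=REQUIRED_ROLES):
    """List reasons a token would not work against the expected directory.

    An empty list means tenant, audience and roles all look right; a
    non-empty list names what to fix in the app registration or sign-in.
    """
    claims = decode_claims(token)
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"audience is {claims.get('aud')!r}, not Microsoft Graph")
    if claims.get("tid") != expected_tid:
        problems.append(
            f"tenant mismatch: token tid {claims.get('tid')} != {expected_tid} "
            "(app registered in a different directory?)")
    missing = set(required_roles) - set(claims.get("roles", []))
    if missing:
        problems.append("missing roles: " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    good = make_token(EXPECTED_TENANT, REQUIRED_ROLES)
    other_dir = make_token("22222222-2222-2222-2222-222222222222", REQUIRED_ROLES)
    print("good token:", diagnose(good) or "no problems found")
    print("token from the other directory:", diagnose(other_dir))
```

The tenant-mismatch branch is the one that matches this thread: the roles claim looked complete, so checking roles alone was misleading, while tid would have shown the token was minted for the directory without the Teams license.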