1
votes

I have a guest user on Azure Active Directory (fully redeemed - invite accepted etc.) that I am attempting to add to a Team (in Microsoft Teams) via the Graph API.

Following the documentation I have set all necessary permissions for my app, however I receive a 403 response from my POST request.

{
    "error": {
        "code": "Forbidden",
        "message": "An unknown error has occurred.",
        "innerError": {
            "date": "2020-12-09T15:52:30",
            "request-id": "X-X-X-X-X",
            "client-request-id": "XXX-XXX-XX-XXX-XXX"
        }
    }
}

Here's my decoded MS auth token below confirming the necessary permissions which should allow my call to add a Team member (the app does a few other things too, hence the extra perms):

{
  ...
  "roles" : [ "Teamwork.Migrate.All", "TeamMember.ReadWriteNonOwnerRole.All", "User.ReadWrite.All", "Directory.ReadWrite.All", "TeamMember.ReadWrite.All", "ChannelMember.ReadWrite.All", "GroupMember.ReadWrite.All", "Channel.Create" ],
  ...
}

Strangely enough, if I use the PowerShell module (microsoftteams) it successfully adds this user to the necessary Team. I understand this module uses the Graph API, so I'm not sure why a straightforward POST is failing (I tried hunting for the module's source code to see what request they are using, but had no luck).

For the purpose of finding a solution to this problem I'm just using Postman so I don't have any code to share. I am also able to add channel members (Guests), create channels, etc via the API but this 403 issue only occurs when attempting to add the Guest to the Team.

My POST:

POST https://graph.microsoft.com/v1.0/teams/{TEAM ID}/members

HEADER

{
    "Content-Type": "application/json",
    "Authorization": "Bearer {TOKEN}"
}

BODY

{
    "@odata.type": "#microsoft.graph.aadUserConversationMember",
    "roles": ["member"],
    "user@odata.bind": "https://graph.microsoft.com/v1.0/users('{GUEST_MEMBER_ID}')"
}

I have tried both v1.0 and beta endpoints. Both are giving the same 403.

I am happy to provide any further information that may be required.

Any suggestions / information to point me in the right direction would be greatly appreciated.

Thanks.

1
(1) HTTP 403 points to an issue with the permissions or roles of the user who is trying to make the API call, so make sure the user has the necessary roles assigned to perform the operation (apart from your permissions). (2) Outside of your code, I would suggest using Microsoft Graph Explorer/Postman with the same Graph API call and seeing if it works. (3) Test your token (I see that you already did that) and its scopes/permissions etc. – Dev
Hi, did you have the opportunity to look at my answer? Was it useful to you? – Carl Zhao
Was Carl's answer useful to you? If you still have any questions, you can tell us. If his solution helps you, you can mark his answer as accepted, which helps more forum users. – Joseph Xu

1 Answer

2
votes

The first thing you need to know is that you must be a global administrator or a team administrator and team owner to add guests to the team, so you must log in as a user with the role of administrator before you can add guest users.

So you can't use application permissions to get the token, because there is no user login; you can use them to add member users, but they cannot be used to add guests. You need to add the TeamMember.ReadWrite.All delegated permission, grant admin consent, and then use the auth code flow to obtain an access token.

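As an added example (not code from the question or the answer), a small Python check that applies the answer's rule before a request is sent: it decodes the token payload locally to tell an app-only token (a `roles` claim, as in the question's token) from a delegated one (an `scp` claim), and builds the `POST /teams/{id}/members` body from the question with the `user@odata.bind` key. The tokens, team ID and user ID are constructed placeholders; the request is built but not sent.

```python
import base64
import json

GRAPH = "https://graph.microsoft.com/v1.0"

def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload for local inspection only; no signature check (Graph does that)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def token_kind(claims: dict) -> str:
    """App-only tokens carry 'roles' (as in the question); delegated ones carry 'scp'."""
    if "scp" in claims:
        return "delegated"
    return "application" if "roles" in claims else "unknown"

def can_add_guest(claims: dict):
    """The answer's rule: a guest needs a delegated token with TeamMember.ReadWrite.All."""
    kind = token_kind(claims)
    if kind != "delegated":
        return False, f"{kind} token has no signed-in user; expect 403 when adding a guest"
    if "TeamMember.ReadWrite.All" not in claims["scp"].split():
        return False, "delegated token lacks TeamMember.ReadWrite.All"
    return True, "delegated token with TeamMember.ReadWrite.All"

def add_member_request(team_id: str, user_id: str, roles=("member",)) -> dict:
    """Build (not send) the POST /teams/{id}/members request from the question."""
    return {
        "url": f"{GRAPH}/teams/{team_id}/members",
        "body": {
            "@odata.type": "#microsoft.graph.aadUserConversationMember",
            "roles": list(roles),
            "user@odata.bind": f"{GRAPH}/users('{user_id}')",
        },
    }

def _fake_token(claims: dict) -> str:
    """Constructed, unsigned token for the demo (not a real Azure AD token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

APP_ONLY_TOKEN = _fake_token({"roles": ["TeamMember.ReadWrite.All", "User.ReadWrite.All"]})
DELEGATED_TOKEN = _fake_token({"scp": "TeamMember.ReadWrite.All User.Read"})

if __name__ == "__main__":
    for tok in (APP_ONLY_TOKEN, DELEGATED_TOKEN):
        print(can_add_guest(decode_jwt_payload(tok)))
```

Run as a script it prints the verdict for both constructed tokens; against a real token, paste the bearer string into `decode_jwt_payload` to see whether it is app-only before debugging the 403 further.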