2
votes

Problem

I get

Microsoft\Graph\Exception\GraphException: [0]: Received 403 for call to https://graph.microsoft.com/beta/me/chats/[id]@unq.gbl.spaces/members

I fail to understand why.


Research

permissions in Azure

enter image description here

how the exception appears in my queue

enter image description here

Additional information

Just to be clear: this same request with other users of our company is working, so it's not something that always fails. It might be worth noting that the permissions starting with Chat are from the beta version of the graph api. Also retrieving info about the user (ownUser getGivenName) is working for all users.

App scopes

The scopes defined in the application are:

openid profile offline_access user.read mailboxsettings.read calendars.readwrite Chat.ReadBasic Chat.Read Chat.ReadWrite

Response of the server

The response completely:

{
    "error": {
        "code": "Forbidden",
        "message": "Forbidden",
        "innerError": {
            "date": "2021-05-04T12:05:41",
            "request-id": "xxxxxxx-f7ea-4912-a23b-676002d0912d",
            "client-request-id": "xxxxxxx-f7ea-4912-a23b-676002d0912d"
        }
    }
}

The response headers also don't reveal anything:

enter image description here

Also tried

I also tried re-visiting https://login.microsoftonline.com/common/adminconsent?client_id=[id] and give my (admin) consent, however this doesn't change anything.

JWT token

Also I decoded both a working users jwt token and a non-working one and they have the same scp (scopes) configured. Here is the diff

used endpoints

  • /me/chats
  • /me
  • /me/chats/$chatId/messages
  • /me/chats/$chatId/members
1
What admins are trying to access the event - and are they attendees or owners of the chat? - Diana
@Diana They are owners. My application is creating backups of teams chats of the logged in user. It's working for most of the users, just for some it gives the 403 forbidden, while the required permissions stay the same. It's a real headscratcher. - online Thomas
Would you share the request-id for further debugging? I can see you've added the complete response to the question. - Diana
@Diana the request id is dd4afa4a-f7ea-4912-a23b-676002d0912d, I doubt this id is dangerous to post in any way, however I tried to keep as mich private as possible - online Thomas
I think this is caused by the lack of Office365 license for your users. Try to grant Office365 license to your users before calling the api. - Carl Zhao

1 Answers

0
votes

Just some observations and workarounds to help out others who come on this post through google:

  • Only the /me/chats/$chatId/members fails, without an apparant reason. It might be a mistake in in the beta implementation. Maybe it's better to use the $expand argument to see them to mitigate this problem.

  • for another subgroup of users retrieving all the chats with the endpoint /me/chats with the php sdk also fails with the recommended code

  public function listChats(): array
    {
        $graph = $this->getGraph();
        $chats = [];
        $response = $graph->setApiVersion("beta")
            ->createCollectionRequest("GET", "/me/chats")
            ->setReturnType(Chat::class);
        while (!$response->isEnd()) {
            $chats = array_merge($chats, $response->getPage());
        }

        return $chats;
    }

because the while loop never stops. @odata.nextLink is always present in the response for these users. Probably also a bug as by design the sdk checks if it's present.

  $maxRequests = 10;
   while (!$response->isEnd() && $maxRequests > 0) {
     $chats = array_merge($chats, $response->getPage());
     $maxRequests--;
   }