rizikin

Reputation: 61

Unable to proactively install Microsoft teams app through Graph API

I'm trying to proactively install my Teams app, which is still in development and has not been fully published by Microsoft. I've installed it to my Teams org in the Teams admin center. When I try to install the app in the personal scope of my test user, I'm getting the following message (excluding my Azure app ID):

{
    "error": {
        "code": "Forbidden",
        "message": "AAD App Id {My azure app ID} is not allowed to manage the Teams App '8782dd91-2afe-45e9-8906-858553f7675c'.",
        "innerError": {
            "date": "2021-09-12T21:19:56",
            "request-id": "b50af1b2-b697-403f-b0be-4f66486f4ac1",
            "client-request-id": "b50af1b2-b697-403f-b0be-4f66486f4ac1"
        }
    }
}

The request I'm sending:

POST https://graph.microsoft.com/v1.0/users/{{USERID}}/teamwork/installedApps

Body:

{
    "teamsApp@odata.bind": "https://graph.microsoft.com/v1.0/appCatalogs/teamsApps/8782dd91-2afe-45e9-8906-858553f7675c"
}

What might the issue be? In the developer portal for my app (https://dev.teams.microsoft.com/apps/), my application client ID for my Teams app is set as the correct Azure app ID, so not sure why it isn't allowed to proactively install the Teams app here.

Thanks!

Upvotes: 6

Views: 1150

Answers (1)

Arnaud P

Reputation: 12607

I've been able to successfully make this call in a similar setup, by granting the permission TeamsAppInstallation.ReadForUser.All to the Azure AD app on the client tenant (the tenant of the Teams user).

Update

Sorry, in fact the truth is even more crazy than that. It turns out I only get this error when my application requires (and gets) the permission TeamsAppInstallation.ReadWriteSelfForUser.All.

That's right: by getting one additional permission, you have fewer abilities. I guess only Microsoft could pull that one off 🤣

Original TL;DR

Azure AD app permissions don't seem to propagate reliably. Re-installing the app on the client tenant(s) may help.

By install I mean going to Azure portal as an admin, Enterprise Applications, selecting the app, then clicking Grant admin consent for <...>.

Original Details

For the record, I was getting the same error for another endpoint (trying to list chats). But after the following flow, the call was accepted by Microsoft Graph!

  1. removed all the permissions of the Azure AD app
  2. the app was still able to list Teams installations in the client tenant 🤯
  3. added a dummy permission to the app, so I could re-install it on client tenant
  4. now the call to list Teams installations was denied by MS Graph
  5. added back single permission TeamsAppInstallation.ReadForUser.All
  6. re-install on client tenant again
  7. now both calls (list Teams installations, list chats) work

Good luck 🍀

Upvotes: 2
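The answer above turns on which application permissions the client tenant has actually consented to at the moment of the call. As an added example (not code from the question or the answer), the check below reads the `roles` claim of an app-only Graph access token and compares it with what the app registration requests. The function names and the sample token are constructed for illustration, and it assumes the token is an app-only token whose `roles` claim lists the consented application permissions.

```python
import base64
import json

PREFIX = "TeamsAppInstallation."
# Permission the answer's update associates with the Forbidden error.
SELF_SCOPED = "TeamsAppInstallation.ReadWriteSelfForUser.All"


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def teams_install_roles(token: str) -> list:
    """Application permissions in the 'roles' claim that concern Teams app installs."""
    roles = jwt_claims(token).get("roles", [])
    return sorted(r for r in roles if r.startswith(PREFIX))


def diagnose(token: str, expected: set) -> dict:
    """Compare roles present in the token with those the app registration requests."""
    present = set(teams_install_roles(token))
    return {
        "missing": sorted(expected - present),     # consent not reflected in the token
        "unexpected": sorted(present - expected),  # older grant still in effect
        "self_scoped": SELF_SCOPED in present,
    }


def make_sample_token(roles: list) -> str:
    """Constructed, unsigned sample token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"aud": "https://graph.microsoft.com", "roles": roles}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    token = make_sample_token([SELF_SCOPED, "Chat.Read.All"])
    print(diagnose(token, {"TeamsAppInstallation.ReadForUser.All"}))
```

Run it against a freshly issued token after each consent change; a non-empty `missing` or `unexpected` list means the token does not yet match the app registration.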
