hello12345

Reputation: 51

Missing role permissions on the request even though it is added

I am testing sending activity feed notifications to users.

I have configured my app in Azure AD app registrations to have delegated permission: TeamsActivity.Send

I first obtain auth token by calling: POST https://login.microsoftonline.com/common/oauth2/v2.0/token

with client_id, client_secret, scope = https://graph.microsoft.com/.default, and grant_type = client_credentials

I then call activity feed notification endpoint: https://graph.microsoft.com/v1.0/users/{userId}/teamwork/sendActivityNotification with the auth token as part of Authorization: Bearer {authToken} header.

However, I am getting the following error:

"Missing role permissions on the request. API requires one of 'TeamsActivity.Send'. Roles on the request ''."

May someone help with this? I am not sure why I am getting this error.

Upvotes: 3

Views: 4189

Answers (1)

scottwtang

Reputation: 2050

There are 2 different types of permissions

  • Delegated (scope)
  • Application (role)

Take a look at the TeamsActivity.Send permission from the MS Graph reference.

| Permission | Type | Display String | Description |
|---|---|---|---|
| TeamsActivity.Send | Delegated | Send a teamwork activity as the user | Allows the app to create new notifications in users' teamwork activity feeds on behalf of the signed in user. These notifications may not be discoverable or be held or governed by compliance policies. |
| TeamsActivity.Send | Application | Send a teamwork activity to any user | Allows the app to create new notifications in users' teamwork activity feeds without a signed in user. These notifications may not be discoverable or be held or governed by compliance policies. |

See the difference? Delegated permission requires a user to be logged into the application, and the application will send a message on behalf of the user (as the user). Application permission will send the message on behalf of the application (as itself).

You're using the client_credentials flow, which is a non-interactive flow. You can't use delegated permissions because there is no user signed-in.

You need to assign the same TeamsActivity.Send permission, but of the Application type instead, and grant admin consent for this permission as well.

Reference

Microsoft identity platform and the OAuth 2.0 client credentials flow - Application permissions

Introduction to permissions and consent - Types of permissions

Upvotes: 1
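A quick way to confirm the diagnosis above is to inspect the access token itself: a client_credentials token carries application permissions in the `roles` claim, while delegated permissions appear in the `scp` claim, and the error text "Roles on the request ''" is Graph reporting an empty `roles` claim. The script below is an added example, not code from the question or the answer; the two tokens are constructed locally with a dummy signature and a placeholder client id, and the payload is decoded without signature verification purely for local diagnostics.

```python
import base64
import json

# Constructed sample tokens (NOT real): header.payload.dummy-signature.
def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _fake_token(payload: dict) -> str:
    return f"{_b64url({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url(payload)}.sig"

def decode_payload(token: str) -> dict:
    """Read JWT claims without verifying the signature (local diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_permission(token: str, required: str) -> dict:
    """Report whether `required` is present as an application role or a delegated scope."""
    claims = decode_payload(token)
    # Graph reads application permissions from `roles` (client_credentials tokens)
    # and delegated permissions from the space-separated `scp` claim (user flows).
    roles = claims.get("roles", [])
    scopes = claims.get("scp", "").split()
    return {"has_role": required in roles, "has_scope": required in scopes,
            "roles": roles, "scopes": scopes}

# Token as in the question: client_credentials, only the Delegated permission
# consented, so no `roles` claim is issued (matches "Roles on the request ''").
TOKEN_MISSING_ROLE = _fake_token({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder client id
})

# Token after the Application-type permission is assigned and admin-consented.
TOKEN_WITH_ROLE = _fake_token({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder client id
    "roles": ["TeamsActivity.Send"],
})

if __name__ == "__main__":
    for name, tok in (("question", TOKEN_MISSING_ROLE), ("fixed", TOKEN_WITH_ROLE)):
        print(name, check_permission(tok, "TeamsActivity.Send"))
```

Run `check_permission` against the real token returned by the token endpoint: if `has_role` is False and `roles` is empty, the Application-type permission has not been assigned or admin-consented yet.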
