Reputation: 51
Missing role permissions on the request even though it is added
I am testing sending activity feed notifications to users.
I have configured my app in Azure AD app registrations to have delegated permission: TeamsActivity.Send
I first obtain auth token by calling: POST https://login.microsoftonline.com/common/oauth2/v2.0/token
with client_id, client_secret, scope = https://graph.microsoft.com/.default, and grant_type = client_credentials
I then call activity feed notification endpoint: https://graph.microsoft.com/v1.0/users/{userId}/teamwork/sendActivityNotification with the auth token as part of Authorization: Bearer {authToken} header.
However, I am getting the following error:
"Missing role permissions on the request. API requires one of 'TeamsActivity.Send'. Roles on the request ''."
May someone help with this? I am not sure why I am getting this error.
Upvotes: 3
Views: 4189
Answers (1)
Reputation: 2050
There are 2 different types of permissions
- Delegated (scope)
- Application (role)
Take a look at the TeamsActivity.Send permission from the MS Graph reference.
| Permission | Type | Display String | Description |
|---|---|---|---|
| TeamsActivity.Send | Delegated | Send a teamwork activity as the user | Allows the app to create new notifications in users' teamwork activity feeds on behalf of the signed in user. These notifications may not be discoverable or be held or governed by compliance policies. |
| TeamsActivity.Send | Application | Send a teamwork activity to any user | Allows the app to create new notifications in users' teamwork activity feeds without a signed in user. These notifications may not be discoverable or be held or governed by compliance policies. |
See the difference? Delegated permission requires a user to be logged into the application, and the application will send a message on behalf of the user (as the user). Application permission will send the message on behalf of the application (as itself).
You're using the client_credentials flow, which is a non-interactive flow. You can't use delegated permissions because there is no user signed-in.
You need to assign the same TeamsActivity.Send permission, but of the Application type instead, and grant admin consent for this permission as well.
Reference
Microsoft identity platform and the OAuth 2.0 client credentials flow - Application permissions
Introduction to permissions and consent - Types of permissions
Upvotes: 1
Related Questions
- Accessing Outlook Calendar Graph API from background service
- Get Token call to Microsoft Graph REST Api gives 400 error
- Microsoft graph - adding an event to default calendar gives back "Resource could not be discovered." error
- Microsoft Graph API token expiring after 3600 seconds - NodeJS
- Why does my request to consent admin permissions ask all permissions?
- Unable to generate access token for microsoft graph online meeting api
- Unable to obtain access token for calling Microsoft Graph APIs
- MS Teams Get Roster returns "The bot is not part of the conversation roster."
- POST request to Graph API fails with Bad Request
- 401 Unauthorized - token not being accepted