MS GRAPH API - CREATE SUBSCRIPTIONS - 403 ERROR - Caller does not have access to resource

Carlos 101 Reputation points
2021-10-13T06:18:30.98+00:00

Background:
Hi, I'm trying to use the ms graph API with ROPC authentication (other auth methods were not working since I need a non-interactive login for delegated permissions) to faciliate sending channel messages back and forth from specific Teams channels and my chat application. This process is working on loading/sending messages but to get real time updates it looks like I need to be able to subscribe to a resource (outgoing webhooks require mentions and this isn't what I want, though I can set it up and it works).

Issue:
To subscribe to a resource (ms teams channel) I'm using the code below: 

  const token = VALID_TOKEN_HERE // from ROPC auth flow
  const url = `https://graph.microsoft.com/beta/subscriptions`
  const subscription = {
    changeType: 'created,updated',
    notificationUrl: `${MY_ENDPOINT}/api/teams/events`,
    resource: `teams/${MY_TENANT_ID}/channels/${MY_CHANNEL_ID}/messages`,
    expirationDateTime: moment().add(1, 'hours'),
    includeResourceData: false,
  }
  const config = {
    headers: {
      Authorization: `Bearer ${token}`
    }
  }

  const response = await axios.post(url, subscription, config).catch(e => console.log(e) )

My notificationUrl is set up like below. 

    router.post('/teams/events', async (req, res) => {
        if (req.query.validationToken) {
          res.set('Content-Type', 'text/plain');
          return res.status(200).send(req.query.validationToken);
        }

    // code that does things with notification below

Error:
However, the original request to create a subscription fails and I get the following:

'Operation: Create;Exception: [Status Code: Forbidden;Reason: Caller does not have access to '/teams('TEAM_ID_HERE')/channels('CHANNEL_ID_HERE')/messages' resource]'

Other info: It is a standard (not private) channel with my user as a member

I'm requesting these permissions when getting my auth token 'ChannelMessage.Read.All Group.ReadWrite.All Directory.ReadWrite.All ChannelMessage.Send user.read openid profile offline_access'

My API permissions look like this

What am I missing to be able to create a subscription?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,546 questions
Microsoft Teams Development
Microsoft Teams Development
Microsoft Teams: A Microsoft customizable chat-based workspace.Development: The process of researching, productizing, and refining new or existing technologies.
2,835 questions
Accepted answer
  1. Carlos 101 Reputation points
    2021-10-14T23:08:54.297+00:00

    After trying to make it work on the microsoft graph explorer I realized that the resource url path I was trying to access had the wrong id.

    teams/${MY_TENANT_ID}/channels/${MY_CHANNEL_ID}/messages

    should have been

    teams/${MY_GROUP_ID}/channels/${MY_CHANNEL_ID}/messages

    This was the source of the error and changing the id fixed it.

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest