Graph API - Create subscription for channel on other tenant. Response: 403.

HUSKA Luu 36 Reputation points
2021-07-20T03:18:09.09+00:00

Hello everyone,
I submitted the form to access protected APIs on my tenants with the following data:

  1. App id(s) to enable application permissions for
    App_A_id; App_B_id; App_C_id
  2. What are the tenant ID's that this app needs to run in? (semicolon-separated. Put "all" if you're writing software for other organizations to use.)
    Tenant_A_id; Tenant_B_id; Tenant_C_id

Then I got approval via email.
After that, I tried to use the Graph API to create a subscription for channel messages. This is my process:

- Create subscription to channel in Tenant_A (App_A is in Tenant_A also) -> It works perfectly.

But I got an error when I try it like this:

- Create subscription to channel in Tenant_B (App_A is in Tenant_A) -> It responds 403.

Operation: Create; Exception: [Status Code: Forbidden; Reason: Caller does not have access to '/teams({team_id})/channels({channel_id})/messages' resource

I think after my request to access the protected API has been approved, I can access my tenants (A, B, C) from my applications (A, B, C).
Is there something I need to set? I hope someone can help me fix this issue.

Thank you guys for reading.
Best regards,

Huska

Microsoft Security Microsoft Graph

Accepted answer
CarlZhao-MSFT 46,371 Reputation points
    2021-07-20T09:26:15.797+00:00

    First, you need to set App_A as a multi-tenant application, go to the manifest of App_A, find the signInAudience attribute, set it with AzureADandPersonalMicrosoftAccount or AzureADMultipleOrgs.


    Next, run admin consent url in the browser, and then you need to log in with tenant B administrator account and consent. The multi-tenant application will then be added to the target tenant as an enterprise application. https://login.microsoftonline.com/{tenant_B_id}/adminconsent?client_id={App_A_client_id}.

    Then you can find App_A in the enterprise application of tenant B and view its permissions (this permission is granted by you in tenant A). Next you will be able to use the client credential flow to obtain a token, and then using that token you will be able to create a subscription for the channel on tenant B.

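The four steps in the accepted answer (multi-tenant app, admin consent in tenant B, a client-credentials token minted against tenant B, then the subscription call), as an added worked example in Python. This is editor-written illustration code, not code from the question, the answer, or Microsoft; the tenant and app GUIDs are constructed placeholders, and the sample token is an unsigned stand-in for a real Azure AD access token. The `diagnose_403` helper is the check a practitioner wants before opening a ticket: it decodes the token's `tid`, `aud` and `roles` claims to show whether the token was actually issued for the tenant that owns the team, which is the usual cause of the "Caller does not have access" 403 in the question.

```python
import base64
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's own app id (token audience)
LOGIN = "https://login.microsoftonline.com"

# Constructed placeholder identifiers; replace with the real tenant and app ids.
TENANT_A = "11111111-1111-1111-1111-111111111111"
TENANT_B = "22222222-2222-2222-2222-222222222222"
APP_A_CLIENT_ID = "33333333-3333-3333-3333-333333333333"


def admin_consent_url(tenant_id, client_id, redirect_uri=None, state=None):
    """Step 2 of the answer: the URL a tenant-B admin opens to consent to App_A.
    Consenting creates the enterprise application (service principal) in tenant B."""
    params = {"client_id": client_id}
    if redirect_uri:
        params["redirect_uri"] = redirect_uri
    if state:
        params["state"] = state
    return f"{LOGIN}/{tenant_id}/adminconsent?{urlencode(params)}"


def client_credentials_request(tenant_id, client_id, client_secret):
    """Step 3: the token request goes to the *target* tenant's endpoint, not App_A's home tenant.
    Returns (url, form_body) ready for an HTTP POST."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",
    }
    return url, body


def channel_messages_subscription(team_id, channel_id, notification_url, client_state, now=None):
    """Step 4: request body for POST {GRAPH}/v1.0/subscriptions on channel messages.
    clientState is a secret you generate; verify it on every incoming notification."""
    now = now or datetime.now(timezone.utc)
    expires = now + timedelta(minutes=60)  # Teams chatMessage subscriptions live at most 60 minutes
    return {
        "changeType": "created",
        "notificationUrl": notification_url,
        "resource": f"/teams/{team_id}/channels/{channel_id}/messages",
        "expirationDateTime": expires.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
        "clientState": client_state,
    }


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_claims(access_token):
    """Decode the JWT payload WITHOUT signature verification: fine for local diagnostics,
    never for an authorization decision."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url_decode(payload))


def diagnose_403(access_token, target_tenant_id):
    """Return a list of findings explaining why a channel-message call may be refused."""
    claims = token_claims(access_token)
    findings = []
    if claims.get("tid") != target_tenant_id:
        findings.append(
            f"token tenant {claims.get('tid')} != target tenant {target_tenant_id}: "
            f"request the token from {LOGIN}/{target_tenant_id}"
        )
    if claims.get("aud") not in (GRAPH, GRAPH_APP_ID):
        findings.append("token audience is not Microsoft Graph")
    if "ChannelMessage.Read.All" not in claims.get("roles", []):
        findings.append("app token lacks ChannelMessage.Read.All (admin consent missing in this tenant?)")
    return findings


def make_sample_token(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


if __name__ == "__main__":
    print(admin_consent_url(TENANT_B, APP_A_CLIENT_ID))
    wrong = make_sample_token({"tid": TENANT_A, "aud": GRAPH, "roles": ["ChannelMessage.Read.All"]})
    for finding in diagnose_403(wrong, TENANT_B):
        print("finding:", finding)
```

Run the module directly to see the consent URL for tenant B and the finding produced by a token that was issued by tenant A: that mismatch is exactly what the answer fixes by consenting in tenant B and then requesting the token from tenant B's endpoint.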

