Teams Bot: Receiving all messages from Private Channels using RSC permissions

Jesus GL 20 Reputation points
2026-03-27T10:50:03.5966667+00:00

I am developing a Teams bot/app that needs to receive all messages from a private channel without requiring a direct @mention.

I am currently using Resource-Specific Consent (RSC) with the following permissions:

  • ChannelMessage.Read.Group
  • ChannelMessage.Send.Group

Current Status

  1. Standard Channels (Success): Everything works as expected. The bot can read and receive messages without being mentioned. (It can also mention or subscribe to messages from standard channels without problems.)
  2. Private Channels (Read Only): My bot can read messages from private channels using a GET request to /teams/{id}/channels/{id}/messages with the same RSC permissions.
  3. Private Channels (Receiving/Subscription Failure): I am unable to receive real-time messages from Private or Shared channels unless the bot is mentioned in the message. When I try to set up a subscription (as I do with standard channels), the API returns a 403 Forbidden (ExtensionError) (no problem with application permissions).

Subscription

API request:

curl -s -X POST "https://graph.microsoft.com/v1.0/subscriptions" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
  "changeType": "created,updated",
  "notificationUrl": "https://your-api-endpoint.com/webhook",
  "resource": "/teams/{team-id}/channels/{channel-id}/messages",
  "includeResourceData": false,
  "expirationDateTime": "2026-03-31T11:00:00Z",
  "clientState": "SecretState"
}'

Response:

{
  "error": {
    "code": "ExtensionError",
    "message": "Operation: Create; Exception: [Status Code: Forbidden; Reason: Caller is not allowed to subscribe to /teams('...')/channels('...')/messages for Shared/Private channel.]"
  }
}

Questions

The difference in behavior between standard and private channels is a known problem, but:

  • Is there any specific RSC scope or configuration that allows a bot to receive/stream messages from Private Channels in real-time?
  • Given that ChannelMessage.Read.Group (RSC) already allows the bot to read these messages via GET, why is the proactive reception of messages restricted?
Microsoft Teams | Development

Answer accepted by question author

  1. Steven-N 25,140 Reputation points Microsoft External Staff Moderator
    2026-03-27T11:30:51.0033333+00:00

    Hi Jesus GL

    To directly answer your technical questions:

    1/ Is there any specific RSC scope or configuration that allows a bot to receive/stream messages from Private Channels in real-time?

    Currently, no, there is no RSC scope or configuration that supports this. Microsoft explicitly blocks message change notifications (subscriptions) for private and shared channels when using Resource-Specific Consent.

    As stated in the official Microsoft documentation under Apps for shared and private channels

    That said, to receive real-time streams of messages across all channel types (including private), you cannot use RSC. You must use the tenant-wide application permission ChannelMessage.Read.All, which requires tenant admin consent and submission of the Microsoft Graph protected APIs request form.

    2/ Given that ChannelMessage.Read.Group (RSC) already allows the bot to read these messages via GET, why is the proactive reception of messages restricted?

    As far as I know, the restriction stems from the distinct architectural and security boundaries of private and shared channels within the Microsoft Graph notification infrastructure.

    Standard channels share the parent team's SharePoint site and group mailbox, allowing RSC consent applied at the team level to easily encompass the channel's events. Private and shared channels, conversely, are provisioned with their own isolated SharePoint sites and storage to strictly silo access.

    While a synchronous GET request (a pull operation) validates your RSC authorization against the team resource at the exact moment of the call, the Graph change notification pipeline (a push operation) utilizes a separate, stricter authorization model.

    Hope my answer will help you.



    1 person found this answer helpful.
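Added example, not part of the thread or of any Microsoft sample: Python that recognizes the exact 403 quoted in the question and, as an assumed fallback that stays within the team-scoped RSC permission, derives created/updated events from repeated GET snapshots of the channel's messages. `is_private_channel_block`, `ChannelPoller` and the sample values are hypothetical names and constructed data; `id`, `createdDateTime` and `lastModifiedDateTime` are properties of the Graph chatMessage resource.

```python
import json
import re

# Constructed from the 403 body quoted in the question.
SAMPLE_403 = json.dumps({"error": {"code": "ExtensionError", "message": (
    "Operation: Create; Exception: [Status Code: Forbidden; Reason: Caller is "
    "not allowed to subscribe to /teams('...')/channels('...')/messages for "
    "Shared/Private channel.]")}})

_BLOCKED = re.compile(r"not allowed to subscribe .* for Shared/Private channel", re.I)


def is_private_channel_block(status, body):
    """True only for the RSC private/shared-channel refusal, not for any 403.

    Other 403s (missing consent, expired token) need a different response,
    so they must not silently trigger the polling fallback.
    """
    try:
        err = json.loads(body)["error"]
        return (status == 403 and err["code"] == "ExtensionError"
                and bool(_BLOCKED.search(str(err["message"]))))
    except (ValueError, KeyError, TypeError):
        return False  # malformed or unexpected body: treat as a different error


class ChannelPoller:
    """Turns successive GET .../messages snapshots into created/updated events."""

    def __init__(self):
        self._seen = {}  # message id -> last modification stamp already reported

    def diff(self, messages):
        """Return [(changeType, message_id)] for what changed since the last call.

        The first call reports every message in the snapshot as 'created'.
        """
        events = []
        for m in messages:
            stamp = m.get("lastModifiedDateTime") or m["createdDateTime"]
            if m["id"] not in self._seen:
                events.append(("created", m["id"]))
            elif self._seen[m["id"]] != stamp:
                events.append(("updated", m["id"]))
            self._seen[m["id"]] = stamp
        return events
```

Polling trades latency and request volume for keeping consent at team scope; the accepted answer's route to real-time delivery remains ChannelMessage.Read.All.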

1 additional answer

  1. Q&A Assist
    2026-03-27T10:50:21.51+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    There is no additional RSC permission or configuration in the provided documentation that enables a bot or agent to receive or subscribe to all messages from private or shared channels in real time.

    From the context, RSC for bots and agents is described as follows:

    • ChannelMessage.Read.Group and ChatMessage.Read.Chat allow:
      • A specified Graph application to get all messages in channels and chats.
      • A bot defined in the app manifest to receive all conversation messages without being @mentioned in the relevant contexts.
    • This behavior is documented and demonstrated for:
      • Standard channels and chats (including sample apps and upload flows).
      • The guidance and samples focus on “channels” and “chats” generically, without exposing any special handling or extra scopes for private/shared channels.

    The documentation explicitly shows:

    • How to declare RSC permissions in the app manifest (authorization.permissions.resourceSpecific with ChannelMessage.Read.Group and/or ChatMessage.Read.Chat).
    • How to upload and validate a bot that receives all channel or chat messages without being @mentioned.
    • That services needing access to all Teams message data must use Graph REST APIs to access archived data in channels and chats.

    However, nothing in the provided material indicates:

    • Any separate RSC scope for private or shared channels beyond ChannelMessage.Read.Group.
    • Any support for creating Graph subscriptions on /teams/{team-id}/channels/{channel-id}/messages for private/shared channels using RSC.
    • Any configuration that would change the 403 “Caller is not allowed to subscribe … for Shared/Private channel” behavior.

    Given this, the behavior described is consistent with the documented model:

    • ChannelMessage.Read.Group lets the bot/app read messages (for example, via GET on the messages resource), including in private channels where it is allowed.
    • Real-time delivery and subscription semantics for private/shared channels are not documented as supported with RSC in the provided content, which explains why proactive reception via subscription is restricted even though direct GET access works.

    There is no documented way in the supplied context to enable real-time subscriptions for private/shared channel messages using RSC beyond the existing capabilities, nor any additional scope that would change the 403 restriction.

