What permissions are required by an Azure app to call a Teams powershell command?

Question

What permissions are required by an Azure app to call a Teams powershell command?

David - 10

I want to connect powershell to a Teams tenant using Application-based Access Tokens and then execute the Get-CsCallQueue cmdlet. I can connect successfully with my AppID but I get permission denied when I execute the cmdlet. Does anyone know what Azure AD permissions I need to give to the app in order for the cmdlet to run? If I connect powershell to the Teams tenant with my Azure user, I can execute the cmdlet successfully.

Sandeep G-MSFT 21,121 Reputation points Microsoft Employee Moderator

2023-03-31T05:55:38.6533333+00:00

@David -

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

2 answers

Your answer

Sandeep G-MSFT 21,121 Reputation points Microsoft Employee Moderator

2023-03-31T05:55:38.6533333+00:00

@David -

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

Answer 1

Anonymous

Hi @David - , to execute the Get-CsCallQueue cmdlet, you need to have the Teams.ManageCalls and Teams.ManageChats permissions in Azure Active Directory. You can add these permissions to your app by following these steps:

Go to the Azure Active Directory app in the Azure portal.
Select API permissions.
Select Add Permissions.
In the Add Permissions menu, select Azure Communication Services.
Select the permissions Teams.ManageCalls and Teams.ManageChats, then select Add permissions.

Please let me know if you have any questions. If this doesn't work please let me know and post a screenshot of your current permissions.

If this answer helped you please mark it as "Verified" so other users can reference it.

Thank you,

James

David - 10 Reputation points

2023-03-23T16:46:37.2933333+00:00

Hi James, this does not work in my scenario as the Teams.ManageCalls and Teams.ManageChats permissions are both delegated permissions - a user needs to sign into the application in order for them to be active (or am I missing something?) I want to be able to run the command from a background daemon app that has no user interaction.

I have found that if I create a group in Azure AD, add the application's service principal to the group and then assign the Teams Administrator role to the group, the powershell command will now run correctly when connected with the App ID. I'm not sure if there is a way to get this to work with a lower level of permissions though?

Answer 2

Alexandre Blanchette 26

I had the same issue. The Teams.ManageCalls and Teams.ManageChats don't help in this situation. You have to assign the Teams Communications Administrator role:

Log in to portal.azure.com, > Azure AD > Roles and administrators > search for 'Teams' in the role list > Select Teams Communications Administrator (Teams Administrator would work too).

Got the solution on this site: https://www.myteamslab.com/2022/12/teams-powershell-module-certificate.html

Share via

What permissions are required by an Azure app to call a Teams powershell command?

2 answers

Your answer