MSGraph API Teams Application permissions

Andrew Kennard 136 Reputation points
2023-10-05T09:51:12.8733333+00:00

From my limited knowledge so far, there seems to be an inconsistency in the Graph API.

With the Mail API you can do most things you would want to do as the application: read Inbox contents, send email, etc.

The Calendar API is similar: you can create appointments, etc.

But when it comes to the Teams (and Excel) APIs, they are very limited in terms of what you can do with application permissions. You can't ask an application to send a message to a Chat or a Channel, for example; you can't do things as another user like you can with the Mail API.

Why is that?

How can web applications hosted on a server interact with Graph API to do automated things like this without needing user-level permissions and all the login/tokens/expiry/renewal faff?

Microsoft Teams Development

1 answer

  1. Prasad-MSFT 6,111 Reputation points Microsoft Vendor
    2023-10-06T07:11:10.0866667+00:00

    For web applications hosted on a server to interact with Graph API without needing user-level permissions, you can use application permissions. These permissions are used by apps that run without a signed-in user present, for example apps that run as background services or daemons. Application permissions can only be consented to by an administrator.

    However, please note that not all operations and APIs support application permissions. Some operations and APIs require delegated permissions, which means they need to be performed on behalf of a user. This is especially true for operations that involve user data.

    In such cases, you would need to handle token acquisition, renewal, and expiry. Microsoft provides libraries like MSAL (Microsoft Authentication Library) to simplify this process. You can also use the 'on-behalf-of' flow to acquire tokens for APIs that do not support application permissions.

    Thanks, 

    Prasad Das

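The difference between the two permission types discussed in this thread is visible in the access token itself: Microsoft identity platform tokens carry delegated permissions in the space-separated `scp` claim and application permissions in the `roles` array. The following is an added example, not code from the question or the answer, that decodes a token's claims and checks which kind of permission it carries before a Graph call is attempted. The helper names, the unsigned sample tokens and their permission lists are constructed for illustration.

```python
import base64
import json


def decode_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_kind(claims: dict) -> str:
    """'delegated' if a user is present (scp), 'application' if app-only (roles)."""
    if claims.get("scp"):
        return "delegated"
    if claims.get("roles"):
        return "application"
    return "none"


def granted(claims: dict) -> set:
    """Return the permissions that apply to this kind of token."""
    if token_kind(claims) == "delegated":
        return set(claims["scp"].split())
    return set(claims.get("roles", []))


def check(jwt: str, required_kind: str, permission: str) -> bool:
    """True only if the token is of the required kind and holds the permission."""
    claims = decode_claims(jwt)
    return token_kind(claims) == required_kind and permission in granted(claims)


def _make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples: a daemon (app-only) token and a signed-in user's token.
APP_TOKEN = _make_token({"aud": "https://graph.microsoft.com",
                         "roles": ["Mail.Send", "Calendars.ReadWrite"]})
USER_TOKEN = _make_token({"aud": "https://graph.microsoft.com",
                          "scp": "ChannelMessage.Send User.Read"})

if __name__ == "__main__":
    for name, tok in (("app", APP_TOKEN), ("user", USER_TOKEN)):
        c = decode_claims(tok)
        print(name, token_kind(c), sorted(granted(c)))
```

Decoding without signature verification is suitable only for inspecting a token your own app has just acquired; an API that receives tokens must validate them.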