Adding team owner through Graph API causes 403 error
Hi guys! I have faced an issue with the Teams Graph API. Some time ago (approximately 3 months ago) the API that adds a team owner just stopped working. Here is a brief investigation. Our application uses Application-type permissions for performing API operations. For example, team creation requires the "Team.Create" scope. It is granted for our application. The POST that is used for team creation:
POST https://graph.microsoft.com/v1.0/teams
Headers:
"Content-Type: application/json"
"Authorization: BEARER token"
Body: {"@microsoft.graph.teamCreationMode":"migration","template@odata.bind":"https://graph.microsoft.com/v1.0/teamsTemplates('standard')","displayName":"Restored by SpinOne for restore at Sep 06, 2024 05-43 PM","description":"for restore","createdDateTime":"2022-02-21T16:35:36.032Z"}
This query is executed successfully and the team is created. But for the query that is supposed to add a member, the same approach doesn't work anymore. It requires the "TeamMember.ReadWrite.All" scope, which is present for the application.
POST: https://graph.microsoft.com/v1.0/teams/{teamId}/members
Headers:
"Content-Type: application/json"
"Authorization: BEARER token"
Body: {"@odata.type":"#microsoft.graph.aadUserConversationMember","roles":["owner"],"user@odata.bind":"https://graph.microsoft.com/v1.0/users('userId')"}
Response:
Response code: 403
Body:{"error":{"code":"Forbidden","message":"You do not have permission to perform this operation.","innerError": {"code":"AccessDenied","message":"You do not have permission to perform this operation.","details":[],"date":"2024-09-06T15:05:25","request-id":"b2aaa7b4-3632-4cf0-93cb-bc4e5b4337f7","client-request-id":"b2aaa7b4-3632-4cf0-93cb-bc4e5b4337f7"}}}
But all permissions are correct according to https://learn.microsoft.com/en-us/graph/api/team-post-members?view=graph-rest-1.0&tabs=http. Were there any changes in the API? Could you please help me with this problem?
4 answers
Hitesh Pachipulusu - MSFT 2,225 Reputation points Microsoft Vendor
2024-09-10T12:16:46.05+00:00 Hello Dmytro_dev,
Thank you for reaching out to Microsoft Support!
A 403 Forbidden error typically indicates that the client does not have permission to access the requested resource. Here are some possible reasons why you might be encountering this error when trying to add a team owner using the Microsoft Graph API:
- Insufficient Permissions: Even though you have the TeamMember.ReadWrite.All permission, it might not be correctly applied or granted admin consent. Double-check the permissions in the Azure portal. Additionally provide the Directory.ReadWrite.All and Group.ReadWrite.All scopes.
- Role Assignment Issues: The user or application might not have the necessary roles assigned. Ensure that the application has the required roles to perform the operation.
- Token Scope: The access token might not include the necessary scopes. Decode the JWT token (you can use tools like jwt.io) to ensure it contains the correct scopes and roles. Verify that the token includes all scopes.
- User Licensing: The user you’re trying to add as an owner might not have the necessary licenses. Ensure that the user has the appropriate Microsoft 365 licenses.
By following these steps, you should be able to gather more information and fix the root cause of the 403 error.
Hope this helps.
If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
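The answer above suggests decoding the access token to confirm it carries the needed permissions. The following is an added example, not code from the thread or from Microsoft, that performs that check offline: for an app-only (client-credentials) token, Microsoft Graph application permissions appear in the `roles` claim, while delegated permissions appear in `scp`, so the check looks at `roles`. The sample token is constructed here, unsigned, and the decoder deliberately does not verify the signature, which makes it fit only for inspecting a token you already hold, never for authenticating one. Running this against a real token is the cheapest way to rule the permission explanation in or out before widening the app's consent with broad directory scopes, which is a least-privilege trade-off; in this thread the later answer shows the 403 had a different cause.

```python
import base64
import json

# Application permissions granted to the app registration show up in the
# "roles" claim of an app-only token (delegated ones would be in "scp").
REQUIRED_APP_ROLES = {"Team.Create", "TeamMember.ReadWrite.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    Diagnostic only (the same thing jwt.io does in the browser): use it on
    your own token, never to trust a token presented by someone else.
    """
    if token.lower().startswith("bearer "):
        token = token[7:]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_app_roles(token: str, required=REQUIRED_APP_ROLES) -> set:
    """Return the required Graph application permissions absent from the token's roles claim."""
    granted = set(token_claims(token).get("roles", []))
    return set(required) - granted


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT for offline demonstration only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: an app-only token granted Team.Create (team creation works)
# but not TeamMember.ReadWrite.All (adding members would be refused).
SAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real app id
    "roles": ["Team.Create", "Group.ReadWrite.All"],
})

if __name__ == "__main__":
    print("missing application permissions:", missing_app_roles(SAMPLE_TOKEN))
```

If the set returned for your real token is empty, the token is not the problem and the 403 must come from the resource itself, as happened in this thread.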
CarlZhao-MSFT 42,046 Reputation points
2024-09-11T08:52:46.3533333+00:00 Hi @Dmytro_dev
I just conducted some local tests, and it worked very well.
I suggest you create a new application and only grant the TeamMember.ReadWrite.All application permission to avoid permission conflicts. Then, use the new application to request a new access token and try again.
Hope this helps.
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
CarlZhao-MSFT 42,046 Reputation points
2024-09-13T10:02:10.81+00:00 Hi @Dmytro_dev
After multiple tests, I was able to reproduce your issue locally.
This is because the team you created is in a migration state, and currently, adding members to a team in this state is not supported.
You should create a team that is not in a migration state.
Hope this helps.
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
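The root cause found above is that a team created with "@microsoft.graph.teamCreationMode":"migration" refuses POST /teams/{id}/members with a 403 while it is still in migration mode, so the permission hints earlier in the thread were a red herring. The following is an added example, not code from the thread or from Microsoft: a small app-only Graph client whose HTTP layer is injected, plus a constructed in-memory stand-in for Graph that reproduces the reported behaviour (403 on member add while in migration mode, the body modelled on the response in the question). Two orderings are shown, the failing one from the question and the working one. The working path calls Graph's documented `POST /teams/{id}/completeMigration` action to leave migration mode before adding the owner; that call is not mentioned in the thread and is my addition, and it only makes sense once any message import into the team is finished. Team creation is asynchronous, so the team id is taken from the Content-Location header of the 202 response rather than from a body.

```python
import re
from typing import Callable, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
MEMBER_TYPE = "#microsoft.graph.aadUserConversationMember"

# transport(method, url, headers, json_body) -> (status, response_headers, json_body)
Transport = Callable[[str, str, dict, Optional[dict]], Tuple[int, dict, dict]]


class GraphError(Exception):
    def __init__(self, status: int, body: dict):
        err = body.get("error", {})
        super().__init__(f"HTTP {status} {err.get('code')}: {err.get('message')}")
        self.status, self.code = status, err.get("code")


class TeamsClient:
    """Thin app-only Graph client; the HTTP layer is injected so the example runs offline."""

    def __init__(self, token: str, transport: Transport):
        self._headers = {"Content-Type": "application/json",
                         "Authorization": f"Bearer {token}"}
        self._send = transport

    def _call(self, method: str, path: str, body: Optional[dict] = None):
        status, headers, payload = self._send(method, GRAPH + path, self._headers, body)
        if status >= 400:
            raise GraphError(status, payload)
        return headers, payload

    def create_team(self, name: str, migration_created: Optional[str] = None) -> str:
        """POST /teams; when migration_created is given, the team is created in migration mode."""
        body = {"template@odata.bind": f"{GRAPH}/teamsTemplates('standard')",
                "displayName": name}
        if migration_created:
            body["@microsoft.graph.teamCreationMode"] = "migration"
            body["createdDateTime"] = migration_created
        headers, _ = self._call("POST", "/teams", body)
        # Creation is asynchronous: 202 Accepted, id carried in Content-Location.
        return re.search(r"/teams\('([^']+)'\)", headers["Content-Location"]).group(1)

    def complete_migration(self, team_id: str) -> None:
        """Leave migration mode (documented Graph action; assumed import is finished)."""
        self._call("POST", f"/teams/{team_id}/completeMigration")

    def add_owner(self, team_id: str, user_id: str) -> dict:
        body = {"@odata.type": MEMBER_TYPE, "roles": ["owner"],
                "user@odata.bind": f"{GRAPH}/users('{user_id}')"}
        return self._call("POST", f"/teams/{team_id}/members", body)[1]


class FakeGraph:
    """Constructed stand-in reproducing the thread: members POST is 403 during migration mode."""

    def __init__(self):
        self.teams, self._n = {}, 0

    def __call__(self, method, url, headers, body):
        path = url[len(GRAPH):]
        if method == "POST" and path == "/teams":
            self._n += 1
            tid = f"00000000-0000-0000-0000-{self._n:012d}"  # constructed id
            migrating = body.get("@microsoft.graph.teamCreationMode") == "migration"
            self.teams[tid] = {"migration": migrating, "members": []}
            return 202, {"Content-Location": f"/teams('{tid}')/operations('op{self._n}')"}, {}
        m = re.fullmatch(r"/teams/([^/]+)/(completeMigration|members)", path)
        team = self.teams.get(m.group(1)) if m else None
        if method != "POST" or team is None:
            return 404, {}, {"error": {"code": "NotFound", "message": "no such team"}}
        if m.group(2) == "completeMigration":
            team["migration"] = False
            return 204, {}, {}
        if team["migration"]:
            return 403, {}, {"error": {"code": "Forbidden",
                                       "message": "You do not have permission to perform this operation."}}
        user_id = re.search(r"users\('([^']+)'\)", body["user@odata.bind"]).group(1)
        member = {"@odata.type": MEMBER_TYPE, "roles": body["roles"], "userId": user_id}
        team["members"].append(member)
        return 201, {}, member


def add_owner_status(client: TeamsClient, name: str, created: str, owner_id: str) -> int:
    """The question's order: add the owner while the team is still in migration mode."""
    team_id = client.create_team(name, migration_created=created)
    try:
        client.add_owner(team_id, owner_id)
        return 201
    except GraphError as e:
        return e.status


def restore_team_with_owner(client: TeamsClient, name: str, created: str, owner_id: str):
    """Working order: create in migration mode, complete migration, then add the owner."""
    team_id = client.create_team(name, migration_created=created)
    client.complete_migration(team_id)
    return team_id, client.add_owner(team_id, owner_id)


if __name__ == "__main__":
    client = TeamsClient("constructed-token", FakeGraph())
    print("during migration:", add_owner_status(client, "restore", "2022-02-21T16:35:36.032Z", "user-1"))
    print("after completeMigration:", restore_team_with_owner(client, "restore", "2022-02-21T16:35:36.032Z", "user-1"))
```

To run against the real service, replace `FakeGraph` with a transport that issues the request over HTTPS and returns the status, headers and parsed JSON; the client logic and the ordering of calls stay the same.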