Requesting TeamsAppInstallation.ReadWriteForTeam.All permission via Adminconsent v2 flow

Jaakko Sirén 0 Reputation points
2025-06-19T10:46:02.75+00:00

When trying the https://graph.microsoft.com/TeamsAppInstallation.ReadWriteForTeam.All application permission via the Adminconsent v2 flow, I'm getting this issue:

AADSTS650053: The application 'APP NAME' asked for scope 'TeamsAppInstallation.ReadWriteForTeam.All' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.

The resource is the ID of Microsoft Graph and the permission is listed as "https://graph.microsoft.com/TeamsAppInstallation.ReadWriteForTeam.All" on Azure (AAD Registered Apps page).

Granting this permission works via Adminconsent flow v1, but I'm trying to ask for only some scopes via the flow, which is not possible via the v1 version.

The same issue seems to affect https://graph.microsoft.com/Calendars.ReadBasic.All as well.

This seems to be a bug in the authentication flow.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Deepanshu katara 17,025 Reputation points MVP Moderator
    2025-06-23T09:49:16.36+00:00

    Hello, welcome to MS Q&A.

    The error AADSTS650053 occurs because application permissions like TeamsAppInstallation.ReadWriteForTeam.All and Calendars.ReadBasic.All do not support dynamic consent using the scope parameter in the v2.0 /adminconsent flow.

    Application permissions must be pre-configured in the app registration and consented together by a tenant admin — they cannot be requested individually via scope.

    Correct way of use:

    Do NOT USE:

    &scope=https://graph.microsoft.com/TeamsAppInstallation.ReadWriteForTeam.All

    This treats the scope as delegated, which is not valid for application permissions.

    Microsoft Documentation

    Please let us know if you have further questions.

    Thanks
    Deepanshu


  2. Akpesiri Ogbebor 2,530 Reputation points
    2025-06-23T10:09:24.7233333+00:00

    Hello @Khaled Goweily,

    Thank you for reaching out to MS Q&A. I'm here to assist you with your concerns.

    The Admin Consent v2.0 flow does not allow for requesting application permissions (.default or static roles) through the scope parameter, unlike delegated permissions. Instead, it necessitates using scope=/.default, and all requested application permissions must have been pre-consented in Azure.

    When you access: https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent?client_id=...&scope=https://graph.microsoft.com/TeamsAppInstallation.ReadWriteForTeam.All&redirect_uri=...

    You are attempting to treat TeamsAppInstallation.ReadWriteForTeam.All as a delegated scope, whereas it is actually an application permission. The scope parameter in the v2 flow becomes invalid for application roles unless you use scope=/.default.

    This leads to: AADSTS650053: The application 'APP NAME' requested the scope 'TeamsAppInstallation.ReadWriteForTeam.All', which does not exist on the resource '00000003-0000-0000-c000-000000000000'.

    This is due to the fact that it does not accept application permissions in that format.

    To utilize Admin consent v2 for application permissions:

    Employ the scope=/.default parameter.

    Ensure that the application permissions are already set up in your app's API permissions list in AAD.

    Use the adminconsent endpoint in the following format: https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent?client_id={app-id}&scope=/.default&redirect_uri={redirect-uri}

    This will grant all application permissions assigned to the app and listed in the manifest.

    Docs

    https://learn.microsoft.com/en-us/entra/identity-platform/v2-admin-consent

    https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview

    https://learn.microsoft.com/en-us/answers/questions/431784/how-to-grant-application-permissions-with-dynamic

    Please remember to "Accept Answer" if the answer helped you. This will help us and others in the community researching similar questions.

    Siri

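The check both answers describe, as an added example that is not part of the original thread or any Microsoft code: it flags application permissions named individually in the `scope` of a v2.0 `/adminconsent` URL and rewrites the request to one `.default` scope per resource. The function names, the `APP_PERMISSIONS` set and the sample tenant, client ID and redirect URI are constructed placeholders, and writing `.default` in resource-qualified form (`https://graph.microsoft.com/.default`) is an assumption about the form intended by `/.default` in the answers.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Application permissions named in this thread (assumption: extend this set
# from the app registration's API permissions list).
APP_PERMISSIONS = {
    "TeamsAppInstallation.ReadWriteForTeam.All",
    "Calendars.ReadBasic.All",
}

def scopes_of(url):
    """Return the (resource, permission) pairs in the URL's scope parameter."""
    values = parse_qs(urlsplit(url).query).get("scope", [])
    pairs = []
    for scope in " ".join(values).split():
        resource, _, name = scope.rpartition("/")
        pairs.append((resource, name))
    return pairs

def lint_adminconsent_url(url):
    """List findings that would lead to AADSTS650053 as described above."""
    findings = []
    if not urlsplit(url).path.endswith("/v2.0/adminconsent"):
        findings.append("not a v2.0 adminconsent URL")
    for _, name in scopes_of(url):
        if name in APP_PERMISSIONS:
            findings.append(f"application permission in scope: {name}")
    return findings

def use_default_scope(url):
    """Replace per-permission scopes with '<resource>/.default' per resource."""
    resources = []
    for resource, _ in scopes_of(url):
        if resource not in resources:  # keep order, drop duplicates
            resources.append(resource)
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    query["scope"] = [" ".join(f"{r}/.default" for r in resources)]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))

# Constructed sample: the request shape from the question, placeholder IDs.
SAMPLE = (
    "https://login.microsoftonline.com/contoso.example/v2.0/adminconsent"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&scope=https://graph.microsoft.com/TeamsAppInstallation.ReadWriteForTeam.All"
    "&redirect_uri=https://app.example/consent"
)
```

With `.default`, consent covers every application permission configured on the registration, so trimming the request means trimming that configured list rather than the `scope` value.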
