How to subscribe to teams presence webhook from daemon app?

Simone Gaiarin 6 Reputation points
2021-03-08T08:52:01.79+00:00

Starting from the Java webhook example application I tried to subscribe to the web hook for the Teams Presence. I would like to obtain the presence in an application where the user does not logs in, but I can see here that the Application permissions are not supported for the Presence API. This means that the only way (I could figure out) to login without the user intervention, is to create a cloud user in active directory and use the UsernamePasswordProvider authenticator provider (see here).

When I execute the subscription request with the following piece of code

         private final List<String> scopes = Arrays.asList("https://graph.microsoft.com/.default");  

         final UsernamePasswordProvider authProvider = new UsernamePasswordProvider(this.clientId, this.scopes,  
             this.username, this.password, NationalCloud.Global, this.tenantId, this.clientSecret);  
      
        final IGraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider(authProvider).buildClient();  
        graphClient.setServiceRoot("https://graph.microsoft.com/beta");  
        Subscription subscription = new Subscription();  
        subscription.changeType = this.changeType;  
        subscription.notificationUrl = this.publicUrl + "/notification";  
        subscription.resource = this.resource;  
        subscription.expirationDateTime = Calendar.getInstance();  
        subscription.clientState = "secretClientValue";  
  
        subscription.expirationDateTime.add(Calendar.HOUR, 1);  
  
        if (this.resource.startsWith("teams")) {  
            subscription.additionalDataManager().put("includeResourceData", new JsonPrimitive(true));  
            subscription.additionalDataManager().put("encryptionCertificate",  
                    new JsonPrimitive(GetBase64EncodedCertificate()));  
            subscription.additionalDataManager().put("encryptionCertificateId", new JsonPrimitive(this.alias));  
            LOGGER.warn("encoded cert");  
            LOGGER.info(GetBase64EncodedCertificate());  
        }  
  
        subscription = graphClient.subscriptions().buildRequest().post(subscription);  

I obtain the following error

[Status Code: Forbidden; Reason: The request is not authorized for this user or application.]  

I also granted the Presence.Read and Presence.Read.All delegated permissions to the app.

My questions are:

  • is this the correct approach to subscribe to the presence notification in this scenario?
  • Why is the request unauthorized, am I missing to grant some permissions somewhere?
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,318 questions
Microsoft Teams Development
Microsoft Teams Development
Microsoft Teams: A Microsoft customizable chat-based workspace.Development: The process of researching, productizing, and refining new or existing technologies.
3,032 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Simone Gaiarin 6 Reputation points
    2021-03-09T14:25:40.997+00:00

    Granting the permissions with Grant admin permission solved the issue and it is now possible to subscribe to the presence webhook. From what I understand, granting the permissions as admin allows avoiding the display of the page where the single user is required to grant the permissions, which cannot work for a daemon app.

    I am still wondering if this is the correct authentication approach or if there is a better alternative.

    1 person found this answer helpful.

  2. Alex Grönholm (Haltian/EB) 1 Reputation point
    2021-04-16T08:38:16.867+00:00

    I'm also in the need of this functionality from a daemon service. If admin permissions are granted, does it mean the app can access the presence API on behalf of that admin user? Asking since that is what "delegated" permissions are, right?

    0 comments No comments