Microsoft Teams Development

Question

Microsoft Teams Development

Ian Cooke 20

Hello,

Our Azure application is configured with the following Microsoft Graph application permissions:

Chat.Read.All
Chat.ReadWrite.All

Admin consent has already been granted for these permissions.

The app runs as a backend service using application permissions. When calling:

GET https://graph.microsoft.com/v1.0/chats/{chat-id}/messages

we receive the following response:

403 Forbidden – InsufficientPrivileges

According to Microsoft documentation, Teams chat APIs accessed via application permissions are classified as Protected APIs and require explicit Microsoft approval.

Could someone please confirm the process to request Protected API access for this application, or advise on how to escalate this request to the Teams Graph approval team?

Any guidance would be greatly appreciated.

Thank you!

Rukmini 30,865 Reputation points Microsoft External Staff Moderator

2026-02-20T10:04:47.52+00:00

Hello Ian Cooke,

Can you please share the screenshot of API permissions granted to the Microsoft Entra ID application?
Ian Cooke 20 Reputation points

2026-02-20T10:17:07.95+00:00

Hello, below is the screenshot.
Rukmini 30,865 Reputation points Microsoft External Staff Moderator

2026-02-20T10:22:04.9066667+00:00

Hello Ian Cooke,

Lets continue over private messages!
Ian Cooke 20 Reputation points

2026-02-20T10:42:08.8166667+00:00

Hi Rukmini,

How would you like to do this? Over email?
Rukmini 30,865 Reputation points Microsoft External Staff Moderator

2026-02-20T10:43:37.5666667+00:00

Hello Ian Cooke,

Lets continue over private messages!, Please check private messages tab
Ian Cooke 20 Reputation points

2026-02-20T10:43:38.86+00:00

Hi Rukmini,

My email is PII, can you send it all there?
Rukmini 30,865 Reputation points Microsoft External Staff Moderator

2026-02-20T10:45:07.5566667+00:00

Ian Cooke, Can I schedule a meeting over teams now?
Ian Cooke 20 Reputation points

2026-02-20T11:39:17.1533333+00:00

Im free now

Answer accepted by question author

1 additional answer

Your answer

Rukmini 30,865 Reputation points Microsoft External Staff Moderator

2026-02-20T10:04:47.52+00:00

Hello Ian Cooke,

Can you please share the screenshot of API permissions granted to the Microsoft Entra ID application?
Ian Cooke 20 Reputation points

2026-02-20T10:17:07.95+00:00

Hello, below is the screenshot.
Rukmini 30,865 Reputation points Microsoft External Staff Moderator

2026-02-20T10:22:04.9066667+00:00

Hello Ian Cooke,

Lets continue over private messages!
Ian Cooke 20 Reputation points

2026-02-20T10:42:08.8166667+00:00

Hi Rukmini,

How would you like to do this? Over email?
Rukmini 30,865 Reputation points Microsoft External Staff Moderator

2026-02-20T10:43:37.5666667+00:00

Hello Ian Cooke,

Lets continue over private messages!, Please check private messages tab
Ian Cooke 20 Reputation points

2026-02-20T10:43:38.86+00:00

Hi Rukmini,

My email is PII, can you send it all there?
Rukmini 30,865 Reputation points Microsoft External Staff Moderator

2026-02-20T10:45:07.5566667+00:00

Ian Cooke, Can I schedule a meeting over teams now?
Ian Cooke 20 Reputation points

2026-02-20T11:39:17.1533333+00:00

Im free now

Answer 1

Hello Ian Cooke,

As discussed offline, Reading 1:1 chat messages within your tenant now works with application permissions (Chat.ReadWrite.All), as you confirmed.

For sending messages, you have implemented delegated auth using the OAuth Authorization Code flow where each user signs in once, store their tokens, and messages send as the user.

Regarding the group chat that was originally failing with 403 AclCheckFailed this was a cross-tenant chat. The participants include members from both tenants. As Application permissions are scoped to the app's home tenant, so accessing chats with external tenant participants is not possible.

Granted Chat.ReadWrite.All Application type API permission to the Microsoft Entra ID application:

User's image

Generated access token using client credential flow:

User's image

Make sure to generate the scope as https://graph.microsoft.com/.default

Using the above token, I am able to successfully call the API:

GET https://graph.microsoft.com/v1.0/chats/ChatID/messages

User's image

Answer 2

Ian Cooke 20

Unfortunately, I can’t see a way to make this work externally. It functions well within our own tenant, and we’ll continue building out the rest of the system internally — calendar, mail, and the broader integrations all look fine.

However, group chat with users outside our tenant doesn’t appear to be viable, so we’ll treat that as a closed route for now. Not ideal, but not a major issue either.

Share via

Microsoft Teams Development

1 additional answer

Your answer