question

Carlos-7980 asked Carlos-7980 answered

MS GRAPH API - CREATE SUBSCRIPTIONS - 403 ERROR - Caller does not have access to resource

Background:
Hi, I'm trying to use the MS Graph API with ROPC authentication (other auth methods were not working since I need a non-interactive login for delegated permissions) to facilitate sending channel messages back and forth from specific Teams channels and my chat application. This process is working on loading/sending messages but to get real time updates it looks like I need to be able to subscribe to a resource (outgoing webhooks require mentions and this isn't what I want, though I can set it up and it works).

Issue:
To subscribe to a resource (ms teams channel) I'm using the code below:

   const token = VALID_TOKEN_HERE // from ROPC auth flow
   const url = `https://graph.microsoft.com/beta/subscriptions`
   const subscription = {
     changeType: 'created,updated',
     notificationUrl: `${MY_ENDPOINT}/api/teams/events`,
     resource: `teams/${MY_TENANT_ID}/channels/${MY_CHANNEL_ID}/messages`,
     expirationDateTime: moment().add(1, 'hours'),
     includeResourceData: false,
   }
   const config = {
     headers: {
       Authorization: `Bearer ${token}`
     }
   }
    
   const response = await axios.post(url, subscription, config).catch(e => console.log(e) )

My notificationUrl is set up like below.

     router.post('/teams/events', async (req, res) => {
         if (req.query.validationToken) {
           res.set('Content-Type', 'text/plain');
           return res.status(200).send(req.query.validationToken);
         }
    
     // code that does things with notification below

Error:
However, the original request to create a subscription fails and I get the following:

'Operation: Create;Exception: [Status Code: Forbidden;Reason: Caller does not have access to '/teams('TEAM_ID_HERE')/channels('CHANNEL_ID_HERE')/messages' resource]'

Other info: It is a standard (not private) channel with my user as a member

I'm requesting these permissions when getting my auth token 'ChannelMessage.Read.All Group.ReadWrite.All Directory.ReadWrite.All ChannelMessage.Send user.read openid profile offline_access'

My API permissions look like this

What am I missing to be able to create a subscription?




Hi @Carlos-7980,

As we are mainly responsible for general questions about Microsoft Teams, your question is more related to Teams development. So I will also remove the teams tag from your thread. Thanks for your understanding!


1 Answer

Carlos-7980 answered

After trying to make it work on the Microsoft Graph Explorer I realized that the resource URL path I was trying to access had the wrong id.

teams/${MY_TENANT_ID}/channels/${MY_CHANNEL_ID}/messages

should have been

teams/${MY_GROUP_ID}/channels/${MY_CHANNEL_ID}/messages

This was the source of the error and changing the id fixed it.
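
A preflight check for the mistake identified in the answer above, as an added example that is not part of the original thread: it decodes (without verifying) the access token's `tid` and `scp` claims and flags a resource path whose team id is the tenant id. The function names, sample IDs and unsigned token are constructed, and it assumes the access token is a JWT that carries those claims.

```javascript
// Added example, not code from the thread. IDs and the token below are constructed.
const GUID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

// Read a JWT's claims WITHOUT verifying the signature (diagnostics only).
// Node's 'base64' decoder also accepts the URL-safe alphabet that JWTs use.
function decodeClaims(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('token is not a three-part JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Returns a list of problems; an empty list means the preflight checks passed.
// requiredScope defaults to a scope from the question's list (assumption: it is
// the one this resource needs for delegated access).
function checkChannelSubscription(resource, token, requiredScope = 'ChannelMessage.Read.All') {
  const m = /^\/?teams\/([^/]+)\/channels\/([^/]+)\/messages$/.exec(resource);
  if (!m) return ['resource is not teams/{team-id}/channels/{channel-id}/messages'];
  const teamId = m[1].toLowerCase();
  const claims = decodeClaims(token);
  const problems = [];
  if (!GUID.test(teamId)) problems.push('team id is not a GUID');
  // The mistake from this thread: the tenant id was used where the team's group id belongs.
  if (claims.tid && teamId === String(claims.tid).toLowerCase()) {
    problems.push('team id equals the token tenant id (tid); use the team group id');
  }
  // Delegated tokens list granted scopes in the space-separated "scp" claim.
  const scopes = String(claims.scp || '').toLowerCase().split(' ').filter(Boolean);
  if (!scopes.includes(requiredScope.toLowerCase())) {
    problems.push(`token scp claim lacks ${requiredScope}`);
  }
  return problems;
}

// Build an unsigned, constructed JWT so the example runs offline.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.constructed`;
}

const TENANT_ID = '11111111-1111-1111-1111-111111111111'; // constructed
const GROUP_ID = '22222222-2222-2222-2222-222222222222';  // constructed
const CHANNEL_ID = '19:constructed@thread.tacv2';         // constructed
const sampleToken = makeSampleToken({ tid: TENANT_ID, scp: 'ChannelMessage.Read.All User.Read' });

console.log(checkChannelSubscription(`teams/${TENANT_ID}/channels/${CHANNEL_ID}/messages`, sampleToken));
console.log(checkChannelSubscription(`teams/${GROUP_ID}/channels/${CHANNEL_ID}/messages`, sampleToken));
```

Running the check before the POST to `/subscriptions` separates a wrong-id mistake from a missing-scope one, both of which otherwise come back as the same 403.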
