Team Access Issue using Microsoft graph API

Question

My usecase is to perform below operations:

 

1. Create chatrooms with mutlipe users (reporter, assignee, default leads — so 4-5 members will be part of that Chatroom)
2. Also, after creating CR - it need to post summary, desc from itrack to Chatroom
3. Towards the close of day > It should consolidate the chat history for the day and post it back to itrack

 

When I run my code > It throws below error:

"Delegated Microsoft Graph sign-in is required for Chatroom Creation. Open https://login.microsoft.com/device and complete the sign-in with code XXXXXXXXXXX"

 

**But when I Open the link and pass the code > below error is displayed "Need Admin Approval to access the app"

Note: I have a registered Azure Entra ID with below API permissions already granted
Chat.Create**

Chat.Read
Chat.ReadWrite
ChatMessage.Send

Answer 1

The error occurs because the app requires delegated Microsoft Graph permissions that only an administrator can consent to, and that consent has not been granted.

Key points from the scenario and context:

1. The Authorization_RequestDenied / "Need admin approval" behavior is caused by insufficient privileges or missing admin consent for the requested delegated permissions.
2. For Microsoft Graph, both of the following must be satisfied:
   • The app registration must have the required delegated permissions (for example, Chat.Create, Chat.Read, Chat.ReadWrite, ChatMessage.Send).
   • An administrator must grant consent for those permissions to the app.

Required actions for the tenant administrator:

1. Sign in to the Azure portal as a Microsoft Entra administrator.
2. Go to Microsoft Entra admin center → Identity → Applications → App registrations → select the app.
3. Under API permissions:
   • Verify that the delegated permissions Chat.Create, Chat.Read, Chat.ReadWrite, and ChatMessage.Send are configured.
   • If any required permission is missing, select Add a permission, choose Microsoft Graph, then add the missing delegated permissions.
4. Still under API permissions, select Grant admin consent for <tenant name> and confirm. This grants tenant-wide admin consent for the delegated permissions.
5. After admin consent is granted, repeat the device-code sign-in flow. The sign-in should now succeed without the "Need Admin Approval" prompt, and the delegated token can be used to create chats and send messages.

If Authorization_RequestDenied or similar errors still appear when calling Graph:

1. Confirm that the signed-in account has the appropriate Microsoft Entra role for the operations being performed (for example, some operations require specific roles as described in Microsoft Graph documentation).
2. Confirm that no new permissions were added after admin consent; if new scopes were added, admin consent must be granted again.

This pattern (missing or unconsented delegated permissions) is the same root cause described in the Authorization_RequestDenied troubleshooting guidance: the app must have the correct Graph permissions and admin consent before the calls will succeed.

---

References:

• Troubleshoot Authorization_RequestDenied error with Microsoft Graph
• Microsoft Graph permissions reference
• Quickstart: Set up and manage access tokens for Teams users (programming-language-javascript)
• Quickstart: Set up and manage access tokens for Teams users (programming-language-java)
• Quickstart: Set up and manage access tokens for Teams users (programming-language-python)
• Teams App / Bot 'Unauthorized' error when responding to an activity - Microsoft Q&A
• Corporate account apps registration error: AADSTS90094 - Microsoft Q&A
• The Graph connector agent has failed to register due to insufficient permissions - Microsoft Q&A
• New-MgDomainFederationConfiguration - Insufficient privileges to complete the operation. - Microsoft Q&A
• Error message: interaction_required: AADSTS5000225: This tenant has been blocked due to inactivity - Microsoft Q&A