question

MihaiNicolae asked Meghana-MSFT answered

Application permission for React TeamsFx Tab App

Hello,

I have a project in which I am developing a Microsoft Teams app in React using TeamsFx and Graph API. The users of the app will be able to edit information of other AD users. Because the users of the app don't have the required permissions, I cannot use delegated permissions, so I have to use application permissions.

I have tried using createMicrosoftGraphClient with TeamsUserCredential but the token is rejected with the error: "The user or administrator has not consented to use the application with ID 'xyz' named 'abc'. Send an interactive authorization request for this user and resource"

I have granted all the API permissions for the app in Azure.

This is how the permission.json file looks:

 [
     {
         "resource": "Microsoft Graph",
         "delegated": [],
         "application": [
             "User.ReadWrite.All",
             "Sites.ReadWrite.All",
             "Domain.ReadWrite.All",
             "Directory.ReadWrite.All",
             "TeamMember.ReadWrite.All",
             "TeamSettings.ReadWrite.All"
         ]
     }
 ]

Does TeamsFx provide a way to get a Graph API authentication token for a Teams tab application that has permissions specified in the permission.json file under application?


office-teams-app-dev microsoft-graph-authentication

We are looking into this, we will update you.

1 Vote 1 ·

Can you please try with delegated permissions once and check again? Also, please share the documentation on using permission.json.

0 Votes 0 ·

Delegated permissions are not an option because of the way delegated permissions work, and I quote from the Microsoft documentation (https://docs.microsoft.com/en-us/graph/auth/auth-concepts):

"For delegated permissions, the effective permissions of your app are the least-privileged intersection of the delegated permissions the app has been granted (by consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user."

The users of the app do not have permissions to modify AD user information; that's why I need to use application permissions.

The permissions.json file is created automatically by the TeamsFx solution scaffolding. I don't understand what you mean by documentation. Maybe you can share an example.

Thanks.

0 Votes 0 ·

1 Answer

Meghana-MSFT answered

We discussed this with the engineering team and got the reply below:

The permission is granted to the application instead of the user, so we should use the application identity, instead of the user, to get the token to call the Graph API. Here is the link on using an application credential: https://github.com/OfficeDev/TeamsFx/tree/main/packages/sdk#invoke-graph-api-without-user-application-identity

One thing to note is that, since we are using an application credential, the token cannot be obtained from the front end. There should be a backend service to store the app credential and use the credential to exchange for a token.

FYI - Could you please post Teams Toolkit or TeamsFx questions on https://github.com/OfficeDev/TeamsFx/issues
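
The backend exchange described in the answer above, as an added example that is not part of the original thread and not TeamsFx's own code: a Node 18+ service does the OAuth 2.0 client-credentials exchange itself and only forwards an allow-listed set of user properties to Graph. The function names, the `cfg` object and the `EDITABLE_FIELDS` allow-list are assumptions for illustration.

```javascript
// Added example, not from the thread. Runs on the backend only: the client
// secret and the app-only token must never be sent to the React tab.
const GRAPH = "https://graph.microsoft.com";
// Hypothetical allow-list: the only user properties the tab may change.
const EDITABLE_FIELDS = new Set(["jobTitle", "department", "mobilePhone"]);

// Build the client-credentials token request for Microsoft Graph.
function buildTokenRequest({ tenantId, clientId, clientSecret }) {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope: `${GRAPH}/.default`, // application permissions use .default
  });
  const tenant = encodeURIComponent(tenantId);
  return {
    url: `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Exchange the app credential for an app-only access token.
async function getAppToken(cfg, fetchImpl = fetch) {
  const { url, init } = buildTokenRequest(cfg);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return (await res.json()).access_token;
}

// Drop every property that is not on the allow-list.
function filterPatch(patch) {
  return Object.fromEntries(
    Object.entries(patch).filter(([key]) => EDITABLE_FIELDS.has(key)));
}

// PATCH /v1.0/users/{id} with the app-only token; returns what was sent.
async function updateUser(cfg, userId, patch, fetchImpl = fetch) {
  const safe = filterPatch(patch);
  if (Object.keys(safe).length === 0) throw new Error("no editable fields");
  const token = await getAppToken(cfg, fetchImpl);
  const url = `${GRAPH}/v1.0/users/${encodeURIComponent(userId)}`;
  const res = await fetchImpl(url, {
    method: "PATCH",
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: JSON.stringify(safe),
  });
  if (!res.ok) throw new Error(`Graph PATCH failed: ${res.status}`);
  return safe;
}
```

Because the app-only token carries tenant-wide rights such as `User.ReadWrite.All`, the endpoint that calls `updateUser` still has to authenticate the signed-in Teams user and decide whether that user may edit the target account; that check is outside this example.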

