Szerkesztés

Megosztás a következőn keresztül:


Resource-specific consent for your Teams app

Resource-specific consent (RSC) is an authorization framework built by Microsoft Teams and Microsoft identity platform that allows for granting scoped access to an app.

Through RSC, an authorized user can give an app access to the data of a specific instance of a resource type. They don't need to give app access to every instance of the resource type in the entire tenant.

For example, a person who owns both team A and team B can decide to give Contoso app access to the data of only team A and not team B. The same concept of scoped data access applies to chats and meetings as well.

Following are the types of RSC permissions:

  1. The resource type on which data access is being granted:

    • Teams (and the channels within those teams)
    • Chats (and meetings associated with those chats)
    • Users
  2. The mode of data access:

    • Application: The app accesses data without the presence of a signed-in user.
    • Delegated: The app only accesses data in the context of a signed-in user's sessions. It doesn't allow access in the absence of a signed-in user.
  Application context RSC permissions Delegated context RSC permissions
Resource type    
Team ✔️ ✔️
Chat or meeting ✔️ ✔️
User ✔️ ✔️

In this section, you'll learn more about:

Types of RSC permissions

Use RSC permissions to determine the data access methods for your app. A user's ability to grant RSC permissions varies based on resource types and access modes. The following are the types of RSC permissions for an app based on access mode:

  • Application context RSC permissions (application permission): Allows an app to access data without the user being signed in. Only resource owners can grant application RSC permissions.

  • Delegated context RSC permissions (delegated permission): Allows an app to access data only on behalf of a signed-in user. No access is allowed in the absence of a signed-in user. Only authorized users can install an app in a specific scope. They can also grant any delegated RSC permissions that the app requests in that specific scope at app installation. For example, if regular members have the permission to install an app inside a team, then they can also grant delegated RSC permission to the app in that specific team.

Basic RSC Permissions

A limited set of RSC permissions have been reviewed by Microsoft privacy and security teams and have been deemed low risk. These permissions can be consented to at all times by any user when they install and use an app. The following low-risk basic permissions are always consented to upon installation.

Permission name Action Type: Delegated Type: Application
TeamsActivity.Send.Group Send activity feed notifications to users in this team. NA Supported
TeamsActivity.Send.User Send activity feed notifications to the user. NA Supported

RSC-based data access APIs

Microsoft Graph SDK, Microsoft Bot Framework SDK, and Microsoft TeamsJS client library support fine-grained data access through RSC. The supported modes and resource types vary across the API surfaces.

RSC mode Supported SDKs App manifest version Resource types RSC-related controls for the entire tenant Who can consent to RSC permissions?
Application • Microsoft Graph
• Microsoft Bot Framework
>=v1.6 Teams, chats, and meetings • Microsoft Graph-based controls for chats and meetings
• Microsoft Entra admin center-based controls for Teams
• Team: A team owner or member
• Chat: A chat member
• Meeting: A meeting organizer or presenter
Delegated Microsoft Teams Client >=v1.12 Teams, chats, meetings, and users Always on Any user authorized to install an app in the specific scope.

Note

The TeamsActivity.Send RSC application permission is always enabled at the tenant level. App users don't need admin consent to use the permission.

Supported RSC permissions

The following list provides all the RSC permissions categorized based on resource type. Each table also states which data access modes are available for each permission.

Note

The features associated with some permissions listed here might not be generally available (GA).

RSC permissions for a team

The following table provides RSC application permissions for a team and their applicable data access mode:

Permission name Action Type: Delegated Type: Application
Channel.Create.Group Create channels in the team. NA Supported
Channel.Delete.Group Delete this team's channels. NA Supported
ChannelMeeting.ReadBasic.Group Read the basic properties of the channel meetings in this team. NA Supported
ChannelMeetingParticipant.Read.Group Read the participant information including name, role, ID, join and left time of channel meetings associated with this team. NA Supported
ChannelMeetingRecording.Read.Group Read the recordings of all channel meetings associated with this team. NA Supported
ChannelMeetingTranscript.Read.Group Read the transcripts of all channel meetings associated with this team. NA Supported
ChannelMeetingNotification.Send.Group Send notifications in all the channel meetings associated with this team. NA Supported
ChannelMessage.Read.Group Read this team's channel messages. NA Supported
ChannelSettings.Read.Group Read the names, descriptions, and settings of this team's channels​. NA Supported
ChannelSettings.ReadWrite.Group Update the names, descriptions, and settings of this team's channels.​ NA Supported
TeamsActivity.Send.Group Send activity feed notifications to users in this team. NA Supported
TeamsAppInstallation.Read.Group Read the apps that are installed in this team. NA Supported
TeamMember.Read.Group Read this team's members. NA Supported
TeamSettings.Read.Group Read this team's settings. NA Supported
TeamSettings.ReadWrite.Group Read and write this team's settings. NA Supported
TeamsTab.Create.Group Create tabs in this team. NA Supported
TeamsTab.Delete.Group Delete this team's tabs. NA Supported
TeamsTab.Read.Group Read this team's tabs. NA Supported
TeamsTab.ReadWrite.Group Manage this team's tabs. NA Supported
ChannelMeetingActiveSpeaker.Read.Group Reading the participants who are sending audio into the channel meetings associated with this team. Supported NA
ChannelMeetingAudioVideo.Stream.Group Stream audio-video content of channel meetings associated with this team. Supported NA
ChannelMeetingIncomingAudio.Detect.Group Detect incoming audio in channel meetings associated with this team. Supported NA
ChannelMeetingStage.Write.Group Show content on the meeting stage of channel meetings associated with this team. Supported NA
InAppPurchase.Allow.Group Show and complete in-app purchases for users in this team. Supported NA
LiveShareSession.ReadWrite.Group Allows the app to create and synchronize Live Share sessions for the team and get access related information, such as name and role, about the team's roster and any associated meetings.  Supported NA
MeetingParticipantReaction.Read.Group Read reactions of participants in channel meetings associated with this team. Supported NA

For more information, see team resource-specific consent permissions.

RSC permissions for a chat or meeting

Note

The RSC permissions for chat in personal scope is limited to ChatMessageReadReceipt.Read.Chat.

If a chat has a meeting or a call associated with it, then the relevant RSC permissions apply to those resources as well.

The following table provides RSC permissions for a chat or meeting and their applicable data access mode:

Permission name Action Type: Delegated Type: Application
Calls.AccessMedia.Chat Access media streams in calls associated with this chat or meeting. NA Supported
Calls.JoinGroupCalls.Chat Join calls associated with this chat or meeting. NA Supported
ChatSettings.Read.Chat Read this chat's settings. NA Supported
ChatSettings.ReadWrite.Chat Read and write this chat's settings. NA Supported
ChatMessage.Read.Chat Read this chat's messages. NA Supported
ChatMessageReadReceipt.Read.Chat Read the ID of the last seen message in this chat. NA Supported
ChatMember.Read.Chat Read this chat's members. NA Supported
Chat.Manage.Chat Manage this chat. NA Supported
TeamsTab.Read.Chat Read this chat's tabs. NA Supported
TeamsTab.Create.Chat Create tabs in this chat. NA Supported
TeamsTab.Delete.Chat Delete this chat's tabs. NA Supported
TeamsTab.ReadWrite.Chat Manage this chat's tabs. NA Supported
TeamsAppInstallation.Read.Chat Read the apps that are installed in the chat. NA Supported
TeamsActivity.Send.Chat Send activity feed notifications to users in this chat. NA Supported
OnlineMeetingTranscript.Read.Chat Read the transcripts of the meeting associated with this chat. NA Supported
OnlineMeeting.ReadBasic.Chat Read basic properties of meetings associated with this chat, such as name, schedule, organizer, join link, and start or end notifications. NA Supported
OnlineMeetingRecording.Read.Chat Read the recordings of the meetings associated with this chat. NA Supported
OnlineMeetingNotification.Send.Chat Send notifications in the meetings associated with this chat. NA Supported
InAppPurchase.Allow.Chat Show and complete in-app purchases for users in this chat and any associated meetings. Supported NA
LiveShareSession.ReadWrite.Chat Allows the app to create and synchronize Live Share sessions for the chat and get access related information, such as name and role, about the chat's roster and any associated meetings. Supported NA
MeetingStage.Write.Chat Show content on the meeting stage of meetings associated with this chat. Supported NA
MeetingParticipantReaction.Read.Chat Read the reactions of participants in meetings associated with this chat. Supported NA
OnlineMeetingIncomingAudio.Detect.Chat Detect incoming audio in meetings associated with this chat. Supported NA
OnlineMeetingActiveSpeaker.Read.Chat Read the participants who are sending audio into the meetings associated with this chat. Supported NA
OnlineMeetingAudioVideo.Stream.Chat Stream audio-video content of meetings associated with this chat. Supported NA
OnlineMeetingParticipant.Read.Chat Read participant information, including name, role, ID, joined and left times, of meetings associated with this chat. Supported Supported
OnlineMeetingParticipant.ToggleIncomingAudio.Chat Toggle incoming audio for participants in meetings associated with this chat. Supported NA

For more information, see chat resource-specific consent permissions.

Tip

RSC permissions are available only to Teams apps installed on the Teams client and not part of the Microsoft Entra admin center. If you want to know the RSC permissions associated with an app, see app installation or app information dialog within Teams client.

RSC permissions for user access

The following table provides RSC permissions for a user and their applicable data access mode:

Permission name Action Type: Delegated Type: Application
CameraStream.Read.User Read the user's camera stream. Supported NA
InAppPurchase.Allow.User Show and complete in-app purchases. Supported NA
MicrophoneStream.Read.User Read the user's microphone stream. Supported NA
MeetingParticipantReaction.Read.User Read the user's reactions while participating in a meeting. Supported NA
OutgoingVideoStream.Write.User Modify the user's outgoing video. Supported NA
TeamsActivity.Send.User Send activity notifications to the user. NA Supported
TeamsAppInstallation.Read.User Read the apps that are installed in the user's personal scope. NA Supported

Next step

See also