Test RSC Permissions Using Postman - Teams

Чланак
14.11.2023.

Resource-specific consent (RSC) is an authorization framework built by Microsoft Teams and Microsoft identity that allows for granting scoped access to an application.

Through RSC, an authorized user can give an application access to the data of a specific instance of a resource type instead of every instance in the entire tenant. For example, a person who owns both team A and team B can decide to give the data for the Contoso app to only team A and not team B. The same concept of scoped data access applies to chats and meetings. For more information, see Resource-specific consent (RSC).

Prerequisites

Ensure that you verify the following app manifest changes for resource-specific consent before testing:

RSC permissions for app manifest version 1.12 and later

Add a webApplicationInfo key to your app manifest with the following values:

Name	Type	Description
`id`	String	Your Microsoft Entra app ID. For more information, see register your app in the Microsoft Entra admin center.
`resource`	String	This field has no operation in RSC, but must be added and have a value to avoid an error response; any string will do.

Specify permissions needed by the app.

Name	Type	Description
`authorization`	Object	List of permissions that the app needs to function. For more information, see authorization.

Example for RSC in a team

JSON

"webApplicationInfo": {
    "id": "XXxxXXXXX-XxXX-xXXX-XXxx-XXXXXXXxxxXX",
    "resource": "https://RscBasedStoreApp"
    },
"authorization": {
    "permissions": {
        "resourceSpecific": [
            {
                "name": "TeamSettings.Read.Group",
                "type": "Application"
            },
            {
                "name": "TeamSettings.ReadWrite.Group",
                "type": "Application"
            },
            {
                "name": "ChannelSettings.Read.Group",
                "type": "Application"
            },
            {
                "name": "ChannelSettings.ReadWrite.Group",
                "type": "Application"
            },
            {
                "name": "Channel.Create.Group",
                "type": "Application"
            },
            {
                "name": "Channel.Delete.Group",
                "type": "Application"
            },
            {
                "name": "ChannelMessage.Read.Group",
                "type": "Application"
            },
            {
                "name": "ChannelMeeting.ReadBasic.Group",
                "type": "Application"
            },
            {
                "name": "TeamsAppInstallation.Read.Group",
                "type": "Application"
            },
            {
                "name": "TeamsTab.Read.Group",
                "type": "Application"
            },
            {
                "name": "TeamsTab.Create.Group",
                "type": "Application"
            },
            {
                "name": "TeamsTab.ReadWrite.Group",
                "type": "Application"
            },
            {
                "name": "TeamsTab.Delete.Group",
                "type": "Application"
            },
            {
                "name": "TeamMember.Read.Group",
                "type": "Application"
            },
            {
                "name": "TeamsActivity.Send.Group",
                "type": "Application"
            }
        ]    
    }
}

Example for RSC in a chat

JSON

"webApplicationInfo": {
    "id": "XXxxXXXXX-XxXX-xXXX-XXxx-XXXXXXXxxxXX",
    "resource": "https://RscBasedStoreApp"
    },
"authorization": {
    "permissions": {
        "resourceSpecific": [
            {
                "name": "ChatSettings.Read.Chat",
                "type": "Application"
            },
            {
                "name": "ChatSettings.ReadWrite.Chat",
                "type": "Application"
            },
            {
                "name": "ChatMessage.Read.Chat",
                "type": "Application"
            },
            {
                "name": "ChatMember.Read.Chat",
                "type": "Application"
            },
            {
                "name": "Chat.Manage.Chat",
                "type": "Application"
            },
            {
                "name": "TeamsTab.Read.Chat",
                "type": "Application"
            },
            {
                "name": "TeamsTab.Create.Chat",
                "type": "Application"
            },
            {
                "name": "TeamsTab.Delete.Chat",
                "type": "Application"
            },
            {
                "name": "TeamsTab.ReadWrite.Chat",
                "type": "Application"
            },
            {
                "name": "TeamsAppInstallation.Read.Chat",
                "type": "Application"
            },
            {
                "name": "OnlineMeeting.ReadBasic.Chat",
                "type": "Application"
            },
            {
                "name": "Calls.AccessMedia.Chat",
                "type": "Application"
            },
            {
                "name": "Calls.JoinGroupCalls.Chat",
                "type": "Application"
            },
            {
                "name": "TeamsActivity.Send.Chat",
                "type": "Application"
            }
        ]    
    }
}

Напомена

If the app is meant to support installation in both team and chat scopes, then both team and chat permissions can be specified in the same manifest under authorization.

RSC permissions for app manifest version 1.11 and earlier

Add a webApplicationInfo key to your app manifest with the following values:

Name	Type	Description
`id`	String	Your Microsoft Entra app ID. For more information, see register your app in the Microsoft Entra admin center.
`resource`	String	This field has no operation in RSC, but must be added and have a value to avoid an error response; any string will do.
`applicationPermissions`	Array of strings	RSC permissions for your app. For more information, see Supported RSC permissions.

Example for RSC in a team

JSON

"webApplicationInfo": {
    "id": "XXxxXXXXX-XxXX-xXXX-XXxx-XXXXXXXxxxXX",
    "resource": "https://RscBasedStoreApp",
    "applicationPermissions": [
        "TeamSettings.Read.Group",
        "TeamSettings.ReadWrite.Group",
        "ChannelSettings.Read.Group",
        "ChannelSettings.ReadWrite.Group",
        "Channel.Create.Group",
        "Channel.Delete.Group",
        "ChannelMessage.Read.Group",
        "ChannelMeeting.ReadBasic.Group",
        "TeamsAppInstallation.Read.Group",
        "TeamsTab.Read.Group",
        "TeamsTab.Create.Group",
        "TeamsTab.ReadWrite.Group",
        "TeamsTab.Delete.Group",
        "TeamMember.Read.Group",
        "TeamsActivity.Send.Group"
    ]
  }

Example for RSC in a chat

JSON

"webApplicationInfo": {
    "id": "XXxxXXXXX-XxXX-xXXX-XXxx-XXXXXXXxxxXX",
    "resource": "https://RscBasedStoreApp",
    "applicationPermissions": [
        "ChatSettings.Read.Chat",
        "ChatSettings.ReadWrite.Chat",
        "ChatMessage.Read.Chat",
        "ChatMember.Read.Chat",
        "Chat.Manage.Chat",
        "TeamsTab.Read.Chat",
        "TeamsTab.Create.Chat",
        "TeamsTab.Delete.Chat",
        "TeamsTab.ReadWrite.Chat",
        "TeamsAppInstallation.Read.Chat",
        "OnlineMeeting.ReadBasic.Chat",
        "Calls.AccessMedia.Chat",
        "Calls.JoinGroupCalls.Chat",
        "TeamsActivity.Send.Chat"
    ]
  }

Напомена

If the app is meant to support installation in both team and chat scopes, then both team and chat permissions can be specified in the same manifest under applicationPermissions.

Важно

In your app manifest, only include the RSC permissions that you want your app to have.

Напомена

If the app is meant to access calling or media APIs, then the webApplicationInfo.Id should be the Microsoft Entra app ID of an Azure Bot Service.

Test added RSC permissions to a team using the Postman app

To check whether the RSC permissions are being honored by the API request payload, you need to copy the RSC JSON test code for team into your local environment and update the following values:

azureADAppId: Your app's Microsoft Entra app ID.
azureADAppSecret: Your Microsoft Entra app password.
token_scope: The scope is required to get a token. Set the value to https://graph.microsoft.com/.default.
teamGroupId: You can get the team group ID from the Teams client as follows:
1. In the Teams client, select Teams from the far left navigation bar.
2. Select the team where the app is installed from the dropdown menu.
3. Select the More options icon (⋯).
4. Select Get link to team.
5. Copy and save the groupId value from the string.

Test added RSC permissions to a chat using the Postman app

To check whether the RSC permissions are being honored by the API request payload, you need to copy the RSC JSON test code for chats into your local environment and update the following values:

azureADAppId: Your app's Microsoft Entra app ID.
azureADAppSecret: Your Microsoft Entra app password.
token_scope: The scope is required to get a token. Set the value to https://graph.microsoft.com/.default.
tenantId: The name or the Microsoft Entra Object ID of your tenant.
chatId: You can get the chat thread ID from the Teams web client as follows:
1. In the Teams web client, select Chat from the far left navigation bar.
2. Select the chat where the app is installed from the dropdown menu.
3. Copy the web URL and save the chat thread ID from the string.

Use Postman

Open the Postman app.
Select File > Import > Import file to upload the updated JSON file from your environment.
Select the Collections tab.
Select the chevron > next to the Test RSC to expand the details view and see the API requests.

Execute the entire permissions collection for each API call. The permissions that you specified in your app manifest must succeed, while those not specified must fail with an HTTP 403 status code. Check all of the response status codes to confirm that the behavior of the RSC permissions in your app meets expectations.

Напомена

To test specific DELETE and READ API calls, add those instance scenarios to the JSON file.

Test revoked RSC permissions using Postman

Uninstall the app from the specific resource.
Follow the steps for either chat or team:
1. Test added RSC permissions to a team using Postman.
2. Test added RSC permissions to a chat using Postman.
Check all the response status codes to confirm that the specific API calls have failed with an HTTP 403 status code.

Додатни ресурси

Документација

Know about Developer Portal for Teams - Teams

Learn how to create a brand new app, import an existing or published app in Developer Portal, and changelog for Developer Portal.
App Manifest Reference - Teams

In this article, you'll have the latest version of the public manifest schema for Microsoft Teams reference, schema, and sample full manifest.
Test Resource-specific Consent for Chat - Teams

Learn how to test resource-specific consent (RSC) for a chat in Microsoft Teams using Postman collection with a sample JSON file.
Resource-specific Consent for Apps - Teams

Learn about resource-specific consent (RSC) permissions, types of RSC and supported RSC permissions, and how to grant RSC permissions to an app.
Microsoft Teams Developer Documentation - Teams

Learn about Microsoft Teams developer documentation, how to build apps for Teams, and create collaborative workspaces for effective communication.
Manage Teams app permissions - Teams

Learn how Teams apps are managed in Microsoft Entra ID and resource-specific consent (RSC) based on the feature and capability wise management.
Manage Apps with Developer Portal - Teams

Learn how to configure, develop, publish, manage, validate against Microsoft's test cases, and publish your apps using the Developer Portal for Teams.
Microsoft Teams Developer Documentation - Teams

Microsoft Teams platform makes it easy for developers to build apps on Teams. Developers can integrate their own apps and services to improve productivity.

Обука

Модул

Retrieve Microsoft 365 data for Microsoft Teams apps using Microsoft Graph - Training

Learn how to authenticate users with Microsoft identity platform, configure permissions, and retrieve user data for your Microsoft Teams app using the Microsoft Graph API.

Цертификација

Microsoft 365 Certified: Teams Administrator Associate - Certifications

Demonstrate skills to plan, deploy, configure, and manage Microsoft Teams to focus on efficient and effective collaboration and communication in a Microsoft 365 environment.

Делите путем

Prerequisites

Test added RSC permissions to a team using the Postman app

Test added RSC permissions to a chat using the Postman app

Use Postman

Test revoked RSC permissions using Postman

See also

Додатни ресурси

Делите путем

Test resource-specific consent permissions in Teams

Prerequisites

Test added RSC permissions to a team using the Postman app

Test added RSC permissions to a chat using the Postman app

Use Postman

Test revoked RSC permissions using Postman

See also

Додатни ресурси