Tags: authentication, azure-active-directory, microsoft-graph-api, documentation, http-status-code-403

Microsoft Flow: ForbiddenError 403 when trying to create a private channel in MS Teams


I am trying to make an HTTP request into MS Teams in order to create a private channel, as in the following example: https://learn.microsoft.com/en-us/graph/api/channel-post?view=graph-rest-1.0&tabs=http

In order to authenticate it, the HTTP request, with the "Active Directory OAuth" option, needs some info: 1) Client ID, 2) Tenant ID, 3) Audience and 4) Credential Type. Therefore, I registered an app on the Azure App Registration page, where I have all this info, and created a secret to provide it. In addition I gave permissions. My task is to create/delete private channels and add/drop members. Why is there a 403 status code error called "Forbidden"?

Also, in a lot of docs a token is mentioned, but I do not know how to create and use it, as there is also no accurate, step-by-step example for all this authentication/authorization/permissions.

Can someone provide that? Or explain why that error is there, as the info on microsoft.docs is inefficient?

https://learn.microsoft.com/en-us/graph/resolve-auth-errors

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow


Solution

  • The 403 error indicates that your token lacks the permission to call the API. Each API document clearly explains what permissions are required to call the API. Take Create channel as an example: it lists the permissions you need to call the API. These permissions are arranged from small to large, and you only need to select one of them. Then you need to add the permission to your application, and then grant administrator consent for the permission.

    Go to Azure portal > Azure AD > App registrations > your app > API permissions.


    What you need to note is that permissions are divided into application permissions and delegated permissions.

    Delegated permission is the authorization of the service principal on behalf of the user. It usually involves user interaction. If you need the user to log in, you can choose to grant this kind of permission, and then you need to use the auth code flow to obtain an access token.

    Application permission is the authorization of the service principal on its own behalf. It is usually used in a daemon where no user is logged in. If you do not need the user to log in, you can choose to grant this kind of permission, and then you need to use the client credential flow to obtain an access token.
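As an added example (not code from the asker or the answerer), the client credential flow described above, written out: build the token request for the linked v2.0 endpoint, inspect which permissions the returned token actually carries in its `roles` (application) or `scp` (delegated) claim before calling Graph, and build the private channel request from the linked channel-post doc. Tenant, client and team ids are placeholders; `Channel.Create` is one of the application permissions the Create channel doc lists, and `make_unsigned_token` only fabricates a sample token so the check can be exercised offline.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # all app permissions granted to the app

def build_token_request(tenant_id, client_id, client_secret):
    """Client credentials grant: POST url and form body for the v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": GRAPH_SCOPE})
    return url, body

def token_permissions(access_token):
    """Read the granted permissions from the JWT payload: application permissions are in
    'roles', delegated ones in 'scp'. No signature check: this inspects your own token."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", [])), set(claims.get("scp", "").split())

def explain_403(access_token, required_any):
    """Return None if the token carries one of the permissions the API doc lists
    (any one suffices), else a message saying why Graph will answer 403."""
    roles, scopes = token_permissions(access_token)
    granted = roles | scopes
    if granted & set(required_any):
        return None
    return f"token grants {sorted(granted) or 'nothing'}; API needs one of {required_any}"

def build_private_channel_request(team_id, display_name, owner_user_id):
    """POST /teams/{team-id}/channels body for a private channel with one owner."""
    url = f"https://graph.microsoft.com/v1.0/teams/{team_id}/channels"
    body = {
        "displayName": display_name,
        "membershipType": "private",
        "members": [{
            "@odata.type": "#microsoft.graph.aadUserConversationMember",
            "user@odata.bind": f"https://graph.microsoft.com/v1.0/users('{owner_user_id}')",
            "roles": ["owner"],
        }],
    }
    return url, json.dumps(body)

def make_unsigned_token(claims):
    """Constructed sample token for offline testing; real tokens are signed by Azure AD."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.signature"
```

Send the token request with any HTTP client, put the returned `access_token` in an `Authorization: Bearer` header, and run `explain_403` on it first: an empty `roles` claim means admin consent for the application permission was never granted in the portal.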