Microsoft Graph Delegated permissions show all tenants data
I want to build an app that lists the teams that the current user is member of in Microsoft Teams using the Microsoft Graph API and the user should only be able to see her own teams.
The problem is that the app gets access to ALL teams on the tenant and not only the teams that the user already belongs to.
This is an issue because even just the naming of a private team can be confidential information in some organizations.
According to the documentation (https://learn.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0&tabs=http) the least privileged permission for listing Groups is “GroupMember.Read.All”.
I therefore create an app with this permission and the type is “Delegated”.
Since the permission requires admin consent I manually give admin consent to the app in the AAD Portal.
I now ask the user to authorize the app on her behalf by having her follow this link:
`https://login.microsoftonline.com/[tenant]/
oauth2/v2.0/authorize?client_id=[clientId]
&redirect_uri=[redirectUri]
&response_type=code
&response_mode=query
&prompt=consent
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read offline_access`
Through the OAUTH2 flow the server obtains an access token for the user and the delegated permissions. The access token is used to call the Graph API mentioned before:
https://graph.microsoft.com/v1.0/groups?$filter=resourceProvisioningOptions/Any(x:x eq 'Team')
The issue is that the request returns ALL teams on the tenant and not only the teams that the user has access to in MS Teams client - including a long list of private teams that the user should not be able to see at all.
How can it be that the access token obtained from the user approving the app gives the app access to all teams and not just the teams that the user is member of?
There are two endpoints that can be useful for you
First endpoint
GET /me/joinedTeams
gets the teams that the user is a direct member of.
The second one
GET /users/{user-id}/teamwork/associatedTeams
gets the list of teams that the user is a direct member of a team or is a member of a shared channel that is hosted inside a team.
Documentation:
- Error 400: invalid_scope with Postman and Google OAuth2
- Issues Adding SMTP.Send Permission to Azure Application for Office 365 SMTP
- PHP - How to get OAuth 2.0 Token
- UPS Outh Rating API return Invalid Authentication Information
- How to store sensitive data in React Native or expo code ? ( with Keychain and Keystore )
- How to get Optum sandbox to authenticate with OAuth 2.0 using Java and okhttp
- Spring Boot redirection back to login page
- New Google place api using google OAuth, ask failed to refresh token
- Getting OAuth code challenge on loopback server
- How do I solve audience (aud) invalid claim error for downstream api service?
- oauth 2 parameters can only have a single value: scope
- #oauth2 security expressions on method level
- Calling spring authorization server OAuth2 REST endpoints
- Google AdWords API authorization raising AdsCommon::Errors::AuthError
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Passport - Node.js not returning Refresh Token
- AWS Cognito: Missing Scopes in Access Token with Custom UI and Device Remember Functionality for MFA
- Cross-client Google OAuth: Get auth code on iOS and access token on server
- How to generate GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET without a domain?
- Spring Gateway and OAuth
- OAuth Client Credential Flow - Refresh Tokens
- Django OAuth2 Authentication Failing in Unit Tests - 401 'invalid_client' Error
- Add OAuth authentication for HTTP request triggers
- OAuth2 implementation and user management Django
- How to enable a submit button if form fields are auto-filled by the browser using saved credentials on page load?
- AADSTS70000 Error When Requesting for Access Token
- Is storing an OAuth token in cookies bad practice?
- Spring OAuth2 client performs Back-Channel Logout with an expired ID token
- I/O error on GET request for "https://localhost/application/o/{name}/.well-known/openid-configuration": Connection refused
- Restrict Microsoft Azure App OAuth2.0 to Internal Users