Share via

Adding team owner through Graph API causes 403 error

Dmytro_dev 0 Reputation points
2024-09-10T07:53:53.3233333+00:00

Hi guys! I have faced an issue with Team Graph API. Some times ago (approximately 3 month ago) API that adds team owner just stopped working. Here is a brief investigation. Our application is used Application type of permissions for performing API operations. For example, team creation requires “Team.Create” scope. It is granted for our application. POST that is used for Team creation:

POST https://graph.microsoft.com/v1.0/teams
Headers: 
"Content-Type: application/json"
"Authorization: BEARER token"
Body: {"@microsoft.graph.teamCreationMode":"migration","template@odata.bind":"https://graph.microsoft.com/v1.0/teamsTemplates('standard')","displayName":"Restored by SpinOne for restore at Sep 06, 2024 05-43 PM","description":"for restore","createdDateTime":"2022-02-21T16:35:36.032Z"}

This query is executed successfully, team is created. But for the query that suppose to add member the same approach doesn’t work anymore. It requires “TeamMember.ReadWrite.All” scope which is present for application.

POST: https://graph.microsoft.com/v1.0/teams/{teamId}/members
Headers: 
"Content-Type: application/json"
"Authorization: BEARER token"
Body: {"@odata.type":"#microsoft.graph.aadUserConversationMember","roles":["owner"],"user@odata.bind":"https://graph.microsoft.com/v1.0/users('userId')"}

Response:

Response code: 403
Body:{"error":{"code":"Forbidden","message":"You do not have permission to perform this operation.","innerError": {"code":"AccessDenied","message":"You do not have permission to perform this operation.","details":[],"date":"2024-09-06T15:05:25","request-id":"b2aaa7b4-3632-4cf0-93cb-bc4e5b4337f7","client-request-id":"b2aaa7b4-3632-4cf0-93cb-bc4e5b4337f7"}}}

But all permissions are correct according to https://learn.microsoft.com/en-us/graph/api/team-post-members?view=graph-rest-1.0&tabs=http Were there any changes in API? Could you please help me with this problem?

Microsoft Teams
Microsoft Teams
A Microsoft customizable chat-based workspace.
10,618 questions
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,722 questions

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Hitesh Pachipulusu - MSFT 3,545 Reputation points Microsoft Vendor
    2024-09-10T12:16:46.05+00:00

    Hello Dmytro_dev,

    Thank you for reaching to Microsoft Support!

    A 403 Forbidden error typically indicates that the client does not have permission to access the requested resource. Here are some possible reasons why you might be encountering this error when trying to add a team owner using the Microsoft Graph API:

    1. Insufficient Permissions: Even though you have the TeamMember.ReadWrite.All permission, it might not be correctly applied or granted admin consent. Double-check the permissions in the Azure portal. Additionally provide Directory.ReadWrite.All, Group.ReadWrite.All scopes.
    2. Role Assignment Issues: The user or application might not have the necessary roles assigned. Ensure that the application has the required roles to perform the operation.
    3. Token Scope: The access token might not include the necessary scopes. Decode the JWT token (you can use tools like jwt.io) to ensure it contains the correct scopes and roles. Verify that the token includes all scopes.
    4. User Licensing: The user you’re trying to add as an owner might not have the necessary licenses. Ensure that the user has the appropriate Microsoft 365 licenses.

    By following these steps, you should be able to gather more information and fix the root cause of the 403 error.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

  2. CarlZhao-MSFT 44,356 Reputation points
    2024-09-11T08:52:46.3533333+00:00

    Hi @Dmytro_dev

    I just conducted some local tests, and it worked very well.

    I suggest you create a new application and only grant the TeamMember.ReadWrite.All application permission to avoid permission conflicts. Then, use the new application to request a new access token and try again.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

  3. CarlZhao-MSFT 44,356 Reputation points
    2024-09-13T10:02:10.81+00:00

    Hi @Dmytro_dev

    After multiple tests, I was able to reproduce your issue locally.

    User's image

    This is because the team you created is in a migration state, and currently, adding members to a team in this state is not supported.

    You should create a team that is not in a migration state.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.