Microsoft Teams
A Microsoft customizable chat-based workspace.
9,980 questions
Here it is
Adding team owner through Graph API causes 403 error
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 57.99999999999999%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Dmytro_dev
0
Reputation points
Hi guys! I have faced an issue with Team Graph API. Some times ago (approximately 3 month ago) API that adds team owner just stopped working. Here is a brief investigation. Our application is used Application type of permissions for performing API operations. For example, team creation requires “Team.Create” scope. It is granted for our application. POST that is used for Team creation:
POST https://graph.microsoft.com/v1.0/teams
Headers:
"Content-Type: application/json"
"Authorization: BEARER token"
Body: {"@microsoft.graph.teamCreationMode":"migration","template@odata.bind":"https://graph.microsoft.com/v1.0/teamsTemplates('standard')","displayName":"Restored by SpinOne for restore at Sep 06, 2024 05-43 PM","description":"for restore","createdDateTime":"2022-02-21T16:35:36.032Z"}
This query is executed successfully, team is created. But for the query that suppose to add member the same approach doesn’t work anymore. It requires “TeamMember.ReadWrite.All” scope which is present for application.
POST: https://graph.microsoft.com/v1.0/teams/{teamId}/members
Headers:
"Content-Type: application/json"
"Authorization: BEARER token"
Body: {"@odata.type":"#microsoft.graph.aadUserConversationMember","roles":["owner"],"user@odata.bind":"https://graph.microsoft.com/v1.0/users('userId')"}
Response:
Response code: 403
Body:{"error":{"code":"Forbidden","message":"You do not have permission to perform this operation.","innerError": {"code":"AccessDenied","message":"You do not have permission to perform this operation.","details":[],"date":"2024-09-06T15:05:25","request-id":"b2aaa7b4-3632-4cf0-93cb-bc4e5b4337f7","client-request-id":"b2aaa7b4-3632-4cf0-93cb-bc4e5b4337f7"}}}
But all permissions are correct according to https://learn.microsoft.com/en-us/graph/api/team-post-members?view=graph-rest-1.0&tabs=http Were there any changes in API? Could you please help me with this problem?
Microsoft Teams
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,882 questions
{count} votes
-
CarlZhao-MSFT 41,291 Reputation points2024-09-10T10:19:13.0466667+00:00 Hi @Dmytro_dev
Use jwt.ms to decode your access token and share screenshots.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 65%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Meghana-MSFT 3,871 Reputation points Microsoft Vendor2024-09-19T05:29:45.82+00:00 Hi @Dmytro_dev - Could you please the request-id and timestamp details of more recent repro. Engineering team is investigating this issue, and the logs have expired for the above request-id.
-
Dmytro_dev 0 Reputation points
2024-09-19T07:46:54.43+00:00 Hi @Meghana_MSFT,
Here it is
Response code: 403 { "error": { "code": "Forbidden", "message": "You do not have permission to perform this operation.", "innerError": { "code": "AccessDenied", "message": "You do not have permission to perform this operation.", "details": [], "date": "2024-09-19T07:45:06", "request-id": "121c9654-52e3-42ad-8b7a-4bf7b97d789a", "client-request-id": "121c9654-52e3-42ad-8b7a-4bf7b97d789a" } } }
Sign in to comment
4 answers
Sort by: Most helpful
-
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 86%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHP%3C/text%3E%3C/svg%3E)
Hitesh Pachipulusu - MSFT 1,490 Reputation points Microsoft Vendor2024-09-10T12:16:46.05+00:00 Hello Dmytro_dev,
Thank you for reaching to Microsoft Support!
A 403 Forbidden error typically indicates that the client does not have permission to access the requested resource. Here are some possible reasons why you might be encountering this error when trying to add a team owner using the Microsoft Graph API:
- Insufficient Permissions: Even though you have the
TeamMember.ReadWrite.Allpermission, it might not be correctly applied or granted admin consent. Double-check the permissions in the Azure portal. Additionally provideDirectory.ReadWrite.All,Group.ReadWrite.Allscopes. - Role Assignment Issues: The user or application might not have the necessary roles assigned. Ensure that the application has the required roles to perform the operation.
- Token Scope: The access token might not include the necessary scopes. Decode the JWT token (you can use tools like jwt.io) to ensure it contains the correct scopes and roles. Verify that the token includes all scopes.
- User Licensing: The user you’re trying to add as an owner might not have the necessary licenses. Ensure that the user has the appropriate Microsoft 365 licenses.
By following these steps, you should be able to gather more information and fix the root cause of the 403 error.
Hope this helps.
If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
-
Dmytro_dev 0 Reputation points
2024-09-10T12:44:14.9633333+00:00 Ok, thanks, let me check.
But do you have any idea why it can just stop working? I believe no changes were made into scopes\roles for application itself -
Hitesh Pachipulusu - MSFT 1,490 Reputation points Microsoft Vendor
2024-09-10T13:22:36.73+00:00 Hello Dmytro_dev,
Using application permissions to add guest members to a team is not supported. Please check the user details.
-
Dmytro_dev 0 Reputation points
2024-09-10T13:54:40.8166667+00:00 edited: posted by mistake, pls, see below
-
Dmytro_dev 0 Reputation points
2024-09-10T14:11:15.3133333+00:00 Hi Hitesh,
What kind of user details do you mean?
Please, note, that I'm adding owner, not guest user. Also I was able to do it using exactly this endpoint some time ago. -
Hitesh Pachipulusu - MSFT 1,490 Reputation points Microsoft Vendor
2024-09-11T05:51:11.05+00:00 Hello Dmytro_dev,
Can you please share the request-id and timestamp details.
-
Dmytro_dev 0 Reputation points
2024-09-11T08:17:04.9133333+00:00 Hi Hitesh,
Response code: 403 Body:{"error":{"code":"Forbidden","message":"You do not have permission to perform this operation.","innerError": {"code":"AccessDenied","message":"You do not have permission to perform this operation.","details":[],"date":"2024-09-06T15:05:25","request-id":"b2aaa7b4-3632-4cf0-93cb-bc4e5b4337f7","client-request-id":"b2aaa7b4-3632-4cf0-93cb-bc4e5b4337f7"}}} -
Dmytro_dev 0 Reputation points
2024-09-11T08:49:57.4033333+00:00 Hi Hitesh,
Response code: 403
Body:{"error":{"code":"Forbidden","message":"You do not have permission to perform this operation.","innerError": {"code":"AccessDenied","message":"You do not have permission to perform this operation.","details":[],"date":"2024-09-06T15:05:25","request-id":"b2aaa7b4-3632-4cf0-93cb-bc4e5b4337f7","client-request-id":"b2aaa7b4-3632-4cf0-93cb-bc4e5b4337f7"}}}Btw, it looks like there is some glitch on a forum, I should post a comment twice to make it visible... Not related to the issue though :)
-
Hitesh Pachipulusu - MSFT 1,490 Reputation points Microsoft Vendor
2024-09-11T10:10:52.9233333+00:00 Hello Dmytro_dev,
Sorry for the inconvenience caused. Thank you for providing the details. I am looking this internally. Please allow me sometime.
Sign in to comment - Insufficient Permissions: Even though you have the
-
CarlZhao-MSFT 41,291 Reputation points
2024-09-11T08:52:46.3533333+00:00 Hi @Dmytro_dev
I just conducted some local tests, and it worked very well.
I suggest you create a new application and only grant the
TeamMember.ReadWrite.Allapplication permission to avoid permission conflicts. Then, use the new application to request a new access token and try again.Hope this helps.
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
-
Dmytro_dev 0 Reputation points
2024-09-11T14:04:15.25+00:00 Hello,
Unfortunately, it's not a case for me to create another application.
I believe, TeamMember.ReadWrite.All is not enough, because I need to create Team iteself before.
What can cause the conflict in permissions? Are there any chance to understand which scopes are the clashing ones?Thanks
Sign in to comment -
-
CarlZhao-MSFT 41,291 Reputation points
2024-09-13T10:02:10.81+00:00 Hi @Dmytro_dev
After multiple tests, I was able to reproduce your issue locally.
This is because the team you created is in a migration state, and currently, adding members to a team in this state is not supported.
You should create a team that is not in a migration state.
Hope this helps.
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
-
Dmytro_dev 0 Reputation points
2024-09-17T07:42:16.4+00:00 Hello!
Thanks for the idea. I've checked one more time my solution.
Migration mode is used indeed but before adding owner migration is completed by corresponding API call.
And one more time, it worked some time ago.
Is there any changes in this process now?
Sign in to comment -