Sending Messages with Group Tags in MS Teams Channel - Missing Role `Teamwork.Migrate.All`

Suparerk Angkawattanawit 0 Reputation points
2024-11-05T22:08:47.88+00:00

I am trying to send messages with group tags to a Microsoft Teams channel. So far, I have tested webhooks and adaptive cards, both of which allow me to send messages, but unfortunately, they do not support group tagging.

I found that the Microsoft Graph API supports sending messages with group tags. I tested this using my personal access token in Microsoft Graph Explorer, as well as through a PowerShell script, and both methods worked successfully. There was no error about a missing role permission at all.

However, when I tried to use an access token from my application/service principal (registered in Azure AD), I received an error indicating that the Teamwork.Migrate.All permission is required. I initially considered asking an admin to grant this permission, but I found out that this permission could allow someone with the token to post messages on behalf of any users, even with custom timestamps, which raises security concerns.

Is there a secure way to achieve this without the need for the Teamwork.Migrate.All permission? Any guidance would be greatly appreciated.

The commands I am using are:

Connect-MgGraph -AccessToken $AccessToken -NoWelcome

New-MgTeamChannelMessage -TeamId $teamId -ChannelId $channelId -BodyParameter $params | Out-Null

This is the error message I received when using the access token from the application/service principal:

User's image


1 answer

  1. CarlZhao-MSFT 43,011 Reputation points
    2024-11-07T03:07:15.98+00:00

    Hi @Suparerk Angkawattanawit

    No, the Teamwork.Migrate.All application permission will be necessary when you try to import messages using an application token.

    Please note that application permissions are only supported for migration, which means you need to create teams and channels in a migrated state and import messages from a third-party platform.


    If you are just sending channel messages, then you should use delegated permissions.


    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
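
The delegated approach from the answer above, as an added example that is not part of the original question or answer: it signs in with a single delegated scope, refuses to post if the session turns out to be app-only, and sends a message that mentions a tag. The scope name `ChannelMessage.Send`, the `mentioned.tag` payload shape and the `Get-MgContext` check are assumptions taken from the Microsoft Graph documentation rather than from this thread, and all IDs and the message text are placeholders.

```powershell
# Added example. Placeholder values are constructed; substitute your own.
$teamId    = '<team-id>'
$channelId = '<channel-id>'
$tagId     = '<tag-id>'            # ID of the Teams tag to mention
$tagName   = '<tag-display-name>'  # display name of that tag

# Interactive delegated sign-in that requests only the scope needed to post.
Connect-MgGraph -Scopes 'ChannelMessage.Send' -NoWelcome

# Guard: stop if the session is app-only, where posting requires the
# migration role discussed in this thread.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'Delegated') {
    throw "Expected a delegated context, got '$($ctx.AuthType)'."
}

# The body is HTML, so encode the tag name before embedding it.
$safeName = [System.Net.WebUtility]::HtmlEncode($tagName)

$params = @{
    body = @{
        contentType = 'html'
        # The <at id="0"> element is tied to the mention whose id is 0.
        content     = "<at id=`"0`">$safeName</at> Deployment finished."
    }
    mentions = @(
        @{
            id          = 0
            mentionText = $tagName
            mentioned   = @{
                tag = @{
                    id          = $tagId
                    displayName = $tagName
                }
            }
        }
    )
}

New-MgTeamChannelMessage -TeamId $teamId -ChannelId $channelId -BodyParameter $params | Out-Null
```

The message is posted as the signed-in user, so that account must be a member of the team; for unattended jobs this means a dedicated, tightly scoped user account rather than an application permission.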

