Graph token with MicrosoftTeams 2.0 module

Alex Berin 1 Reputation point
2021-04-05T13:36:29.233+00:00

I am trying to use graph authentication token via app registration to query and update Teams collaboration parameters on user account.
Using the latest 2.0 MicrosoftTeams PS module.

I am able to connect and also able to execute Teams specific PS commands such as Get-Team
However I am getting an error running non Teams specific commands such Get-CsOnlineUser. Error appears to be permission specific.

I have granted all possible API permissions (application level), however nothing seems to work.

Any advice would be much appreciated.

Connection string looks as following:

$clientId = "XXXXX"
$tenantId = "YYYYY"
$clientSecret = "ZZZZZZ"

$uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
client_id = $clientId
scope = "https://graph.microsoft.com/.default"
client_secret = $clientSecret
grant_type = "client_credentials"
}

$tokenRequest = Invoke-WebRequest -Method Post -Uri $uri -Body $body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing

$token = ($tokenRequest.Content | ConvertFrom-Json).access_token

Connect-MicrosoftTeams -AadAccessToken $token -MsAccessToken $token -Verbose -AccountId account123@365domain.com

API permissions granted:
Directory.Read.All
Group.Read.All
GroupMember.Read.All
MailboxSettings.Read
OnlineMeetings.Read.All
Organization.Read.All
People.Read.All
Team.ReadBasic.All
TeamMember.Read.All
TeamSettings.Read.All
User.Export.All
User.Read.All
User.ReadWrite.All

Microsoft Teams Graph Service (2)
Graph.ReadWrite.All
ResourceSpecificPermission.Read.All
Microsoft Teams Services (1)
User.Read.All
Skype and Teams Tenant Admin API (1)
application_access

Microsoft Teams
Microsoft Teams
A Microsoft customizable chat-based workspace.
9,156 questions
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,716 questions
Microsoft Teams Development
Microsoft Teams Development
Microsoft Teams: A Microsoft customizable chat-based workspace.Development: The process of researching, productizing, and refining new or existing technologies.
2,886 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,390 questions

10 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. UCMadScientist 16 Reputation points MVP
    2021-06-13T12:01:39.223+00:00

    @sikumars-msft Unfortunately, this is not what Alex is referring to.

    In summary he, and other admins such as myself are experiencing an issue attempting to run "cs" cmndlets in the MicrosoftTeams PowerShell module when using App or Token authentication.

    This is an issue now as the Skype4BOnline module was previously responsible for the "cs" cmdlets like Get-CsUser. That module has now been retired and cant connect to O365 at all. and all the "Cs" cmdlets have been moved into the MicrosoftTeams PS module.

    When connecting using the Connect-MicrosoftTeams cmdlet. it silently stores the users credentials and effectively runs a "new-csonlinesession" cmdlet whenever we invoke a "CS" cmdlet

    Thats fine if we are providing credentials in an interactive manner, but not effective if we are using automation or authenticating against multiple tenants.
    I have seen some PG members suggest storing the username/password in the PowerShell script as a workaround, but this wont work around MFA (and is a massive security risk)

    The reason we use AppAuthentication is that users never need to give us their credentials, we don't need to store them, we arent a security risk because all they have to do is approve our app in the Office365 admin centre.

    So the question is, when are we going to see some form of app/token/certificate authentication for the CS cmdlets?

    3 people found this answer helpful.
    0 comments
  2. Alexander BerinA 6 Reputation points
    2021-05-04T13:10:28.58+00:00

    Not yet, no solution so far

    1 person found this answer helpful.
    0 comments
  3. Kartheek Raparthy 1 Reputation point
    2021-04-19T04:40:00.163+00:00

    Could you please share the cmdlets and error message what you are getting while running.
    could you please share the exact teams module version 2.0 or any preview version you are using

    0 comments
  4. Alex Berin 1 Reputation point
    2021-04-19T17:24:40.053+00:00

    Absolutely. On top of the commands listed in the original post, I as using these cmdlets:
    Get-Teams - successful
    Get-CsOnlineUser - failing

    Error message:
    Exception calling "GetSteppablePipeline" with "1" argument(s): "Exception calling "GetRemoteNewCsOnlineSession" with "1" argument(s): "Run either
    Connect-MicrosoftTeams or new-csonlinesession before running cmdlets.""
    At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.0.0\net472\SfBORemotePowershellModule.psm1:9474 char:13

    • $steppablePipeline = $scriptCmd.GetSteppablePipeline($myI ...
    • ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    • CategoryInfo : NotSpecified: (:) [], ParentContainsErrorRecordException
    • FullyQualifiedErrorId : CmdletInvocationException

    Installed Teams module 2.0.0:
    2.0.0 MicrosoftTeams PSGallery

    0 comments
  5. Kartheek Raparthy 1 Reputation point
    2021-04-26T04:49:42.83+00:00

    Update: Microsoft has released a preview version (2.1.0) of the Teams PowerShell module which works properly with modern authentication. It’s likely that this version will be pushed through to general availability quite quickly.
    Please go through this link for more information.

    0 comments