Graph token with MicrosoftTeams 2.0 module

Question

I am trying to use graph authentication token via app registration to query and update Teams collaboration parameters on user account.
Using the latest 2.0 MicrosoftTeams PS module.

I am able to connect and also able to execute Teams specific PS commands such as Get-Team
However I am getting an error running non Teams specific commands such Get-CsOnlineUser. Error appears to be permission specific.

I have granted all possible API permissions (application level), however nothing seems to work.

Any advice would be much appreciated.

Connection string looks as following:

$clientId = "XXXXX"
$tenantId = "YYYYY"
$clientSecret = "ZZZZZZ"

$uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
client_id = $clientId
scope = "https://graph.microsoft.com/.default"
client_secret = $clientSecret
grant_type = "client_credentials"
}

$tokenRequest = Invoke-WebRequest -Method Post -Uri $uri -Body $body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing

$token = ($tokenRequest.Content | ConvertFrom-Json).access_token

Connect-MicrosoftTeams -AadAccessToken $token -MsAccessToken $token -Verbose -AccountId account123@365domain.com

API permissions granted:
Directory.Read.All
Group.Read.All
GroupMember.Read.All
MailboxSettings.Read
OnlineMeetings.Read.All
Organization.Read.All
People.Read.All
Team.ReadBasic.All
TeamMember.Read.All
TeamSettings.Read.All
User.Export.All
User.Read.All
User.ReadWrite.All

Microsoft Teams Graph Service (2)
Graph.ReadWrite.All
ResourceSpecificPermission.Read.All
Microsoft Teams Services (1)
User.Read.All
Skype and Teams Tenant Admin API (1)
application_access

Answer 1

Update: Still no improvement on the App Only (Unattended) front in the latest MicrosoftTeams 3.0.0. module. The only reported working method is by using Delegate permissions as stated in the Docs under 'AccessTokens' parameter directions.
If someone has an ETA on something more useful, please post here

Answer 2

@sikumars-msft Unfortunately, this is not what Alex is referring to.

In summary he, and other admins such as myself are experiencing an issue attempting to run "cs" cmndlets in the MicrosoftTeams PowerShell module when using App or Token authentication.

This is an issue now as the Skype4BOnline module was previously responsible for the "cs" cmdlets like Get-CsUser. That module has now been retired and cant connect to O365 at all. and all the "Cs" cmdlets have been moved into the MicrosoftTeams PS module.

When connecting using the Connect-MicrosoftTeams cmdlet. it silently stores the users credentials and effectively runs a "new-csonlinesession" cmdlet whenever we invoke a "CS" cmdlet

Thats fine if we are providing credentials in an interactive manner, but not effective if we are using automation or authenticating against multiple tenants.
I have seen some PG members suggest storing the username/password in the PowerShell script as a workaround, but this wont work around MFA (and is a massive security risk)

The reason we use AppAuthentication is that users never need to give us their credentials, we don't need to store them, we arent a security risk because all they have to do is approve our app in the Office365 admin centre.

So the question is, when are we going to see some form of app/token/certificate authentication for the CS cmdlets?

Answer 3

Hello @Alex Berin ,

I hope this thread may help you. Thanks.

--------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 4

Hi ..it works weird with Module version 2.3.1. When I execute script line by line it works!

But when I run the script .. it wont work..have all the permissions set exactly same. The error says " Run Connect-MicrosoftTeams before running cmdlets" even though am connected successfully.

Answer 5

You can only use app permissions to run the Teams cmdlets at this point. The non-Teams specific ones like Get-CsOnlineUser aren't supported for app permission at this point, support is being worked on.