Azure AD Permissions to fetch User email using Graph API

Question

We’ve developed a simple app for Microsoft Teams, designed to be installed for a Team, which uses a Bot and an Action-based Messaging Extension. The bot is granted the User.Read.All permission for the tenant via the Azure AD portal and works fine for our organization. We need to send this to our customers and we are curious if all our customers using their own MS Teams workspaces would be required to give this permission from Azure Portal?

Below is a summary of how our Bot works.

When the user interacts with our messaging extension,

• A fetchTask is sent to our server
• Our server uses the Microsoft Graph API to fetch the user’s email address in node
• First, an access token is obtained for the user’s tenant from the URL https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token
• The token is used to fetch the user details from the URL https://graph.microsoft.com/v1.0/users/${userId}

Our server determines the input choices for the user and responds with a TaskModule.

Once the user submits the modal:

• Our server once again uses the Graph API to fetch the user’s email address
• Executes the appropriate business logic
• An Incoming Webhook is used to send an appropriate message to a channel in the user’s team

Answer 1

If you want to use your application for multiple tenants you need to register your application as a multitenant in Azure. Please go through this documentation to update registration to multi tenant.

To get authorization request use tenant value as common ex: https://login.microsoftonline.com/common. Check this doc for more info

Answer 2

@Sridevi-MSFT

We have confirmed that our app is already registered as a multi-tenant app in Azure AD.

• As for the login endpoint, we do know the user's tenantID, as the Bot sends it to us in the activity.conversation.tenantId field. We use this tenantID in the URL https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token to get the token. We also tried using the URL https://login.microsoftonline.com/common/oauth2/v2.0/token. Either way, we are able to get the token for the Bot.
• However, when we try accessing the user's profile from this URL https://graph.microsoft.com/v1.0/users/${userId} (the ID comes from activity.from.aadObjectId), we get an Authorization_IdentityNotFound error with the message: "The identity of the calling application could not be established."

The user's profile call works for the same tenant where this Bot was created and if the user.read.all application permissions were assigned.

Can you please recommend how we can get this to work for other tenants?

Answer 3

@Sridevi-MSFT can you please check our latest response in the other thread above and guide us forward?