Enable resource-specific consent in Teams - Teams

Article
07/08/2022
10 minutes to read

Note

Resource-specific consent for chat scope is available in public developer preview only.

Resource-specific consent (RSC) is a Microsoft Teams and Microsoft Graph API integration that enables your app to use API endpoints to manage specific resources, either teams or chats, within an organization. The RSC permissions model enables team owners and chat owners to grant consent for an application to access and modify a team's data and a chat's data, respectively.

Note: If a chat has a meeting or a call associated with it, then the relevant RSC permissions apply to those resources as well.

Resource-specific permissions

The granular, Teams-specific, RSC permissions define what an application can do within a specific resource.

Resource-specific permissions for a team

Application permission	Action
TeamSettings.Read.Group	Get this team's settings.
TeamSettings.ReadWrite.Group	Update this team's settings.
ChannelSettings.Read.Group	Get this team's channel names, channel descriptions, and channel settings.
ChannelSettings.ReadWrite.Group	Update this team's channel names, channel descriptions, and channel settings.
Channel.Create.Group	Create channels in this team.
Channel.Delete.Group	Delete channels in this team.
ChannelMessage.Read.Group	Get this team's channel messages.
TeamsAppInstallation.Read.Group	Get a list of this team's installed apps.
TeamsTab.Read.Group	Get a list of this team's tabs.
TeamsTab.Create.Group	Create tabs in this team.
TeamsTab.ReadWrite.Group	Update this team's tabs.
TeamsTab.Delete.Group	Delete this team's tabs.
TeamMember.Read.Group	Get this team's members.
TeamsActivity.Send.Group	Create new notifications in the activity feeds of the users in this team.

For more details, see team resource-specific consent permissions.

Resource-specific permissions for a chat

The following table provides resource-specific permissions for a chat:

Application permission	Action
ChatSettings.Read.Chat	Get this chat's settings.
ChatSettings.ReadWrite.Chat	Update this chat's settings.
ChatMessage.Read.Chat	Get this chat's messages.
ChatMember.Read.Chat	Get this chat's members.
Chat.Manage.Chat	Manage this chat.
TeamsTab.Read.Chat	Get this chat's tabs.
TeamsTab.Create.Chat	Create tabs in this chat.
TeamsTab.Delete.Chat	Delete this chat's tabs.
TeamsTab.ReadWrite.Chat	Manage this chat's tabs.
TeamsAppInstallation.Read.Chat	Get which apps are installed in this chat.
OnlineMeeting.ReadBasic.Chat	Read basic properties, such as name, schedule, organizer, join link, and start/end notifications, of a meeting associated with this chat.
Calls.AccessMedia.Chat	Access media streams in calls associated with this chat or meeting.
Calls.JoinGroupCalls.Chat	Join calls associated with this chat or meeting.
TeamsActivity.Send.Chat	Create new notifications in the activity feeds of the users in this chat.
OnlineMeetingTranscript.Read.Chat	Read the transcripts of the meeting associated with this chat.

For more details, see chat resource-specific consent permissions.

Note

Resource-specific permissions are only available to Teams apps installed on the Teams client and are currently not part of the Azure Active Directory (AAD) portal.

Enable RSC in your application

Configure consent settings.
1. Configure group owner consent settings for RSC in a team using the Azure AD portal.
2. Configure chat owner consent settings for RSC in a chat using the Microsoft Graph APIs.
Register your app with Microsoft identity platform using the Azure AD portal.
Review your application permissions in the Azure AD portal.
Obtain an access token from the identity platform.
Update your Teams app manifest.
Install your app directly in Teams.
Check your app for added RSC permissions.
1. Check your app for added RSC permissions in a team.
2. Check your app for added RSC permissions in a chat.

You can enable or disable group owner consent directly within the Microsoft Azure portal:

Sign in to the Azure portal as a Global Administrator or Company Administrator.
Select Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings.
Enable, disable, or limit user consent with the control labeled Group owner consent for apps accessing data. The default is Allow group owner consent for all group owners. For a team owner to install an app using RSC, group owner consent must be enabled for that user.

In addition, you can enable or disable group owner consent using PowerShell, follow the steps outlined in configure group owner consent using PowerShell.

You can enable or disable RSC for chats using Graph API. The property isChatResourceSpecificConsentEnabled in teamsAppSettings governs whether chat RSC is enabled in the tenant.

Graph RSC team configuration

The default value of the property isChatResourceSpecificConsentEnabled is based on whether user consent settings is turned on or off in the tenant when RSC for chats is first used. This can be the first time a) retrieving teamsAppSettings or b) installing a Teams app with resource-specific permissions in a chat/meeting.

Register your app with Microsoft identity platform using the Azure AD portal

The Azure AD portal provides a central platform for you to register and configure your apps. Your app must be registered in the Azure AD portal to integrate with the identity platform and call Microsoft Graph APIs. For more information, see register an application with the identity platform.

Warning

An Azure AD app ID must not be shared across multiple Teams apps. There must be a 1:1 mapping between a Teams app and an Azure AD app. Attempts to install multiple Teams apps which are associated with the same Azure AD app ID will cause installation or runtime failures.

Review your application permissions in the Azure AD portal

Go to the Home > App registrations page and select your RSC app.
Choose API permissions from the left pane and go through the list of Configured permissions for your app. If your app only makes RSC Graph API calls, delete all the permissions on that page. If your app also makes non-RSC calls, keep those permissions as required.

Important

The Azure AD portal cannot be used to request RSC permissions. RSC permissions are currently exclusive to Teams applications installed in the Teams client and are declared in the Teams app manifest (JSON) file.

Obtain an access token from the Microsoft identity platform

To make Graph API calls, you must obtain an access token for your app from the identity platform. Before your app can get a token from the identity platform, it must be registered in the Azure AD portal. The access token contains information about your app and the permissions it has for the resources and APIs available through Microsoft Graph.

You must have the following values from the Azure AD registration process to retrieve an access token from the identity platform:

The Application ID assigned by the app registration portal. If your app supports single sign-on (SSO) you must use the same Application ID for your app and SSO.
The Client secret/password or a public or private key pair that is Certificate. This is not required for native apps.
A Redirect URI or reply URL for your app to receive responses from Azure AD.

For more information, see get access on behalf of a user and get access without a user.

Update your Teams app manifest

The RSC permissions are declared in your app manifest JSON file.

Important

Non-RSC permissions are stored in the Azure portal. Do not add them to the app manifest.

RSC permissions for app manifest version 1.12

Add a webApplicationInfo key to your app manifest with the following values:

Name	Type	Description
`id`	String	Your Azure AD app ID. For more information, see register your app in the Azure AD portal.
`resource`	String	This field has no operation in RSC, but must be added and have a value to avoid an error response; any string will do.

Specify permissions needed by the app.

Name	Type	Description
`authorization`	Object	List of permissions that the app needs to function. For more information, see [placeholder for link- authorization in manifest]

Example for RSC in a team

"webApplicationInfo": {
    "id": "XXxxXXXXX-XxXX-xXXX-XXxx-XXXXXXXxxxXX",
    "resource": "https://RscBasedStoreApp"
    },
"authorization": {
    "permissions": {
        "resourceSpecific": [
            {
                "name": "TeamSettings.Read.Group",
                "type": "Application"
            },
            {
                "name": "TeamSettings.ReadWrite.Group",
                "type": "Application"
            },
            {
                "name": "ChannelSettings.Read.Group",
                "type": "Application"
            },
            {
                "name": "ChannelSettings.ReadWrite.Group",
                "type": "Application"
            },
            {
                "name": "Channel.Create.Group",
                "type": "Application"
            },
            {
                "name": "Channel.Delete.Group",
                "type": "Application"
            },
            {
                "name": "ChannelMessage.Read.Group",
                "type": "Application"
            },
            {
                "name": "TeamsAppInstallation.Read.Group",
                "type": "Application"
            },
            {
                "name": "TeamsTab.Read.Group",
                "type": "Application"
            },
            {
                "name": "TeamsTab.Create.Group",
                "type": "Application"
            },
            {
                "name": "TeamsTab.ReadWrite.Group",
                "type": "Application"
            },
            {
                "name": "TeamsTab.Delete.Group",
                "type": "Application"
            },
            {
                "name": "TeamMember.Read.Group",
                "type": "Application"
            },
            {
                "name": "TeamsActivity.Send.Group",
                "type": "Application"
            }
        ]    
    }
}

Example for RSC in a chat

"webApplicationInfo": {
    "id": "XXxxXXXXX-XxXX-xXXX-XXxx-XXXXXXXxxxXX",
    "resource": "https://RscBasedStoreApp"
    },
"authorization": {
    "permissions": {
        "resourceSpecific": [
            {
                "name": "ChatSettings.Read.Chat",
                "type": "Application"
            },
            {
                "name": "ChatSettings.ReadWrite.Chat",
                "type": "Application"
            },
            {
                "name": "ChatMessage.Read.Chat",
                "type": "Application"
            },
            {
                "name": "ChatMember.Read.Chat",
                "type": "Application"
            },
            {
                "name": "Chat.Manage.Chat",
                "type": "Application"
            },
            {
                "name": "TeamsTab.Read.Chat",
                "type": "Application"
            },
            {
                "name": "TeamsTab.Create.Chat",
                "type": "Application"
            },
            {
                "name": "TeamsTab.Delete.Chat",
                "type": "Application"
            },
            {
                "name": "TeamsTab.ReadWrite.Chat",
                "type": "Application"
            },
            {
                "name": "TeamsAppInstallation.Read.Chat",
                "type": "Application"
            },
            {
                "name": "OnlineMeeting.ReadBasic.Chat",
                "type": "Application"
            },
            {
                "name": "Calls.AccessMedia.Chat",
                "type": "Application"
            },
            {
                "name": "Calls.JoinGroupCalls.Chat",
                "type": "Application"
            },
            {
                "name": "TeamsActivity.Send.Chat",
                "type": "Application"
            }
        ]    
    }
}

Note

If the app is meant to support installation in both team and chat scopes, then both team and chat permissions can be specified in the same manifest under authorization.

RSC permissions for app manifest version 1.11 or earlier

Add a webApplicationInfo key to your app manifest with the following values:

Name	Type	Description
`id`	String	Your Azure AD app ID. For more information, see register your app in the Azure AD portal.
`resource`	String	This field has no operation in RSC, but must be added and have a value to avoid an error response; any string will do.
`applicationPermissions`	Array of strings	RSC permissions for your app. For more information, see resource-specific permissions.

Example for RSC in a team

"webApplicationInfo": {
    "id": "XXxxXXXXX-XxXX-xXXX-XXxx-XXXXXXXxxxXX",
    "resource": "https://RscBasedStoreApp",
    "applicationPermissions": [
        "TeamSettings.Read.Group",
        "TeamSettings.ReadWrite.Group",
        "ChannelSettings.Read.Group",
        "ChannelSettings.ReadWrite.Group",
        "Channel.Create.Group",
        "Channel.Delete.Group",
        "ChannelMessage.Read.Group",
        "TeamsAppInstallation.Read.Group",
        "TeamsTab.Read.Group",
        "TeamsTab.Create.Group",
        "TeamsTab.ReadWrite.Group",
        "TeamsTab.Delete.Group",
        "TeamMember.Read.Group",
        "TeamsActivity.Send.Group"
    ]
  }

Example for RSC in a chat

"webApplicationInfo": {
    "id": "XXxxXXXXX-XxXX-xXXX-XXxx-XXXXXXXxxxXX",
    "resource": "https://RscBasedStoreApp",
    "applicationPermissions": [
        "ChatSettings.Read.Chat",
        "ChatSettings.ReadWrite.Chat",
        "ChatMessage.Read.Chat",
        "ChatMember.Read.Chat",
        "Chat.Manage.Chat",
        "TeamsTab.Read.Chat",
        "TeamsTab.Create.Chat",
        "TeamsTab.Delete.Chat",
        "TeamsTab.ReadWrite.Chat",
        "TeamsAppInstallation.Read.Chat",
        "OnlineMeeting.ReadBasic.Chat",
        "Calls.AccessMedia.Chat",
        "Calls.JoinGroupCalls.Chat",
        "TeamsActivity.Send.Chat"
    ]
  }

Note

If the app is meant to support installation in both team and chat scopes, then both team and chat permissions can be specified in the same manifest under applicationPermissions.

Sideload your app in Teams

If your Teams admin allows custom app uploads, you can sideload your app directly to a specific team or chat.

Check your app for added RSC permissions

Important

The RSC permissions are not attributed to a user. Calls are made with app permissions, not user delegated permissions. The app can be allowed to perform actions that the user cannot, such as deleting a tab. You must review the team owner's or chat owner's intent for your use before making RSC API calls. For more information, see Microsoft Teams API overview.

After the app has been installed to a resource, you can use Graph Explorer to view the permissions that have been granted to the app in the resource.

Check your app for added RSC permissions in a team

Get the team's groupId from Teams.
In Teams, select Teams from the leftmost pane.
Select the team where the app is to be installed.
Select the ellipses ●●● for that team.
Select Get link to team from the team dropdown menu.
Copy and save the groupId value from the Get a link to the team pop-up dialog box.
Sign in to Graph Explorer.
Make a GET call to this endpoint: https://graph.microsoft.com/beta/teams/{teamGroupId}/permissionGrants. The clientAppId field in the response will map to the webApplicationInfo.id specified in the Teams app manifest.

For more information on how to get details of the apps installed in a specific team, see get the names and other details of apps installed in the specified team.

Check your app for added RSC permissions in a chat

Get the chat thread ID from the Teams web client.
In the Teams web client, select Chat from the leftmost pane.
Select the chat where the app is installed from the dropdown menu.
Copy the web URL and save the chat thread ID from the string.
Sign in to Graph Explorer.
Make a GET call to the following endpoint: https://graph.microsoft.com/beta/chats/{chatId}/permissionGrants. The clientAppId field in the response will map to the webApplicationInfo.id specified in the Teams app manifest.

For more information on how to get details of apps installed in a specific chat, see get the names and other details of apps installed in the specified chat.

Code sample

Sample name	Description	.NET	Node.js
Resource-Specific Consent (RSC)	Use RSC to call Graph APIs.	View	View

Resource-specific permissions

Resource-specific permissions for a team

Resource-specific permissions for a chat

Enable RSC in your application

Register your app with Microsoft identity platform using the Azure AD portal

Review your application permissions in the Azure AD portal

Obtain an access token from the Microsoft identity platform

Update your Teams app manifest

Sideload your app in Teams

Check your app for added RSC permissions

Check your app for added RSC permissions in a team

Check your app for added RSC permissions in a chat

Code sample

See also

Feedback

Resource-specific consent

Resource-specific permissions

Resource-specific permissions for a team

Resource-specific permissions for a chat

Enable RSC in your application

Configure consent settings

Configure group owner consent settings for RSC in a team using the Azure AD portal

Configure chat owner consent settings for RSC in a chat using the Microsoft Graph APIs

Register your app with Microsoft identity platform using the Azure AD portal

Review your application permissions in the Azure AD portal

Obtain an access token from the Microsoft identity platform

Update your Teams app manifest

Manifest changes for resource-specific consent

Sideload your app in Teams

Check your app for added RSC permissions

Check your app for added RSC permissions in a team

Check your app for added RSC permissions in a chat

Code sample

See also

Feedback