0 Votes
alexandreg asked martamasson edited

Connecting a Logic App to Microsoft Teams with Managed Identity

I'm currently creating a Logic App workflow to send a message to a Microsoft Teams channel when it is triggered by an HTTP request. I am using the "Post a message to a channel as the flow bot" action.

However, I'm currently using my personal account as a connection, which is a bad practice regarding long term maintainability.

I see that there is an option to connect with a Managed Identity. I successfully enabled the system-assigned Managed Identity for my Logic App by going to the Settings and then the Identity part. However, I do not know how to allow this Managed Identity access to a specific channel on Microsoft Teams to post messages to it. I could not find anything on the web.


Hi alexandreg,

Did you already get it working? I'm also struggling with managed identities. I've created a user-managed identity in a resource group and assigned some roles to it. But I really don't know which role I need to add to the identity.

If you have some information, I would love to hear it!

Regards,

Gerco

0 Votes 0 ·

Hi! Unfortunately no, I was unsuccessful. I moved to the Incoming Webhook connector to send messages to Teams. I hope that Microsoft will improve this feature and create some docs around it, as it's clearly lacking ATM. They should not release something when it's not finished, it's frustrating for the end user.

0 Votes 0 ·
2 Votes
Sam-Cogan answered martamasson edited

Your managed identity needs permissions to talk to the Teams API; in particular, it needs to be able to access the Teams parts of the Graph API. A managed identity is just an AAD application behind the scenes, so you can grant API rights to it. This article shows a script for granting access to Managed Identities to the Graph API. This page details the various Teams APIs.


Thank you Sam, I'm going to try that!

0 Votes 0 ·

Did you figure out which Graph API permissions were needed to post messages as the Flow bot? I am struggling to find any information about posting as Flow bot in the Graph API Teams documentation.

0 Votes 0 ·

Hi! I suggest that you use the Incoming Webhook connector in your Teams channel instead. You can send messages easily through an HTTP POST request, with the following body (markdown supported):

    {
        "title": "My message title",
        "text": "Hello everyone"
    }

1 Vote 1 ·
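The webhook POST suggested in the comment above, as an added example that is not part of the original thread. Anyone who holds an incoming webhook URL can post to the channel, so this sketch treats the URL as a secret: it is read from an environment variable (the name `TEAMS_WEBHOOK_URL` and all function names are assumptions), only accepted over https, and never echoed in full in error messages.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

WEBHOOK_ENV = "TEAMS_WEBHOOK_URL"  # assumed variable name, not from the thread


def build_payload(title: str, text: str) -> bytes:
    """Serialize the two-field body shown in the thread."""
    if not text.strip():
        raise ValueError("text must not be empty")
    return json.dumps({"title": title, "text": text}).encode("utf-8")


def validate_webhook_url(url: str) -> str:
    """Accept only absolute https URLs: the URL itself is the credential."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("webhook URL must be an absolute https URL")
    return url


def redact(url: str) -> str:
    """Loggable form of the URL: host only, secret path and query dropped."""
    return f"https://{urlsplit(url).hostname}/<redacted>"


def post_message(url: str, title: str, text: str, timeout: float = 10.0) -> int:
    """POST the message and return the HTTP status code."""
    req = urllib.request.Request(
        validate_webhook_url(url),
        data=build_payload(title, text),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        raise RuntimeError(f"webhook {redact(url)} returned HTTP {exc.code}") from None
    except urllib.error.URLError as exc:
        raise RuntimeError(f"webhook {redact(url)} unreachable: {exc.reason}") from None


if __name__ == "__main__":
    url = os.environ.get(WEBHOOK_ENV)
    if not url:
        raise SystemExit(f"set {WEBHOOK_ENV} to the channel's webhook URL")
    print(post_message(url, "My message title", "Hello everyone"))
```
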

So, what I can gather by following the Teams API page Sam-Cogan posted above, to here: https://docs.microsoft.com/en-us/graph/api/channel-post-messages?view=graph-rest-1.0&tabs=http, it looks like the Application:Teamwork.Migrate.All is the permission needed for a system-assigned identity to be able to send chatMessage in a Teams channel. I tried using the other article he mentioned for granting access to the Graph API to add that specific permission to my managed identity. I still receive an error trying to configure the connector, that it does not have permissions. I checked the audit log for my managed identity and it is successfully authenticating, so I believe that this is still an authorization issue somewhere. Can anybody detail the exact permissions to configure on the managed identity to be able to post a message to a Teams channel? Am I at least on the right track here and just missing some base level permission for accessing Teams in the first place?

0 Votes 0 ·

It will not work. It is not supported yet. This permission is for migration purposes only :/
We will need to wait a little bit more or use delegated, which requires someone's credentials.

That's what migration means: https://docs.microsoft.com/en-us/microsoftteams/platform/graph-api/import-messages/import-external-messages-to-teams

0 Votes 0 ·
0 Votes
OJAAE-9234 answered MSKP-2732 commented

Assigned literally every API-permission to the managed identity. Doesn't work.
That said, the feature is still in preview.


Was anyone able to get this working? I have a similar requirement.

0 Votes 0 ·