question

Maxim-6116 avatar image
0 Votes"
Maxim-6116 asked Mamatha-MSFT commented

Why is the access request required for Protected APIs in Microsoft Teams?

According to the resources: https://docs.microsoft.com/en-us/graph/api/subscription-post-subscriptions?view=graph-rest-beta&tabs=http https://github.com/microsoftgraph/java-spring-webhooks-sample I've created the notification endpoints in my MS Teams bot, created two subscriptions for two different organizations, using the access token received by the client credentials flow for corresponding tenantId. And I could receive the notification of adding new messages in channels of two organization. Regarding to the documentation https://docs.microsoft.com/en-us/graph/teams-protected-apis I need to request the access for the protected API of subscription creating, but everything works well for two different organizations without such request. Why is such request required? And why is Creating subscription for new channel messages is protected?

office-teams-app-devmicrosoft-graph-teamworkmicrosoft-graph-sdk
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@Maxim-6116 : Taking this for internal discussion with team, I will update you with resolution.

0 Votes 0 ·

Hi @Maxim-6116 I have raised a bug and concern team is working on it.

0 Votes 0 ·

1 Answer

Deva-MSFT avatar image
0 Votes"
Deva-MSFT answered Maxim-6116 commented

Microsoft Teams APIs in Microsoft Graph that access sensitive data are considered protected APIs. So these APIs require that you have additional validation, beyond permissions and consent, before you can use them. For more info, refer and the list of APIs.


· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

"Create subscription for new channel messages" is protected API according to your documentation link. And we have to request access to this protected API:

To request access to these protected APIs, complete the following request form. We review access requests every Wednesday and deploy approvals every Friday, except during major holiday weeks in the U.S. Submissions during those weeks will be processed the following non-holiday week.

As I described above, I could create sush subscription without creating the access request for this protected API. Why should I complete the following request form if everything works without it?



0 Votes 0 ·