question

DenisSumin-8978 avatar image
0 Votes"
DenisSumin-8978 asked DenisSumin-8978 answered

Access denied for appCatalogs/teamsApps

I'm calling https://graph.microsoft.com/v1.0/appCatalogs/teamsApps to find id of my app, but I'm getting AccessDenied error.

This looks like a Graph bug because my app has all the necessary permissions to access the Teams Apps list.

The application flow description:
1. Ask for the Admin consent using https://login.microsoftonline.com/${tenantId}/adminconsent?client_id=${clientId}&redirect_uri=${redirectUrl}
2. Obtain the access token from Graph API /api/getToken?tenantId=${tenantId}&secret=${secret}
3. Use "@microsoft/microsoft-graph-client" to access /appCatalogs/teamsApps
4. Receive { "error": { "code": "Forbidden", "message": "Forbidden" } }

App permissions:
AppCatalog.Read.All
Chat.Read.All
Directory.AccessAsUser.All
Directory.Read.All
Group.Read.All
TeamsAppInstallation.ReadWriteForUser.All
TeamsAppInstallation.ReadWriteSelfForUser.All
User.Read.All
TeamsApp.Read.All




office-teams-app-devmicrosoft-graph-teamwork
· 4
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Adding right tags/teams to assist.

In the meantime to isolate the issue and outside of your code, can you repro the issue with POSTMAN/Graph Explorer as well?

0 Votes 0 ·

@Deva-MSFT No, I can't reproduce it with Graph Explorer.
It works when I use MSAL and it doesn't when I request a token from https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token

I have other queries working, I can read all users and their installed apps, this is the only query when I'm getting access denied.

0 Votes 0 ·

@DenisSumin-8978 - List teamsApp does not support the application permissions. Could you please try adding the delegated permissions ? try if that helps.

0 Votes 0 ·
Show more comments

1 Answer

DenisSumin-8978 avatar image
0 Votes"
DenisSumin-8978 answered

MS Graph, for now, doesn't support this query from the autonomous application, and only the user can query this data.
My workaround is: get installed applications from the user who has already installed the app and read the id from the result.

const { Client } = require("@microsoft/microsoft-graph-client");
const client = Client.init({ ... });
const response = await client
  .api(`/users/${userId}/teamwork/installedApps`)
  .expand("teamsApp")
  .filter(`teamsApp/displayName eq '${appName}'`)
  .get();
const internalAppId = response?.value[0]?.teamsApp.id;


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.