question

AlexBerin-0572 avatar image
0 Votes"
AlexBerin-0572 asked saldana-msft edited

Graph token with MicrosoftTeams 2.0 module

I am trying to use graph authentication token via app registration to query and update Teams collaboration parameters on user account.
Using the latest 2.0 MicrosoftTeams PS module.

I am able to connect and also able to execute Teams specific PS commands such as Get-Team
However I am getting an error running non Teams specific commands such Get-CsOnlineUser. Error appears to be permission specific.

I have granted all possible API permissions (application level), however nothing seems to work.

Any advice would be much appreciated.


Connection string looks as following:

$clientId = "XXXXX"
$tenantId = "YYYYY"
$clientSecret = "ZZZZZZ"

$uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
client_id = $clientId
scope = "https://graph.microsoft.com/.default"
client_secret = $clientSecret
grant_type = "client_credentials"
}

$tokenRequest = Invoke-WebRequest -Method Post -Uri $uri -Body $body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing

$token = ($tokenRequest.Content | ConvertFrom-Json).access_token

Connect-MicrosoftTeams -AadAccessToken $token -MsAccessToken $token -Verbose -AccountId account123@365domain.com


API permissions granted:
Directory.Read.All
Group.Read.All
GroupMember.Read.All
MailboxSettings.Read
OnlineMeetings.Read.All
Organization.Read.All
People.Read.All
Team.ReadBasic.All
TeamMember.Read.All
TeamSettings.Read.All
User.Export.All
User.Read.All
User.ReadWrite.All

Microsoft Teams Graph Service (2)
Graph.ReadWrite.All
ResourceSpecificPermission.Read.All
Microsoft Teams Services (1)
User.Read.All
Skype and Teams Tenant Admin API (1)
application_access

office-teams-windows-itprowindows-server-powershelloffice-teams-app-devmicrosoft-graph-sdk
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@AlexBerin-0572,

As we are mainly responsible for general problem of Microsoft Teams, your question related to script is not supported by us. I will add office-teams-app-dev tag. Thanks for your understanding.

Currently, Skype for Business Online Connector is part of the latest Teams PowerShell. Please check if you follow the correct installation steps as this article.




Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

0 Votes 0 ·
KartheekRaparthy-6860 avatar image
0 Votes"
KartheekRaparthy-6860 answered

Could you please share the cmdlets and error message what you are getting while running.
could you please share the exact teams module version 2.0 or any preview version you are using

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AlexBerin-0572 avatar image
0 Votes"
AlexBerin-0572 answered

Absolutely. On top of the commands listed in the original post, I as using these cmdlets:
Get-Teams - successful
Get-CsOnlineUser - failing

Error message:
Exception calling "GetSteppablePipeline" with "1" argument(s): "Exception calling "GetRemoteNewCsOnlineSession" with "1" argument(s): "Run either
Connect-MicrosoftTeams or new-csonlinesession before running cmdlets.""
At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.0.0\net472\SfBORemotePowershellModule.psm1:9474 char:13
+ $steppablePipeline = $scriptCmd.GetSteppablePipeline($myI ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : CmdletInvocationException

Installed Teams module 2.0.0:
2.0.0 MicrosoftTeams PSGallery

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

KartheekRaparthy-6860 avatar image
0 Votes"
KartheekRaparthy-6860 answered

Update: Microsoft has released a preview version (2.1.0) of the Teams PowerShell module which works properly with modern authentication. It’s likely that this version will be pushed through to general availability quite quickly.
Please go through this link for more information.



5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AlexBerin-0572 avatar image
0 Votes"
AlexBerin-0572 answered SajeewaWarnakulasuriya-1263 commented

Hi Kaktheek,

I don't believe this is an MA issue as I am able to execute Teams specific cmdlets, but not voice related (previous SFBO module) cmdlets. To me it looks that Graph API permissions are missing for the "application" level.
Tried installing latest preview module and getting the same result. Teams cmdlets work, but voice cmdlets don't.

Get-CsOnlineUser returns:
Get-CsOnlineSession : Run Connect-MicrosoftTeams before running cmdlets.
At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.2.0\net472\SfBORemotePowershellModule.psm1:57 char:22
+ $remoteSession = & (Get-CsOnlineSessionCommand)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-CsOnlineSession], UnauthorizedAccessException
+ FullyQualifiedErrorId : UnauthorizedAccessException,Microsoft.Teams.ConfigApi.Cmdlets.GetCsOnlineSession


Invoke-Command : Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument that is not null or empty, and then try the
command again.
At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.2.0\net472\SfBORemotePowershellModule.psm1:9480 char:38
+ ... -Session (Get-PSImplicitRemotingSession -CommandName 'Get-CsOnline ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-Command], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi all,

Has anyone been able to resolve this issue?

Kind Regards,

0 Votes 0 ·
AlexanderBerinA-2515 avatar image
1 Vote"
AlexanderBerinA-2515 answered

Not yet, no solution so far

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Wajeed-MSFT avatar image
0 Votes"
Wajeed-MSFT answered syedafzalali2 commented

You can only use app permissions to run the Teams cmdlets at this point. The non-Teams specific ones like Get-CsOnlineUser aren't supported for app permission at this point, support is being worked on.

· 5
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thank you. Is there a rough timeline for when this is coming?

0 Votes 0 ·

Thank you Wajeed! Is there rough timeline on this being released as a preview version? We manage many tenancies and this is currently severely affecting us.

0 Votes 0 ·
Mamatha-MSFT avatar image Mamatha-MSFT SajeewaWarnakulasuriya-1263 ·

@ SajeewaWarnakulasuriya-1263, @AlexanderBerinA-2515 - we don't have any ETA to share with you.

0 Votes 0 ·

Our ability to support 150 plus Microsoft customers for calling via direct routing is critically degraded. It is urgent that app permission is made available in the new module.

Module version 2.3.1


0 Votes 0 ·

Do we have a solution to use non teams cmdlets?
We can see the Get-CS commands are working if we use Connect-MicrosoftTeams with credentials but using AadAccessToken, it is not working. Please assist on how to run Get-CsTenant or Get-CsOnlineUser commands when we are using AadAccessToken using silent auth.

0 Votes 0 ·
AZondAbhinandan-8835 avatar image
0 Votes"
AZondAbhinandan-8835 answered

Hi ..it works weird with Module version 2.3.1. When I execute script line by line it works!
98425-image.png


But when I run the script .. it wont work..have all the permissions set exactly same. The error says " Run Connect-MicrosoftTeams before running cmdlets" even though am connected successfully.
98451-image.png



image.png (74.0 KiB)
image.png (215.8 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

sikumars avatar image
0 Votes"
sikumars answered

Hello @AlexBerin-0572,

I hope this thread may help you. Thanks.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Atreidae avatar image
3 Votes"
Atreidae answered

@sikumars-msft Unfortunately, this is not what Alex is referring to.

In summary he, and other admins such as myself are experiencing an issue attempting to run "cs" cmndlets in the MicrosoftTeams PowerShell module when using App or Token authentication.

This is an issue now as the Skype4BOnline module was previously responsible for the "cs" cmdlets like Get-CsUser. That module has now been retired and cant connect to O365 at all. and all the "Cs" cmdlets have been moved into the MicrosoftTeams PS module.

When connecting using the Connect-MicrosoftTeams cmdlet. it silently stores the users credentials and effectively runs a "new-csonlinesession" cmdlet whenever we invoke a "CS" cmdlet

Thats fine if we are providing credentials in an interactive manner, but not effective if we are using automation or authenticating against multiple tenants.
I have seen some PG members suggest storing the username/password in the PowerShell script as a workaround, but this wont work around MFA (and is a massive security risk)

The reason we use AppAuthentication is that users never need to give us their credentials, we don't need to store them, we arent a security risk because all they have to do is approve our app in the Office365 admin centre.

So the question is, when are we going to see some form of app/token/certificate authentication for the CS cmdlets?

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

SjoerdV999 avatar image
0 Votes"
SjoerdV999 answered

Update: Still no improvement on the App Only (Unattended) front in the latest MicrosoftTeams 3.0.0. module. The only reported working method is by using Delegate permissions as stated in the Docs under 'AccessTokens' parameter directions.
If someone has an ETA on something more useful, please post here


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.