Getting "AclCheckFailed" error while fetching channel messages for Teams

Tarun George Koshy 71

Hi,

WE get the following error while trying to get messages of a teams channel using the Graph API(channel-list-messages and chatmessage-list-replies )

Status Code: Forbidden   
{  
  "code": "Forbidden",  
  "message": {"errorCode":209,  
     "message":{  
     "subCode": "AclCheckFailed",  
     "details": "The initiator 28:app:22da2fa9-f8e7-4f8c-a588-a72b6896d459_2b99b040-b3...  
}

I have checked the Graph API documentation and there is no mention of the errorCode 209 or subCode "AclCheckFailed". I can confirm that the the Protected API's permission needed for this API has been requested and approved. Also, The necessary application permissions "ChannelMessage.Read.All" has been granted by admin for the app.

I don't have the request-id, client-request-id and the additional error details. I wanted to know, if there are any circumstances that might cause this error code for the above APIs. And if there is a solution to fix it.

CarlZhao-MSFT 36,976 Reputation points

2022-04-25T09:09:22.577+00:00

@Tarun George Koshy Can you use https://jwt.ms/ to parse the access token and share a screenshot?
Tarun George Koshy 71 Reputation points

2022-04-25T09:20:52.917+00:00

@CarlZhao-MSFT

Unfortunately, this error is not through the app we use in our dev environment. Hence, we will not able to get the token (or) other details apart from the error message mentioned above. Since, this might not be enough information, I was hoping to know if there is any information on the error code/subcode in general.
CarlZhao-MSFT 36,976 Reputation points

2022-04-25T09:27:02.977+00:00

@Tarun George Koshy OK, what authentication flow are you using to get the token?
Tarun George Koshy 71 Reputation points

2022-04-25T09:38:51.727+00:00

@CarlZhao-MSFT

Client Credentials flow, using clientid, client secret and tenant
CarlZhao-MSFT 36,976 Reputation points

2022-04-25T09:42:04.397+00:00

@Tarun George Koshy Can you use postman for testing?
Tarun George Koshy 71 Reputation points

2022-04-25T09:50:10.227+00:00

@CarlZhao-MSFT

Unforunately that is not possible as well. I understand it's not much debug information to go by. that's why I was hoping any general information of the error would be helpful
CarlZhao-MSFT 36,976 Reputation points

2022-04-25T10:25:30.697+00:00

@Tarun George Koshy I'm not sure if application permissions require that your team and channel must have been created in a migrated state, maybe you could try using delegated permissions to see result how.
Nivedipa-MSFT 2,806 Reputation points Microsoft Vendor

2022-04-26T06:49:57.98+00:00

@Tarun George Koshy - Could you please share request id,timestamp and API details to further investigate the issue?
Tarun George Koshy 71 Reputation points

2022-04-26T10:56:35.217+00:00

@CarlZhao-MSFT

Using application permissions is a requirement, so it is not possible to change and test that. Could you expand on part about migrated state (or) link to the documentation about it? If there is nothing more to add on the AclCheck, I think I am good for now.
Tarun George Koshy 71 Reputation points

2022-04-27T08:00:55.29+00:00

@Nivedipa-MSFT

I do not have the details of the request id since this has not occured in our environment. The API used that throws these error is (https://learn.microsoft.com/en-us/graph/api/channel-list-messages?view=graph-rest-1.0&tabs=http and https://learn.microsoft.com/en-us/graph/api/chatmessage-list-replies?view=graph-rest-1.0&tabs=http)

I am not looking for the solution through this question, but rather I would like to know what this error code ACLCheckFailed means or any information about it. Since there is no mention of it in the documentation: https://learn.microsoft.com/en-us/graph/errors
CarlZhao-MSFT 36,976 Reputation points

2022-04-27T08:30:40.06+00:00

@Tarun George Koshy The 209 error code doesn't seem to be documented in the documentation. I found a similar thread that you can refer to: https://stackoverflow.com/questions/71390248/graph-api-sending-message-to-a-channel-fails-as-forbidden-thread-is-not-marked
Tarun George Koshy 71 Reputation points

2022-04-27T13:07:39.327+00:00

@CarlZhao-MSFT

Thank you for that info, even though the error "ACLCheckFailed" is not the same, it gives some idea of the sub code 209 and what might be causing it. If I happen to get more information such as the request-id/timestamp , should I add it in this thread, or shall I create a new one then and mark this as answered?
CarlZhao-MSFT 36,976 Reputation points

2022-04-28T02:03:14.367+00:00

@Tarun George Koshy You should add it to this thread. If you already have the request-id/timestamp, maybe I can query the logs for you :)
Němečková Hana 1 Reputation point

2023-01-05T07:10:38.293+00:00

I had this error when my user was kicked from the chat.

Abdul Samad 0

I am getting the same error while sending the message to a channel.

{
  "code": "Forbidden",
  "message": "{\"errorCode\":209,\"message\":\"{\\\"subCode\\\":\\\"AclCheckFailed\\\",\\\"details\\\":\\\"The initiator 28:app:3985af47-bd3c-4c92-bf02-437e3141fd57_9a442054-a788-4540-a7f8-451b1e062641 is not a member of the roster 92:0cff03f0495f4823a51c506a6e4c40eb@thread.tacv2 in the generic thread 19:0cff03f0495f4823a51c506a6e4c40eb@thread.tacv2\\\",\\\"errorCode\\\":null,\\\"errorSubCode\\\":null}\",\"standardizedError\":{\"errorCode\":209,\"errorSubCode\":1,\"errorDescription\":\"AclCheckFailed-The initiator 28:app:3985af47-bd3c-4c92-bf02-437e3141fd57_9a442054-a788-4540-a7f8-451b1e062641 is not a member of the roster 92:0cff03f0495f4823a51c506a6e4c40eb@thread.tacv2 in the generic thread 19:0cff03f0495f4823a51c506a6e4c40eb@thread.tacv2\"}}",
  "innerError": {
    "date": "2023-01-26T05:59:39",
    "request-id": "0f45ee3c-3c7d-4207-af1e-f729ddae4001",
    "client-request-id": "25a55247-3810-9f10-f5af-b99c90b4e6a0"
  }
}

Is there any necessary permission I am missing?
I have given the following permissions

Channel.Create	Delegated	Create channels	Yes	Granted for MYTEAM
Channel.Delete.All	Delegated	Delete channels	Yes	Granted for MYTEAM
Channel.ReadBasic.All	Delegated	Read the names and descriptions of channels	No	Granted for MYTEAM
ChannelMessage.Edit	Delegated	Edit user's channel messages	No	Granted for MYTEAM
ChannelMessage.Read.All	Delegated	Read user channel messages	Yes	Granted for MYTEAM
ChannelMessage.ReadWrite	Delegated	Read and write user channel messages	Yes	Granted for MYTEAM
ChannelMessage.Send	Delegated	Send channel messages	No	Granted for MYTEAM
ChannelSettings.Read.All	Delegated	Read the names, descriptions, and settings of channels	Yes	Granted for MYTEAM
ChannelSettings.ReadWrite.All	Delegated	Read and write the names, descriptions, and settings of channels	Yes	Granted for MYTEAM
ChatMessage.Read	Delegated	Read user chat messages	No	Granted for MYTEAM
ChatMessage.Send	Delegated	Send user chat messages	No	Granted for MYTEAM
Directory.AccessAsUser.All	Delegated	Access directory as the signed in user	Yes	Granted for MYTEAM
Directory.ReadWrite.All	Delegated	Read and write directory data	Yes	Granted for MYTEAM
Group.Read.All	Delegated	Read all groups	Yes	Granted for MYTEAM
Group.ReadWrite.All	Delegated	Read and write all groups	Yes	Granted for MYTEAM
GroupMember.Read.All	Delegated	Read group memberships	Yes	Granted for MYTEAM
GroupMember.ReadWrite.All	Delegated	Read and write group memberships	Yes	Granted for MYTEAM
offline_access	Delegated	Maintain access to data you have given it access to	No	Granted for MYTEAM
Team.Create	Delegated	Create teams	No	Granted for MYTEAM
Team.ReadBasic.All	Delegated	Read the names and descriptions of teams	No	Granted for MYTEAM
UnifiedGroupMember.Read.AsGuest	Delegated	Read unified group memberships as guest	Yes	Granted for MYTEAM
User.Read	Delegated	Sign in and read user profile	No	Granted for MYTEAM
User.ReadWrite	Delegated	Read and write access to user profile	No	Granted for MYTEAM

4 answers

CarlZhao-MSFT 36,976 Reputation points

2022-04-26T09:58:44.28+00:00

Hi @Tarun George Koshy

I'm not sure if application permissions require that your team and channel must have been created in a migrated state, maybe you could try using delegated permissions to see result how.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
ChetanSharmamsft 1,026 Reputation points Microsoft Vendor

2023-01-16T06:04:48.8633333+00:00

Hello Němečková Hana - Please let us know if you are still facing this issue?
If yes, could you please share the request id, timestamp and API details to further investigate the issue?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Wilson Ricardo Olarte Martínez 21 Reputation points

2023-06-23T21:50:35.2333333+00:00

Hi. I have the same error message: AclCheckFailed-The initiator my app gets the token correctly but using the api: https://graph.microsoft.com/v1.0/chats/xxxxxxxxxxxxxxxxxx/messages it doesn't work anymore

Now i can reply this seach from Postman, i can see this error

Before it worked correctly

Before it worked correctly
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Naga Dheeraj M 20 Reputation points

2024-03-28T08:21:27.0533333+00:00

https://learn.microsoft.com/en-us/graph/api/chat-delete?view=graph-rest-1.0&tabs=http

Notes: This operation is not supported for non-admin users. Only tenant admins for the user who initiated the chat can delete the chat. For example, if a user from tenant A creates a thread and then adds a user from tenant B, only the admin from tenant A can delete the thread. This API deletes 1:1 chats, meeting chats, and group chat threads. It does not delete channel chat threads. After chats are deleted, tenant admins have seven days to restore them. Chats deleted for more than seven days can't be restored. One delete request per second per tenant is allowed.

I guess the problem is that the chat is initiated by a user who is under a different tenant and it can't be deleted by your tenant admin.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment