Resource-specific consent (RSC)
Resource-specific consent (RSC) is a Microsoft Teams and Microsoft Graph API integration that enables your app to use API endpoints to manage specific teams within an organization. The resource-specific consent (RSC) permissions model enables team owners to grant consent for an application to access and/or modify a team's data. The granular, Teams-specific, RSC permissions define what an application can do within a specific team:
Resource-specific permissions
Application permission | Action |
---|---|
TeamSettings.Read.Group | Get the settings for this team. |
TeamSettings.ReadWrite.Group | Update the settings for this team. |
ChannelSettings.Read.Group | Get the channel names, channel descriptions, and channel settings for this team. |
ChannelSettings.ReadWrite.Group | Update the channel names, channel descriptions, and channel settings for this team. |
Channel.Create.Group | Create channels in this team. |
Channel.Delete.Group | Delete channels in this team. |
ChannelMessage.Read.Group | Get this team's channel messages. |
TeamsAppInstallation.Read.Group | Get a list of this team's installed apps. |
TeamsTab.Read.Group | Get a list of this team's tabs. |
TeamsTab.Create.Group | Create tabs in this team. |
TeamsTab.ReadWrite.Group | Update this team's tabs. |
TeamsTab.Delete.Group | Delete this team's tabs. |
TeamMember.Read.Group | Get this team's members. |
Note
Resource-specific permissions are only available to Teams apps installed on the Teams client and are currently not part of the Azure Active Directory portal.
Enable resource-specific consent in your application
The steps for enabling RSC in your application are as follows:
- Configure group owner consent settings in the Azure Active Directory portal.
- Register your app with Microsoft identity platform via the Azure AD portal.
- Review your application permissions in the Azure AD portal.
- Obtain an access token from the Microsoft Identity platform.
- Update your Teams app manifest.
- Install your app directly in Teams.
- Check your app for added RSC permissions.
Configure group owner consent settings in the Azure AD portal
You can enable or disable group owner consent directly within the Azure portal:
- Sign in to the Azure portal as a Global Administrator/Company Administrator.
- Select Azure Active Directory => Enterprise applications => Consent and permissions => User consent settings.
- Enable, disable, or limit group owner consent with the control labeled Group owner consent for apps accessing data (the default is Allow group owner consent for all group owners). For a team owner to install an app that uses RSC, group owner consent must be enabled for that user; if it is disabled or limited, the RSC install fails for that owner.
To enable or disable group owner consent within the Azure portal using PowerShell, follow the steps outlined in Configure group owner consent using PowerShell.
Register your app with Microsoft identity platform via the Azure AD portal
The Azure Active Directory portal provides a central platform for you to register and configure your apps. Your app must be registered in the Azure AD portal to integrate with the Microsoft identity platform and call Microsoft Graph APIs. See Register an application with the Microsoft identity platform.
Warning
Do not register multiple Teams apps to the same Azure AD app id. The app id must be unique for each app. Attempts to install multiple apps to the same app id will fail.
Review your application permissions in the Azure AD portal
Navigate to the Home => App registrations page and select your RSC app. Choose API permissions from the left nav bar and examine the list of configured permissions for your app. If your app will only make RSC Graph API calls, delete all the permissions on that page: an RSC-only app needs no Azure AD API permissions, and leaving unused ones configured gives the registration more reach than the app requires. If your app will also make non-RSC calls, keep only the permissions those calls need.
Important
The Azure AD portal cannot be used to request RSC permissions. RSC permissions are currently exclusive to Teams applications installed in the Teams client and are declared in the app manifest (JSON) file.
Obtain an access token from the Microsoft identity platform
To make Graph API calls, you must obtain an access token for your app from the identity platform. Before your app can get a token from the Microsoft identity platform, it must be registered in the Azure AD portal. The access token contains information about your app and the permissions it has for the resources and APIs available through Microsoft Graph.
You'll need to have the following values from the Azure AD registration process to retrieve an access token from the identity platform:
- The Application ID assigned by the app registration portal. If your app supports single sign-on (SSO), use the same Application ID for your app and for SSO.
- The Client secret/password or a public/private key pair (Certificate). This is not required for native apps.
- A Redirect URI (or reply URL) for your app to receive responses from Azure AD.
See Get access on behalf of a user and Get access without a user.
Update your Teams app manifest
The RSC permissions are declared in your app manifest (JSON) file. Add a webApplicationInfo key to your app manifest with the following values:
- id: your Azure AD app id. See Register your app in the Azure AD portal.
- resource: any string. RSC does not use this field, but it must be present with a non-empty value or the manifest is rejected with an error; any string will do.
- applicationPermissions: the RSC permissions for your app. Use only the names listed under Resource-specific Permissions above.
Important
Non-RSC permissions are stored in the Azure portal. Do not add them to the app manifest.
```json
"webApplicationInfo": {
  "id": "XXxxXXXXX-XxXX-xXXX-XXxx-XXXXXXXxxxXX",
  "resource": "https://RscBasedStoreApp",
  "applicationPermissions": [
    "TeamSettings.Read.Group",
    "ChannelMessage.Read.Group",
    "TeamSettings.ReadWrite.Group",
    "ChannelSettings.ReadWrite.Group",
    "Channel.Create.Group",
    "Channel.Delete.Group",
    "TeamsAppInstallation.Read.Group",
    "TeamsTab.Read.Group",
    "TeamsTab.Create.Group",
    "TeamsTab.ReadWrite.Group",
    "TeamsTab.Delete.Group",
    "TeamMember.Read.Group"
  ]
}
```
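Because the manifest is the only place RSC permissions are declared, a misspelled or non-RSC name is not caught by the Azure AD portal. The following linter is an added example (not Microsoft's code) that checks the webApplicationInfo block against the rules above: the id must be a GUID, resource must be a non-empty string, and every entry in applicationPermissions must be one of the permissions in the table on this page. Permissions that modify the team are flagged for review, since the app will hold them with application rather than user privileges. The manifest fragment it runs on is constructed for the example.

```python
import json
import re

# RSC permissions listed in the table on this page. Only these names are
# valid in webApplicationInfo.applicationPermissions.
DOCUMENTED_RSC_PERMISSIONS = {
    "TeamSettings.Read.Group", "TeamSettings.ReadWrite.Group",
    "ChannelSettings.Read.Group", "ChannelSettings.ReadWrite.Group",
    "Channel.Create.Group", "Channel.Delete.Group",
    "ChannelMessage.Read.Group",
    "TeamsAppInstallation.Read.Group",
    "TeamsTab.Read.Group", "TeamsTab.Create.Group",
    "TeamsTab.ReadWrite.Group", "TeamsTab.Delete.Group",
    "TeamMember.Read.Group",
}

# Permissions that let the app change the team. Once a team owner consents
# they run with app, not user, privileges, so they deserve a second look.
WRITE_MARKERS = (".ReadWrite.", ".Create.", ".Delete.")

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def lint_web_application_info(manifest: dict) -> dict:
    """Check manifest["webApplicationInfo"]; return {"errors": [...], "warnings": [...]}."""
    errors, warnings = [], []
    info = manifest.get("webApplicationInfo")
    if not isinstance(info, dict):
        return {"errors": ["webApplicationInfo is missing"], "warnings": []}

    app_id = info.get("id", "")
    if not GUID_RE.match(str(app_id)):
        errors.append(f"id {app_id!r} is not an Azure AD application id (GUID)")

    # RSC ignores resource, but the manifest is rejected if it is absent or empty.
    resource = info.get("resource")
    if not isinstance(resource, str) or not resource:
        errors.append("resource must be a non-empty string")

    perms = info.get("applicationPermissions")
    if not isinstance(perms, list):
        errors.append("applicationPermissions must be a list")
        perms = []

    seen = set()
    for perm in perms:
        if not isinstance(perm, str):
            errors.append(f"{perm!r} is not a permission name")
            continue
        if perm in seen:
            warnings.append(f"{perm} is declared more than once")
            continue
        seen.add(perm)
        if perm in DOCUMENTED_RSC_PERMISSIONS:
            if any(marker in perm for marker in WRITE_MARKERS):
                warnings.append(f"{perm} lets the app modify the team; confirm it is needed")
        elif perm.endswith(".Group"):
            errors.append(f"{perm} is not a documented RSC permission")
        else:
            # A Graph permission such as User.Read belongs in the Azure AD app
            # registration, not in the Teams manifest.
            errors.append(f"{perm} is not an RSC permission; request it in the Azure AD portal instead")
    return {"errors": errors, "warnings": warnings}


def lint_manifest_text(text: str) -> dict:
    """Same check, starting from the manifest's JSON text."""
    return lint_web_application_info(json.loads(text))


# Constructed manifest fragment for this example (not from the page). It mixes
# a valid read permission, a misspelled one, a delete permission and a
# non-RSC Graph permission.
SAMPLE_MANIFEST_TEXT = """
{
  "webApplicationInfo": {
    "id": "12345678-abcd-4321-abcd-1234567890ab",
    "resource": "https://RscBasedStoreApp",
    "applicationPermissions": [
      "TeamSettings.Read.Group",
      "TeamSettings.Edit.Group",
      "Channel.Delete.Group",
      "User.Read"
    ]
  }
}
"""

if __name__ == "__main__":
    for kind, items in lint_manifest_text(SAMPLE_MANIFEST_TEXT).items():
        for item in items:
            print(f"{kind[:-1]}: {item}")
```

Run it against the real manifest.json before packaging the app; the "is not a documented RSC permission" error is exactly what a stale preview name such as TeamSettings.Edit.Group produces.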
Install your app directly in Teams
Once you've created your app you can upload your app package directly to a specific team. To do so, the Upload custom apps policy setting must be enabled as part of the custom app setup policies. See Custom app policy settings.
Check your app for added RSC permissions
Important
RSC permissions are granted to the app, not to the user who installed it. Calls are made with application permissions, not delegated permissions, so the app may be allowed to perform actions that the user cannot, such as creating a channel or deleting a tab. Before making RSC API calls, confirm that the action matches what the team owner intended when consenting. See Microsoft Teams API overview.
Once the app has been installed to a team, you can use Graph Explorer to view the permissions that have been granted to the app in a team:
- Get the team's groupId from the Teams client:
  - In the Teams client, select Teams from the far left nav bar.
  - Select the team where the app is installed from the drop-down menu.
  - Select the More options icon (⋯).
  - Select Get link to team.
  - Copy and save the groupId value from the link.
- Log into Graph Explorer.
- Make a GET call to the following endpoint: https://graph.microsoft.com/beta/groups/{teamGroupId}/permissionGrants. The clientAppId field in each returned grant maps to the id specified in the webApplicationInfo section of the Teams app manifest.
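The same check can be scripted so it runs after every install. The following is an added example (not Microsoft's code) that ties together the two earlier steps: it obtains an app-only token with the OAuth 2.0 client credentials grant described under "Get access without a user", calls the permissionGrants endpoint above, and then reconciles the grants returned for the app's id against the permissions declared in the manifest, reporting what is granted, what was declared but not granted (those calls will fail) and what is granted but no longer declared (stale consent worth removing). Two assumptions: the caller's token must itself be authorized to read the group's grants (the page does this with a signed-in user in Graph Explorer; the reconcile step works on either response), and the sample response is constructed here, with clientAppId taken from the page and the other field names following the Graph resourceSpecificPermissionGrant type.

```python
import json
import urllib.parse
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"


def get_app_only_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """OAuth 2.0 client credentials grant ("Get access without a user").

    Returns an app-only Graph access token. The secret comes from the Azure AD
    app registration; keep it out of the Teams app package.
    """
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def fetch_permission_grants(token: str, group_id: str) -> dict:
    """GET /beta/groups/{groupId}/permissionGrants, the call shown above."""
    req = urllib.request.Request(
        f"{GRAPH_BETA}/groups/{urllib.parse.quote(group_id)}/permissionGrants",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def reconcile_grants(grants: dict, app_id: str, declared: set) -> dict:
    """Compare the grants the team holds for app_id with the manifest's list."""
    entries = grants.get("value", [])
    granted = {
        g["permission"] for g in entries
        if g.get("clientAppId", "").lower() == app_id.lower()
    }
    other_apps = sorted({
        g["clientAppId"] for g in entries
        if g.get("clientAppId", "").lower() != app_id.lower()
    })
    return {
        "granted": sorted(granted),
        "missing": sorted(declared - granted),      # declared, not granted: calls fail
        "unexpected": sorted(granted - declared),   # granted, not declared: stale consent
        "other_apps_with_grants": other_apps,       # other RSC apps in this team
    }


# Constructed response for this example (assumed field names, see lead-in).
# 00000003-0000-0000-c000-000000000000 is the Microsoft Graph application id.
APP_ID = "12345678-abcd-4321-abcd-1234567890ab"
OTHER_APP_ID = "ffffffff-0000-0000-0000-000000000001"
SAMPLE_GRANTS = {"value": [
    {"id": "g1", "clientAppId": APP_ID, "clientId": "sp-1",
     "permission": "TeamSettings.Read.Group", "permissionType": "Application",
     "resourceAppId": "00000003-0000-0000-c000-000000000000"},
    {"id": "g2", "clientAppId": APP_ID, "clientId": "sp-1",
     "permission": "Channel.Delete.Group", "permissionType": "Application",
     "resourceAppId": "00000003-0000-0000-c000-000000000000"},
    {"id": "g3", "clientAppId": OTHER_APP_ID, "clientId": "sp-2",
     "permission": "ChannelMessage.Read.Group", "permissionType": "Application",
     "resourceAppId": "00000003-0000-0000-c000-000000000000"},
]}
# What the manifest declares (constructed for the example).
DECLARED = {"TeamSettings.Read.Group", "TeamMember.Read.Group"}

if __name__ == "__main__":
    # Live use: token = get_app_only_token(tenant_id, APP_ID, client_secret)
    #           grants = fetch_permission_grants(token, team_group_id)
    print(json.dumps(reconcile_grants(SAMPLE_GRANTS, APP_ID, DECLARED), indent=2))
```

In the constructed sample the team still holds Channel.Delete.Group for the app although the manifest no longer declares it; that is the case the "unexpected" list exists for, because a grant that outlives its declaration is privilege the app can still exercise.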