Test resource-specific consent permissions in Teams

Resource-specific consent (RSC) is a Microsoft Teams and Graph API integration that enables your app to use API endpoints to manage specific teams within an organization. Please see Resource-specific consent (RSC) — Microsoft Teams Graph API.

Note

To test the RSC permissions, your Teams app manifest file must include a webApplicationInfo key populated with the following fields:

"webApplicationInfo": {
    "id": "XXxxXXXXX-XxXX-xXXX-XXxx-XXXXXXXxxxXX",
    "resource": "https://AnyString",
    "applicationPermissions": [
        "Channel.Create.Group",
        "Channel.Delete.Group",
        "ChannelMessage.Read.Group",
        "ChannelSettings.Read.Group",
        "ChannelSettings.Edit.Group",
        "Member.Read.Group",
        "Owner.Read.Group",
        "TeamsApp.Read.Group",
        "TeamsTab.Read.Group",
        "TeamsTab.Create.Group",
        "TeamsTab.Edit.Group",
        "TeamsTab.Delete.Group",
        "TeamSettings.Read.Group",
        "TeamSettings.Edit.Group"
    ]
}

Important

In your app manifest, only include the RSC permissions that you want your app to have.

Test added RSC permissions using the Postman app

To check whether the RSC permissions are being honored by the API request payload, you'll need to copy the RSC JSON test code into your local environment and update the following values:

  1. azureADAppId: your app's Azure AD app ID
  2. azureADAppSecret: your Azure AD app secret (password)
  3. token_scope: the scope required to get a token; set the value to https://graph.microsoft.com/.default
  4. teamGroupId: the team's group ID, which you can get from the Teams client as follows:
     • In the Teams client, select Teams from the far-left nav bar.
     • Select the team where the app is installed from the dropdown menu.
     • Select the More options icon (⋯).
     • Select Get link to team.
     • Copy and save the groupId value from the link string.

Using Postman

  • Open the Postman app.
  • Select File => Import => Import file to upload the updated JSON file from your environment.
  • Select the Collections tab.
  • Select the chevron (>) next to Test RSC to expand the details view and see the API requests.

Execute the entire permissions collection so that each API call runs. The calls that use permissions you specified in your app manifest should succeed, while those that use permissions you did not specify should fail with an HTTP 403 status code. Check all of the response status codes to confirm that the behavior of the RSC permissions in your app meets expectations.

Note

To test specific DELETE and READ API calls, please add those instance scenarios to the JSON file.

Test revoked RSC permissions using Postman

  • Uninstall the app from the specific team.
  • Follow the steps above under Test added RSC permissions using the Postman app.
  • Check all of the response status codes to confirm that the specific API calls that previously succeeded now fail with an HTTP 403 status code.
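
The pass/fail rule from the two test procedures above, written as an added example that is not part of the original page or of the RSC test collection: it compares the permissions declared in webApplicationInfo with the status code seen for each request. The (permission, status) pairing of results, the verdict names and all sample data are assumptions constructed for illustration.

```python
import json

# Constructed sample: a manifest fragment that declares only two RSC permissions.
MANIFEST = json.loads("""
{"webApplicationInfo": {
   "id": "00000000-0000-0000-0000-000000000000",
   "resource": "https://AnyString",
   "applicationPermissions": ["TeamSettings.Read.Group", "Member.Read.Group"]}}
""")

# Constructed sample runs: (permission the request exercises, HTTP status seen).
# This pairing is an assumption; fill it in from your own collection run.
RUN_INSTALLED = [
    ("TeamSettings.Read.Group", 200),
    ("Member.Read.Group", 403),       # declared in the manifest but denied
    ("Channel.Create.Group", 201),    # not declared but allowed
    ("TeamsTab.Read.Group", 403),
    ("Channel.Delete.Group", 404),    # neither a success nor a 403
]
RUN_UNINSTALLED = [("TeamSettings.Read.Group", 403), ("Channel.Create.Group", 201)]


def declared_permissions(manifest):
    """Return the set of RSC permissions listed under webApplicationInfo."""
    info = manifest.get("webApplicationInfo") or {}
    return set(info.get("applicationPermissions") or [])


def classify(permission, status, declared, installed=True):
    """Apply the page's rule: declared -> success, everything else -> HTTP 403."""
    should_succeed = installed and permission in declared
    if 200 <= status < 300:
        return "ok" if should_succeed else "UNEXPECTED-ACCESS"
    if status == 403:
        return "NOT-HONORED" if should_succeed else "ok"
    # Any other status (401, 404, 429, 5xx) confirms neither outcome: re-test it.
    return "inconclusive"


def audit(manifest, results, installed=True):
    """Return {permission: verdict} for every result that is not 'ok'."""
    declared = declared_permissions(manifest)
    verdicts = {p: classify(p, s, declared, installed) for p, s in results}
    return {p: v for p, v in verdicts.items() if v != "ok"}


if __name__ == "__main__":
    print(audit(MANIFEST, RUN_INSTALLED))
    print(audit(MANIFEST, RUN_UNINSTALLED, installed=False))
```

Pass installed=False for the run made after uninstalling the app, so that any remaining 2xx response is reported.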