
Access denied for all Teams Tests although connected - Which API Permission for Teams?

Open blindzero opened this issue 8 months ago • 2 comments

I am trying to get the tests that depend on a Teams connection running in our Bitbucket Pipelines based environment. I assigned Organization.Read.All to the registered application and admin consented (referring to https://github.com/maester365/maester/issues/651#issuecomment-2761833680 and https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-application-authentication#setup-application-based-authentication).

My Teams connection with client certificate seems to work, my

  Connect-MicrosoftTeams -ApplicationId "$env:AZURE_CLIENT_ID" -Certificate $clientCert -TenantId "$env:AZURE_TENANT_ID" -ErrorAction Stop

seems to work as I see the successful message in my build log.

However, the tests using Teams are "Skipped", or I receive a test error, like

Get-CsTeamsMeetingPolicy: /opt/atlassian/pipelines/agent/build/Maester/Teams/Test-TeamsMeeting.Tests.ps1:4
Line |
   4 |          $TeamsMeetingPolicy = Get-CsTeamsMeetingPolicy
     |                                ~~~~~~~~~~~~~~~~~~~~~~~~
     | Access Denied. Provide different credential or request access.

Digging into this I see that the application doesn't have proper API permissions, as all Cs* cmdlets are failing. Hence, Test-MtConnection.ps1 reports no Teams connection, due to failing Get-CsTenant. I found out that all Cs*-cmdlets are failing with same access denied, while all Non-Cs cmdlets seem to work.

I checked all API permissions and verified

Directory.Read.All
User.Read.All
Organization.Read.All
TeamSettings.Read.All

and even

AppCatalog.Read.All
Channel.ReadBasic.All
ChannelSettings.Read.All
TeamMember.Read.All

as I found some samples using these.

I tried certificate and even Access Token based Connect-MicrosoftTeams (https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-application-authentication#examples) with client secret. All with the same results.

I then assigned the "Teams Administrator" Azure Role to my Maester Application. With this, the Cs* cmdlets work and the tests can be performed properly. Although that makes total sense from a logical standpoint, it is something I want to avoid and not have assigned to an automated check application pipeline, as it grants way too many permissions.

Interestingly, I couldn't find any official documentation that these cmdlets need other permissions.

Do you guys have the same issue? How did you get Teams tests running?

Thanks a lot for your help, Matthias

blindzero Apr 19 '25 16:04

Same here, testing with app-connection.

I used your workaround to get the tests to run.

KlasBol May 08 '25 14:05

@NZLostboy thoughts?

merill May 13 '25 07:05

@blindzero and @KlasBol You can use the Teams Reader instead of Teams admin. This should resolve your issue. I can't find API Permission at this moment for it. This permission was added to the doc a few weeks ago with https://github.com/maester365/maester/pull/1065.

l-gosling Aug 20 '25 17:08
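The role assignment suggested in the reply above, as an added example (not code from the Maester project or from any commenter): it uses Microsoft Graph PowerShell to give the pipeline's service principal the Teams Reader directory role and warns if Teams Administrator is still assigned. It assumes the role's display name is exactly "Teams Reader", that the app is identified by the `AZURE_CLIENT_ID` variable from the issue, and that you sign in interactively as an admin who may manage directory role assignments.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.Governance
param(
    # Assumption: client ID of the app registration used by Connect-MicrosoftTeams in the pipeline
    [string]$AppId    = $env:AZURE_CLIENT_ID,
    # Assumption: display name of the read-only role mentioned in the thread
    [string]$RoleName = 'Teams Reader'
)
$ErrorActionPreference = 'Stop'

# Delegated sign-in; the signed-in admin must be allowed to create directory role assignments
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Application.Read.All'

# Directory roles are assigned to the service principal object, not to the app registration
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId '$AppId'." }

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $role) { throw "Directory role '$RoleName' was not found in this tenant." }

# Collect the directory roles this principal already holds
$current = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" -All)
$currentNames = foreach ($assignment in $current) {
    (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $assignment.RoleDefinitionId).DisplayName
}

# Assign the read-only role tenant-wide unless it is already present
if ($current.RoleDefinitionId -notcontains $role.Id) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId '/' | Out-Null
    Write-Host "Assigned '$RoleName' to $($sp.DisplayName)."
} else {
    Write-Host "'$RoleName' is already assigned to $($sp.DisplayName)."
}

# Flag the broad role from the original workaround so it can be removed
if ($currentNames -contains 'Teams Administrator') {
    Write-Warning "'Teams Administrator' is still assigned to $($sp.DisplayName); remove it once the tests pass with '$RoleName'."
}

# Final state for review: role names held by the pipeline identity
@($currentNames) + $RoleName | Sort-Object -Unique
```

To confirm the result from the pipeline, run `Get-CsTenant` after `Connect-MicrosoftTeams`; that is the call the issue names as the one `Test-MtConnection.ps1` relies on.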

@blindzero or @KlasBol or @merill can it be closed?

If I assign the Teams user role, the tests pass. No API permission is available yet.

l-gosling Aug 30 '25 00:08

@blindzero or @KlasBol or @merill can it be closed?

If I assign the Teams user role, the tests pass. No API permission is available yet.

How do you do this when you are using an Azure Automation account with a System Assigned Managed Identity?

LarsDeGraaf Sep 16 '25 06:09