Teams Microsoft.Teams.Policy.Administration.Cmdlets.Providers.PolicyRpException: {"code":"Forbidden","message":"Access Denied.","action":"Provide different credential or request access."}
Description of the issue
I am trying to export the 'Microsoft Teams' configuration using DSC using the certificate thumbprint authentication method. When I try doing that, I am getting the error as highlighted in the subject.
Microsoft.Teams.Policy.Administration.Cmdlets.Providers.PolicyRpException: {"code":"Forbidden","message":"Access Denied.","action":"Provide different credential or request access."}
I have granted the Organization.Read.All Application permission for the client ID that I am using for this.
It only works with the credential option when I try with Global Admin account. Has anyone else encountered this issue or would be aware of the solution?
I have shared the logs for one of the configuration errors.
Microsoft 365 DSC Version
1.24.731.1
Which workloads are affected
Teams
The DSC configuration
No response
Verbose logs showing the problem
Microsoft.Teams.Policy.Administration.Cmdlets.Providers.PolicyRpException: {"code":"Forbidden","message":"Access Denied.","action":"Provide different credential or request access."}
at Microsoft.Teams.Policy.Administration.Cmdlets.Providers.HttpRequestHelper`1.<GetAllAsync>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Teams.Policy.Administration.Cmdlets.Providers.BaseTpmGetCmdlet`1.<>c__DisplayClass8_0.<<ProcessRecord>b__0>d.MoveNext()
"Error during Export:"
at Export-TargetResource, xxxxx\Documents\WindowsPowerShell\Modules\Microsoft365DSC\1.24.731.1\DSCResources\MSFT_TeamsAppPermissionPolicy\MSFT_TeamsAppPermissionPolicy.psm1: line 448
at Start-M365DSCConfigurationExtract, xxxxx\Documents\WindowsPowerShell\Modules\Microsoft365DSC\1.24.731.1\Modules\M365DSCReverse.psm1: line 682
at Export-M365DSCConfiguration, xxxxx\Documents\WindowsPowerShell\Modules\Microsoft365DSC\1.24.731.1\Modules\M365DSCUtil.psm1: line 1394
at <ScriptBlock>, <No file>: line 10
TenantId: xxxxx.onmicrosoft.com
Environment Information + PowerShell Version
OsName : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage : en-US
OsMuiLanguages : {en-US}
Key : PSVersion
Value : 5.1.22621.3958
Name : PSVersion
Key : PSEdition
Value : Desktop
Name : PSEdition
Key : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0...}
Name : PSCompatibleVersions
Key : BuildVersion
Value : 10.0.22621.3958
Name : BuildVersion
Key : CLRVersion
Value : 4.0.30319.42000
Name : CLRVersion
Key : WSManStackVersion
Value : 3.0
Name : WSManStackVersion
Key : PSRemotingProtocolVersion
Value : 2.3
Name : PSRemotingProtocolVersion
Key : SerializationVersion
Value : 1.1.0.1
Name : SerializationVersion
Same with version 1.24.1016.1
The same thing is happening with version 1.24.1113.1
Still happening with 1.25.416.1. Please address this issue. All of my Teams exports are quite worthless.
Hi all, I stumbled across this thread when facing a similar issue myself, but in this documentation it flags that as well as the API permissions assigned to the application, you need to assign Microsoft Entra roles to the application - see point 5 under 'Setup Application-based authentication'.
Having added the Entra app ID to Teams Administrator, I am now able to export using cert thumbprint authentication and the app.
Wanted to mention here in case this helps anyone else.
Indeed. Teams Administrator (or Global Reader for reading) is one of the directory roles required for the Teams workload to function correctly.
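One way to confirm which Entra directory roles the export application's service principal actually holds, written as an added example that is not part of this thread or of Microsoft365DSC. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account may read role assignments; the app ID is a placeholder and both function names are hypothetical.

```powershell
# Added example. Function names and the app ID below are illustrative assumptions.

function Get-TeamsExportRoleStatus {
    # Pure decision step: compares role names against the two roles named in the thread.
    param(
        [string[]]$AssignedRoleNames,
        [string[]]$SufficientRoles = @('Global Reader', 'Teams Administrator')
    )
    # Drop null/empty entries so an app with no role assignments is handled cleanly.
    $names = @($AssignedRoleNames | Where-Object { $_ })
    $held  = @($names | Where-Object { $SufficientRoles -contains $_ })
    [pscustomobject]@{
        CanExportTeams = $held.Count -gt 0
        MatchingRoles  = $held
        OtherRoles     = @($names | Where-Object { $SufficientRoles -notcontains $_ })
        # Global Reader covers reading; flag the broader role when it is the only match.
        BroaderThanReadOnly = ($held -contains 'Teams Administrator') -and
                              ($held -notcontains 'Global Reader')
    }
}

function Get-AppDirectoryRoleNames {
    # Resolves appId -> service principal -> role assignments -> role display names.
    param([Parameter(Mandatory)][string]$AppId)

    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal found for appId $AppId" }

    $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($sp.Id)'" -All

    foreach ($a in $assignments) {
        (Get-MgRoleManagementDirectoryRoleDefinition `
            -UnifiedRoleDefinitionId $a.RoleDefinitionId).DisplayName
    }
}

# Read-only Graph scopes are enough for this check.
Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory'

$AppId = '00000000-0000-0000-0000-000000000000'   # placeholder: the export app's client ID
$roles = Get-AppDirectoryRoleNames -AppId $AppId
Get-TeamsExportRoleStatus -AssignedRoleNames $roles | Format-List
```

If `CanExportTeams` is `False`, the application has API permissions but no matching directory role, which is the situation the Forbidden error in this thread points to.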