
I am currently developing a Microsoft Teams tab app using Teams Toolkit.

The users of the app should be able to invite guest users to certain teams and edit some of the users' information in AD. This requires a higher permission level than the users have.

I have tried to use delegated permissions, but this limits the permissions of the app based on the user's permissions. See https://learn.microsoft.com/en-us/graph/auth/auth-concepts

Is there a way, using Teams Toolkit or, as a last resort, some other package, to get a Graph API token that will allow the app to perform operations that require permissions higher than what the user has?

For reference, I list below some of the permissions the app needs:

        "User.ReadBasic.All",
        "Sites.ReadWrite.All",
        "Domain.ReadWrite.All",
        "Directory.ReadWrite.All",
        "TeamMember.ReadWrite.All",
        "TeamSettings.ReadWrite.All",

Thank you!

Mihai N.

2 Answers


There are two main types of permissions, as you've seen. The first is "Delegated", which basically means the user is "delegating" your app to do something on his/her behalf. This is of course limited to what the user themselves can/can't do, as it's basically just doing it for them. To do something -differently-, or to do without having that specific user associated with it, you need to use Application permissions. In this case, your access is essentially unlimited, BUT it means that a tenant administrator needs to consent upfront (i.e. once-off) to your application having this level of access.

"Application" permissions are therefore what you're needing in your scenario.

Hilton Giesenow

Just as Hilton mentioned, you should use "Application" permission for your scenario.

"Application" permission is designed to run from a backend, so you can set up a backend web app or Azure Function to do this.

Here are the basic steps:

  1. Go to your AAD app, and add the permissions you want

  2. Consent to the permissions

  3. Copy the client ID and client secret from the AAD portal

  4. Follow the steps to get access token https://learn.microsoft.com/en-us/graph/auth-v2-service#4-get-an-access-token

By the way, I recommend using the Azure Functions feature inside Teams Toolkit, which can help you easily set up an Azure Function in your Teams Tab project; then you can write the code inside the Azure Function to call the Graph API with application permissions.

SLdragon
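The token request from step 4, as an added example that is not part of either answer: a Node.js module for the Azure Function backend that acquires an app-only Graph token with the client-credentials flow and checks the `roles` claim for the application permissions the question lists before any Graph call is made. `TENANT_ID`, `CLIENT_ID` and `CLIENT_SECRET` are assumed to be read from the Function's app settings, never shipped to the tab client.

```javascript
// Added example: app-only Graph token for a backend Azure Function.
// The tenant id, client id and client secret are assumed to live in the
// Function's app settings; the secret must never reach the Teams tab client.
const TOKEN_HOST = "https://login.microsoftonline.com";
const GRAPH_SCOPE = "https://graph.microsoft.com/.default";

// Build the POST sent to the v2.0 token endpoint (client-credentials grant).
function buildTokenRequest(tenantId, clientId, clientSecret) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    scope: GRAPH_SCOPE,
    grant_type: "client_credentials",
  });
  return {
    url: `${TOKEN_HOST}/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Decode the JWT payload (base64url) without verifying the signature; Graph
// verifies the signature, this is only a local sanity check on the claims.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// App-only tokens carry the admin-consented application permissions in the
// `roles` claim (delegated tokens use `scp`). Return the ones still missing so
// a misconfigured app registration fails early instead of as a Graph 403.
function missingRoles(token, required) {
  const roles = new Set(decodeJwtPayload(token).roles || []);
  return required.filter((r) => !roles.has(r));
}

// Request the token; `fetchImpl` is injectable so the flow can be tested offline.
async function getAppOnlyToken(tenantId, clientId, clientSecret, fetchImpl = fetch) {
  const req = buildTokenRequest(tenantId, clientId, clientSecret);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  return (await res.json()).access_token;
}

// Constructed, unsigned sample token for offline testing only (not a real token).
function makeUnsignedJwt(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "none", typ: "JWT" })}.${b64(payload)}.`;
}
```

In the Function, call `missingRoles` once after acquiring the token with the list of permissions from the question and log the result; an empty array means the admin consent from step 2 covers everything the Function will call.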