Adding invited (guest) user to teams seems to not

Hi (ref issue)

After setting up the tenant to allow invitation of user from another domain, we are able to invite external users (in set domain) to teams. This works fine when doing it manually, in the GUI. However, when trying to add an invited user threw the windows graph API, something is not working properly.

Our procedure to invite a user to a team is as follows: Note we are using application privileges

Invite the user to the tenant (with or without welcome mail) https://docs.microsoft.com/en-us/graph/api/invitation-post?view=graph-rest-1.0
Add the invited user to the team https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0

Both these calls complete successfully and does not return any error messages. In all the admin GUI’s (AAD, Teams, Exchange) the user is invited and is added to the group. But the user in question does not receive a welcome mail that he/she has been added to the team. And if the user (given we send a welcome mail in step 1) tries to access http://teams.microsoft.com the user gets notified that he/she does not have permissions and/or does not see the team.

Any tips?

API Permissions

EDIT: After some investigation, by monitoring the network traffic. It's seems that the missing call, to get properly invited to the team is: POST https://api.teams.skype.com/emea/beta/teams/($teamurl)/bulkUpdateRoledMembers?allowBotsInChannel=true

where you send in a list of userid (8:orgid:{userid}) and the groupid. (teamurl seems to be the channel id)

{"users":[{"mri":"8:orgid:00000000-5946-0000-87d2-b16b6fdf7a72","role":2}],"groupId":"00000000-2e8b-4d18-0000-394c6a4846d0"}

I have tried to call this from application & delegation, but get 'Unauthorized'. Also I could not find any API permission that granted access to 'api.teams.skype.com'.

I finally figured out how to get an access token to invoke bulkUpdateRoledMembers. It only works if I request an access token for it directly, so no Application Permissions and no On-Behalf-Of Flow.

private static async Task<string> GetAccessTokenForTeams(string tenantId)
{

    var client = new PublicClientApplication(
        clientId: "d3590ed6-52b3-4102-aeff-aad2292ab01c",
        authority: $"https://login.microsoftonline.com/{tenantId}/",
        userTokenCache: null);

    try
    {
        var result = await client.AcquireTokenInteractive(new[] { "https://api.spaces.skype.com/user_impersonation" }, null).ExecuteAsync();
        return result.AccessToken;
    }
    catch (Exception e)
    {
        Debug.WriteLine(e);
        throw;
    }
}

It turns out you also need a Skypetoken, which you can get very easily with the just acquired access token.

private static async Task<string> GetSkypeToken(string accessToken)
{
    using (var client = new HttpClient())
    {
        client.DefaultRequestHeaders.Add(HttpRequestHeader.Authorization.ToString(), "Bearer " + accessToken);

        using (var response = await client.PostAsync("https://api.teams.skype.com/beta/auth/skypetoken", null))
        {
            var contentString = await response.Content.ReadAsStringAsync();
            if (response.IsSuccessStatusCode)
            {
                var skypeTokenResponse = JsonConvert.DeserializeObject<SkypeTokenResponse>(contentString);
                return skypeTokenResponse.Tokens.SkypeToken;
            }
            else
            {
                throw new Exception(response.StatusCode.ToString() + ": " + contentString);
            }
        }
    }
}
private class SkypeTokenResponse
{
    public Token Tokens { get; set; }

    public class Token
    {
        public string SkypeToken { get; set; }
        public string ExpiresIn { get; set; }
    }
}

Then you can finally invoke bulkUpdateRoledMembers by passing both tokens along.

private static async Task<object> bulkUpdateRoledMembers(string accessToken, string skypeToken, string teamUrl, string groupId, string userId)
{
    using (var client = new HttpClient())
    {
        client.DefaultRequestHeaders.Add(HttpRequestHeader.Authorization.ToString(), "Bearer " + accessToken);
        client.DefaultRequestHeaders.Add("X-Skypetoken", skypeToken);

        var bodyString = JsonConvert.SerializeObject(new
        {
            users = new List<object>
            {
                new
                {
                    mri = "8:orgid:" + userId,
                    role = 2
                }
            },
            groupId = groupId
        });
        var body = new StringContent(bodyString, Encoding.UTF8, "application/json");

        using (var response = await client.PutAsync($"https://teams.microsoft.com/api/mt/emea/beta/teams/{teamUrl}/bulkUpdateRoledMembers?allowBotsInChannel=true", body))
        {
            var contentString = await response.Content.ReadAsStringAsync();
            if (response.IsSuccessStatusCode)
            {
                var jsonresult = JObject.Parse(contentString);
                return jsonresult;
            }
            else
            {
                throw new Exception(response.StatusCode.ToString() + ": " + contentString);
            }
        }
    }
}