Verify access to the protected Teams API



This script is about KB4322 (Using Microsoft Graph Export API for Teams)

 

Recently, we were asked in the R&D forum how long Microsoft takes to inform you that you have been granted access to the protected APIs.

Unfortunately, it seems that Microsoft will not inform you by email about the successful approval.

 

According to Microsoft Docs, you should use your application to verify whether your request has been approved. Microsoft will only send you an email if they have more questions about the request.

Protected APIs in Microsoft Teams - Microsoft Graph | Microsoft Docs

To verify whether your request has been approved, test your application access on the next applicable Monday. If we have additional questions about the request, we will contact the email specified in the form.

 

Until Veeam Backup for Microsoft 365 v6a is released, we have to use our own scripts to test the access. So I put together a few PowerShell commands to test the access with your application.
These commands don't require the subscription, because they only list messages and do not download them.

 

Prerequisites

You must provide the following information:

  • TenantId = Your Tenant ID
  • AppId = Your VB365 App ID. The API permission ChannelMessage.Read.All must be assigned in Azure AD.
  • CertThumbprint = Thumbprint of the VB365 authentication certificate. You can find it in VB365, in the Windows certificate manager, or in the app configuration in your Azure AD admin console.

The commands must be run directly on your VB365 server in an elevated PowerShell session, and the Microsoft Graph PowerShell SDK must be installed.

 

Commands
 

#Configuration

$TenantId = "Your Tenant ID"
$AppId = "Your VB365 App ID"
$CertThumbprint = "Thumbprint from the VB365 Authentication certificate"



#Connect to GraphAPI

$Cert=Get-ChildItem Cert:\LocalMachine\My\$CertThumbprint
Connect-MgGraph -AppId $AppId -TenantId $TenantId -Certificate $Cert



#Get all M365 groups (unified groups) and use the ID to query a list of messages for a single team (the second one; the first one is the default group without a team attached)

$Teams = Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified')" | select id
Get-MgTeamChannelMessage -TeamID $Teams.Id[1]

 

Access has been granted
 

If your request was approved and you have access to the protected APIs, the command will either show you an empty line because the first Team has no messages, or it will list the available messages. It is also possible that the unified group doesn’t have a Team; the output will then tell you that no Team was found. In each of these cases, we have verified that we have access to the protected API.

 

Access has not been granted yet


If you don't have access to the protected APIs, you will see the following error as documented in our KB:
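
A more defensive variant of the check above, as an added example that is not part of the original post or of Veeam's KB: it only looks at groups that really have a team and reports the raw error for comparison with KB4322. The function name Test-ProtectedTeamsApiAccess is hypothetical, and the sketch assumes Connect-MgGraph has already succeeded as shown above and that the app is also allowed to list channels.

```powershell
# Added example. Test-ProtectedTeamsApiAccess is a hypothetical name, not a Veeam or Microsoft cmdlet.
# Assumes an existing Connect-MgGraph session for the VB365 app (certificate auth, as above).
function Test-ProtectedTeamsApiAccess {
    [CmdletBinding()]
    param(
        # How many teams to try before giving up.
        [int]$MaxTeams = 3
    )

    # Only unified groups with a team provisioned, so no index guessing is needed.
    $teamGroups = Get-MgGroup -All -Property Id, DisplayName `
        -Filter "resourceProvisioningOptions/Any(x:x eq 'Team')" |
        Select-Object -First $MaxTeams

    if (-not $teamGroups) {
        Write-Warning "No team-enabled group found; the message API cannot be tested in this tenant."
        return $false
    }

    foreach ($group in $teamGroups) {
        try {
            # Assumption: the app may list channels (for example through Group.Read.All).
            $channel = Get-MgTeamChannel -TeamId $group.Id -ErrorAction Stop |
                Select-Object -First 1
            if (-not $channel) { continue }

            # The call that needs ChannelMessage.Read.All and the approval.
            # One message is enough; an empty result still proves access.
            $null = Get-MgTeamChannelMessage -TeamId $group.Id -ChannelId $channel.Id `
                -Top 1 -ErrorAction Stop

            Write-Host "Access granted: read channel '$($channel.DisplayName)' in team '$($group.DisplayName)'."
            return $true
        }
        catch {
            # Show the unmodified error text so it can be compared with the one in KB4322.
            Write-Warning "Team '$($group.DisplayName)': $($_.Exception.Message)"
        }
    }

    return $false
}

Test-ProtectedTeamsApiAccess
```

A result of $false together with the warnings means none of the tried teams could be read; compare the printed error with the one documented in the KB before concluding that the approval is still pending.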

 


2 comments


This is great, thanks for sharing this, and I am passing it along to our Dev team.


Thanks for sharing this script with us @Mildur!
