MS Graph Teams Listing
I'm using my work account, which is linked to Office365 online by my organization.
I was able to get a Bearer token successfully from https://login.microsoftonline.com/skillsoft.onmicrosoft.com/oauth2/token via Postman.
However, when I try to do a GET on https://graph.microsoft.com/v1.0/teams/{tenantid} to get a list of teams, through Postman, I get this error:
    {
        "error": {
            "code": "Forbidden",
            "message": "Missing role permissions on the request. API requires one of 'Team.ReadBasic.All, TeamSettings.Read.All, TeamSettings.ReadWrite.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All, TeamSettings.Read.Group, TeamSettings.Edit.Group, TeamSettings.ReadWrite.Group'. Roles on the request ''. Resource specific consent grants on the request ''.",
            "innerError": {
                "date": "2022-02-24T22:28:31",
                "request-id": "",
                "client-request-id": ""
            }
        }
    }
Here is a screenshot of my permissions on the API on portal.azure.com -> API Permissions

I do have Team.ReadBasic.All as mentioned by the error message. Not sure what I'm missing.
Yes, I did mention https://graph.microsoft.com as resource while fetching the bearer token.
I have tried using both the GroupID (from Get link to Team) and the TenantID from the same link (which is the same directory ID on my API registration).
What am I missing?
Solution 1:[1]
First off, I don't think there is an endpoint https://graph.microsoft.com/v1.0/teams/{tenantid} - you don't need to supply a tenant id as it's implied from your sign-in context. The only endpoint that matches that pattern would be to get the information for one specific team (see here: https://docs.microsoft.com/en-us/graph/teams-list-all-teams?context=graph%2Fapi%2F1.0&view=graph-rest-1.0#get-team-information-for-a-group).
If you're wanting all Teams, you would use just '/teams' (i.e. without anything after that), per this document: https://docs.microsoft.com/en-us/graph/api/teams-list?view=graph-rest-beta&tabs=http#http-request
However, to do that, you need to have some idea of your personal user context. Are you, for instance, a Teams Service Administrator or a Global Admin in your tenant, that you would have access to list all the teams? If not, you would only be able to list your own Teams, and the "joinedTeams" endpoint would be better to use (more here: https://docs.microsoft.com/en-us/graph/api/user-list-joinedteams?view=graph-rest-beta&tabs=http). As an alternative, if you really need your code to list all the teams, then you'll need to have the rights I mentioned, or use Application permissions, which means setting up an Azure AD Application (not that hard to do, but does mean a bit more setup and an Admin has to consent for your app once off).
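An added diagnostic example (not part of the original question or answer): the error above reports `Roles on the request ''`, so decoding the access token's payload shows whether it carries application permissions (the `roles` claim) or only delegated ones (the `scp` claim). The tokens are constructed, unsigned samples; `diagnose` and `make_sample_token` are hypothetical helper names, and the decode skips signature verification, so it is for inspection only.

```python
import base64
import json
import re

# Error text returned by Graph, copied from the question above.
GRAPH_ERROR = (
    "Missing role permissions on the request. API requires one of "
    "'Team.ReadBasic.All, TeamSettings.Read.All, TeamSettings.ReadWrite.All, "
    "Group.Read.All, Directory.Read.All, Group.ReadWrite.All, "
    "Directory.ReadWrite.All, TeamSettings.Read.Group, TeamSettings.Edit.Group, "
    "TeamSettings.ReadWrite.Group'. Roles on the request ''. "
    "Resource specific consent grants on the request ''."
)

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def required_permissions(message):
    """Extract the permission names from 'API requires one of ...'."""
    m = re.search(r"requires one of '([^']*)'", message)
    return {p.strip() for p in m.group(1).split(",")} if m else set()

def diagnose(token, message=GRAPH_ERROR):
    claims = jwt_claims(token)
    roles = set(claims.get("roles", []))         # application permissions
    scopes = set(claims.get("scp", "").split())  # delegated permissions
    return {"roles": roles, "scp": scopes,
            "granted": roles & required_permissions(message)}

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])

if __name__ == "__main__":
    delegated = make_sample_token({"aud": "https://graph.microsoft.com",
                                   "scp": "Team.ReadBasic.All User.Read"})
    app_only = make_sample_token({"aud": "https://graph.microsoft.com",
                                  "roles": ["Team.ReadBasic.All"]})
    print(diagnose(delegated))  # "granted" is empty: the token has no roles claim
    print(diagnose(app_only))   # "granted" contains Team.ReadBasic.All
```

An empty `granted` set alongside a populated `scp` means the permission exists only as a delegated scope, which matches the distinction the answer draws between user context and Application permissions.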
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Hilton Giesenow |
