
Microsoft Graph Permission Clarification – Teams Channel Access (403) and Outlook OAuth Token Permission Requirement

Akshay Babar 20 Reputation points
2026-03-06T18:31:09.4533333+00:00

Hi Team,

We need urgent clarification regarding Microsoft Graph permissions and OAuth token issues for our integration. This is impacting our customer tenant and we need to provide accurate instructions.

1. Microsoft Teams – Fetching Channels for Teams where user is not a member

  • API used: /teams/{team-id}/channels

Current flow: Delegated token

Issue: If the user is not a member of a Team, API returns 403 Forbidden.

Requirement: Fetch all Teams and channels in the tenant, even if the user is not a member.

Questions:

  1. Is there any way to fetch all channels for all Teams without adding the user?
  2. Which Graph permissions are required?

Impact: Customer cannot display full channel list in the UI without this.

Currently, we are using these permissions on our end.

[
  "https://graph.microsoft.com/ChannelMessage.Read.All",
  "https://graph.microsoft.com/Channel.Create",
  "https://graph.microsoft.com/Chat.ReadWrite",
  "https://graph.microsoft.com/Chat.Create",
  "https://graph.microsoft.com/ChannelMessage.Send",
  "https://graph.microsoft.com/ChannelMember.ReadWrite.All",
  "https://graph.microsoft.com/User.Read",
  "https://graph.microsoft.com/User.Read.All",
  "https://graph.microsoft.com/ChannelSettings.ReadWrite.All",
  "https://graph.microsoft.com/TeamsAppInstallation.ReadWriteAndConsentSelfForUser",
  "https://graph.microsoft.com/TeamsAppInstallation.ReadWriteSelfForUser",
  "https://graph.microsoft.com/TeamsAppInstallation.ReadWriteSelfForTeam",
  "https://graph.microsoft.com/user.read",
  "https://graph.microsoft.com/Channel.ReadBasic.All",
  "https://graph.microsoft.com/Team.ReadBasic.All",
  "https://graph.microsoft.com/Group.ReadWrite.All",
  "offline_access"
]


2. Outlook – OAuth token generation issue

Issue: Generating OAuth token shows “Contact your admin” popup and fails.

  • Requirement: Users must generate OAuth token successfully to access information via Graph APIs.

Questions:

What permissions or admin configuration are required for successful token generation?

  1. Required Graph permissions?

Impact: Customer cannot access data without proper setup.

Currently, we are using these permissions on our end.

[
  "Mail.Read",
  "Mail.ReadWrite",
  "offline_access",
  "Mail.Read.Shared",
  "Mail.ReadWrite.Shared",
  "Mail.Send",
  "User.ReadBasic.All",
  "User.Read"
]


Microsoft Teams | Development

Answer accepted by question author
  1. Jack-Bu 6,675 Reputation points Microsoft External Staff Moderator
    2026-03-09T05:22:37.4633333+00:00

    Hello Akshay,

    Welcome to Microsoft Q&A. Thank you for your detailed query regarding Microsoft Graph permissions. I will address your inquiries as below:

    1. Fetching channels for teams where the user is not a member:

    Your setup uses delegated permissions, which are tied to the signed-in user's access. This means the API enforces restrictions based on the user's membership in the team, leading to the 403 Forbidden error when the user isn't a member. Delegated permissions like Channel.ReadBasic.All only allow access to channels in teams the user has joined or has explicit access to. You can switch to application permissions (app-only authentication via client credentials flow) to access tenant-wide data without user membership restrictions. This allows fetching all teams and channels across the tenant.

    • List all teams: Use /groups?$filter=groupTypes/any(c:c eq 'Unified').
    • List channels: Use /teams/{team-id}/channels.
    • Required Permissions (Application type, requiring admin consent):
      • Group.Read.All for listing teams.
      • Channel.ReadBasic.All or ChannelSettings.Read.All for channel details.
    • Notes: Update your app registration in Microsoft Entra ID to include these as application permissions, grant admin consent, and authenticate without a user context. This resolves the UI limitation of not displaying the full channel list.
    2. Outlook OAuth Token generation issue:

    The "Contact your admin" popup during OAuth token generation typically occurs when the app requires permissions that need admin consent, or when tenant settings restrict user consent (like user consent is disabled, or the app is unverified/multi-tenant and triggers a review workflow). Even if authentication succeeds, token issuance fails until resolved. This isn't a bug in your code but a security/enforcement mechanism in Microsoft Entra ID.

    • Ensure admin consent is granted for the app. Use the Microsoft Entra admin center (Enterprise applications > Permissions > Grant admin consent) or an admin consent URL. If user consent is disabled, enable it or configure the admin consent workflow to allow users to request approval.
    • Your listed scopes (e.g., Mail.Read, Mail.ReadWrite, User.ReadBasic.All) are generally sufficient, but high-privilege ones like User.ReadBasic.All trigger admin consent. Remove unnecessary high-privilege scopes if possible to simplify.

    REF: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow

    This setup should enable full access without the reported issues. If you encounter specific error codes or need code samples, please comment below.

    Hope this helps.


    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. 
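The app-only flow described in the accepted answer, as an added example that is not part of the original thread or Microsoft's own code: it builds the client-credentials token request, checks that the token is app-only and carries the application roles the answer names, and enumerates teams and channels with paging. `get_json` is a hypothetical caller-supplied function that performs the authenticated GET, and the client-side check on `resourceProvisioningOptions` (to skip Microsoft 365 groups that are not teams) is an addition here.

```python
import base64, json
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
REQUIRED_ROLES = {"Group.Read.All", "Channel.ReadBasic.All"}  # named in the answer

def token_request(tenant_id, client_id, client_secret):
    """Client-credentials request: no user context, .default = consented app permissions."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret,
                      "scope": "https://graph.microsoft.com/.default"})
    return url, form

def missing_app_roles(jwt):
    """Diagnostic decode (no signature check): app-only tokens carry 'roles',
    delegated tokens carry 'scp' and stay bound to the user's team membership."""
    part = jwt.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    if "scp" in claims:
        raise ValueError("delegated token; expected app-only")
    return REQUIRED_ROLES - set(claims.get("roles", []))

def paged(get_json, url):
    """Yield every item of a Graph collection, following @odata.nextLink."""
    while url:
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def all_channels(get_json):
    """Return {team name: [channel names]}; skips Unified groups that are not teams."""
    groups = f"{GRAPH}/groups?$filter=groupTypes/any(c:c%20eq%20'Unified')"
    result = {}
    for g in paged(get_json, groups):
        if "Team" not in g.get("resourceProvisioningOptions", []):
            continue
        channels = paged(get_json, f"{GRAPH}/teams/{g['id']}/channels")
        result[g["displayName"]] = [c["displayName"] for c in channels]
    return result

if __name__ == "__main__":
    # Constructed responses; a real get_json does an authenticated GET with the app-only token.
    team = {"id": "t1", "displayName": "Sales", "resourceProvisioningOptions": ["Team"]}
    fake = {f"{GRAPH}/groups?$filter=groupTypes/any(c:c%20eq%20'Unified')": {"value": [team]},
            f"{GRAPH}/teams/t1/channels": {"value": [{"displayName": "General"}]}}
    print(all_channels(fake.__getitem__))
```

A non-empty result from `missing_app_roles` means the application permission has not been added or admin consent has not been granted yet.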
