Teams Authentication

Summary

Teamwork can run inside Microsoft Teams as a personal app. Unfortunately, the Teams desktop client requires special authentication, which Teamwork handles either through credentials entered in a login window or through tenant-level permissions. Note that the topics covered in this documentation are not related to authentication in Teams web and SharePoint.

Login window

To use Teamwork inside the Microsoft Teams desktop client, users have to enter their credentials in a login window that pops up after opening the Teamwork personal app. This is the default behavior if tenant-level permissions are not configured. This is what the login window looks like:

Login window for Teamwork authentication in Microsoft Teams

The login window will also pop up when the authentication token has expired. In this case, no user interaction is required.

Tenant-Level permissions

In addition to the login window approach, administrators can configure Teamwork to authenticate using tenant-level permissions. Those permissions are not uniquely associated with the Teamwork SPFx app. Once approved, they can also be used by other applications! The steps below describe how to configure tenant-level permissions in an Office 365 tenant:

  1. After uploading and deploying the Teamwork SPFx app to the app catalog, open the SharePoint Admin Center of your tenant.
  2. In the new Admin Center, in the left quick launch menu, choose the API management menu item. Using this page, you (or any other admin of your SharePoint Online tenant) can approve or deny any pending permission request. Note that you don't see which solution package is requesting which permission because the permissions are defined at the tenant level and for a unique application.
  3. Choose the permissions requested by Teamwork, choose Approve or reject access, and then choose Approve. Please find below the requested permissions:
     API name                       Permission
     Microsoft Graph                Directory.AccessAsUser.All
     Microsoft Graph                Files.Read.All
     Microsoft Graph                Group.ReadWrite.All
     Microsoft Graph                Sites.Read.All
     Microsoft Graph                User.Read.All
     Microsoft Graph                User.ReadBasic.All
     Microsoft Graph                User.ReadWrite.All
     {tenant}-teamwork-functions    user_impersonation

After approving the required permissions, authentication through the login window approach won't be used in Microsoft Teams desktop client anymore.
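
An added example (not part of the Teamwork documentation or product): because approved permissions can also be used by other applications, this Python check compares an export of tenant-wide delegated grants against the permission list above and reports missing, unexpected and broad scopes. The record shape follows Microsoft Graph's oauth2PermissionGrant resource; `audit_grants`, the object ids, the name lookup and the sample data are constructed assumptions.

```python
# Added example, not Teamwork code. Records follow the shape of Microsoft Graph
# oauth2PermissionGrant objects; every id and name lookup below is constructed.
EXPECTED = {  # the permissions listed in step 3
    ("Microsoft Graph", "Directory.AccessAsUser.All"),
    ("Microsoft Graph", "Files.Read.All"),
    ("Microsoft Graph", "Group.ReadWrite.All"),
    ("Microsoft Graph", "Sites.Read.All"),
    ("Microsoft Graph", "User.Read.All"),
    ("Microsoft Graph", "User.ReadBasic.All"),
    ("Microsoft Graph", "User.ReadWrite.All"),
    ("{tenant}-teamwork-functions", "user_impersonation"),
}
# Name fragments marking write access or acting with the user's directory rights.
BROAD_MARKERS = ("ReadWrite", "AccessAsUser")


def audit_grants(grants, client_id, resource_names, expected=EXPECTED):
    """Return (missing, unexpected, broad) lists of (resource, scope) pairs."""
    have = set()
    for g in grants:
        # Keep only tenant-wide grants held by the shared SPFx principal.
        if g["clientId"] != client_id or g["consentType"] != "AllPrincipals":
            continue
        name = resource_names.get(g["resourceId"], g["resourceId"])
        have.update((name, s) for s in g.get("scope", "").split())
    broad = {p for p in have if any(m in p[1] for m in BROAD_MARKERS)}
    return sorted(expected - have), sorted(have - expected), sorted(broad)


# Constructed sample export (not real tenant data).
SPFX_PRINCIPAL = "sp-spfx-0000"  # hypothetical object id of the shared principal
NAMES = {"sp-graph-0001": "Microsoft Graph",
         "sp-func-0002": "{tenant}-teamwork-functions"}
GRANTS = [
    {"clientId": SPFX_PRINCIPAL, "resourceId": "sp-graph-0001",
     "consentType": "AllPrincipals",
     "scope": "Directory.AccessAsUser.All Files.Read.All Group.ReadWrite.All "
              "Sites.Read.All User.Read.All User.ReadBasic.All Mail.Send"},
    {"clientId": SPFX_PRINCIPAL, "resourceId": "sp-func-0002",
     "consentType": "AllPrincipals", "scope": "user_impersonation"},
    {"clientId": "sp-other-0009", "resourceId": "sp-graph-0001",
     "consentType": "AllPrincipals", "scope": "Calendars.Read"},
]

if __name__ == "__main__":
    for label, pairs in zip(("missing", "unexpected", "broad"),
                            audit_grants(GRANTS, SPFX_PRINCIPAL, NAMES)):
        print(f"{label}: {pairs}")
```

An "unexpected" entry is a scope approved for every SPFx solution in the tenant that Teamwork did not request; a "broad" entry is a documented scope that deserves a named owner for the same reason.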

Common errors when managing permissions in the API management page

Depending on the operation you are trying to execute, you will face a different error message in the API management page. We've listed below the possible error messages for the different cases:

Operation: Approve a requested permission as a SharePoint administrator
Error message: [HTTP]:500 - [CorrelationId]:53ee2d9f-a0f9-2000-078d-b1ec5183945b [Version]:16.0.0.19527
Solution: Logged in user must be global administrator

Operation: Reject a requested permission as a SharePoint administrator
Error message: [HTTP]:403 - [CorrelationId]:5cee2d9f-801d-2000-6cd2-3db457dd64f0 [Version]:16.0.0.19527 - Access denied. You do not have permission to perform this action or access this resource
Solution: Logged in user must be global administrator

Operation: Remove a granted permission as a SharePoint administrator
Error message: Insufficient privileges to complete the operation
Solution: Logged in user must be global administrator

Operation: Approve a requested permission that doesn't exist, such as tenant-teamwork-functions
Error message: [HTTP]:400 - [CorrelationId]:8fd4339f-abcd-200f-6cd2-3857f31dd2e5 [Version]:16.0.0.19918
Solution: Check the requested permission for correctness. If the permission is not a valid AAD application or a valid API permission, consider rejecting the wrong permission and adding the correct one for approval