How to exchange Teams token to Azure communication service dont need admin consent request api Teams.ManageCalls and Teams.ManageChats?

Nguyen Uy Dinh 40

I have create app using communication service to join the call like MSTeams.

I try to implement login feature, using microsoft account (Teams account).
As i know, after login and get access token from Microsoft, i need to exchange to Azure communication service (ACS) token. Meanwhile i need to add scopes Teams.ManageCalls and Teams.ManageChats.
But my app create for multi-tennant to use. And both api Teams.ManageCalls and Teams.ManageChats need to grant admin consent for.

Is there anyway to create login using Microsoft account, and using communication service but dont need to grant any permission?

Thanks you.

Nguyen Uy Dinh 40 Reputation points

2024-11-20T06:58:49.54+00:00

dear @Shree Hima Bindu Maganti
Thanks you very much for the answer.
As i understand: method CommunicationIdentityClient.createUserAndToken() is using to create new account in ACS.
Can you help me more detail, how to use method to create new user by using Microsoft token after get access token trong MSAL. Or can you send me any document how to use it?
Nguyen Uy Dinh 40 Reputation points

2024-11-20T07:06:31.69+00:00

dear @Shree Hima Bindu Maganti
Thanks you very much for the answer.
As i understand, method CommunicationIdentityClient.createUserAndToken() is create a new user in ACS.
Can you help me more detail, how to createUserAndToken with apply MS access token? or can you help me the document about this?
Shree Hima Bindu Maganti 895 Reputation points Microsoft Vendor

2024-11-20T07:20:18.1633333+00:00
Hi @Nguyen Uy Dinh ,

Thankyou for your Response.
CommunicationIdentityClient.createUserAndToken() with MSAL tokens:

Authenticate User with MSAL

Use MSAL to authenticate and get the access token (openid and profile scopes, or Teams-specific scopes if needed).

Example: Obtain an MSAL token using a Microsoft account.

Use MSAL Token to Create ACS User

Initialize the CommunicationIdentityClient with your ACS connection string.

Use the createUserAndToken() method to create a user and generate a token for ACS.

const { CommunicationIdentityClient } = require("@azure/communication-identity"); const connectionString = "<your-ACS-connection-string>"; const identityClient = new CommunicationIdentityClient(connectionString); const msalAccessToken = "<MSAL_ACCESS_TOKEN>"; const { user, token } = await identityClient.createUserAndToken(msalAccessToken, ["voip"]); console.log(user, token);

Validate MSAL Token

Ensure the MSAL token has the correct scopes to interact with ACS.
https://learn.microsoft.com/en-us/azure/communication-services/quickstarts/identity/access-tokens?tabs=windows&pivots=platform-azportal
https://learn.microsoft.com/en-us/entra/identity-platform/msal-overview
Nguyen Uy Dinh 40 Reputation points

2024-11-20T08:13:35.74+00:00

hi @Shree Hima Bindu Maganti
i have check in @azure/communication-identity, it seem like method createUserAndToken just create a new user like a guest. I have invite my acount into the metting. Then i use createUserAndToken to generate a token and user ID from ACS, then use it and log into the call. But it became a guess account.

I think we should use method getTokenForTeamsUser to exchange ACS token. But this method is checking scopes Teams.ManageCalls or Teams.ManageChats.

Can you give me your opinion about this situation?
Robin Sheng-MSFT 4,025 Reputation points Microsoft Vendor

2024-11-21T05:22:16.88+00:00

Hi Nguyen Uy Dinh

Teams tag is mainly focused on the general issue of Microsoft Teams troubleshooting. According to your description, your question is not in our support scope. Thanks for your understanding and patience.
Shree Hima Bindu Maganti 895 Reputation points Microsoft Vendor

2024-11-21T05:40:55.3133333+00:00
Hi @Nguyen Uy Dinh ,

Thankyou for your Response.
The exact issue is that createUserAndToken generates a new Azure Communication Services (ACS) user, which does not have a Microsoft Teams identity. As a result, the user is treated as a guest when joining a Teams meeting. To link a Teams user identity to an ACS token, the getTokenForTeamsUser method is necessary.
The createUserAndToken method is designed to create ACS users who are independent of Microsoft Teams. Such users join as guests when used for Teams meetings.

Using getTokenForTeamsUser:

To link an ACS token to a Teams user identity, use the getTokenForTeamsUser method.

This method requires the Azure AD application to have permissions such as Teams.ManageCalls or Teams.ManageChats. These permissions must be granted by a Microsoft tenant admin.

const token = await communicationIdentityClient.getTokenForTeamsUser({ teamsUserAadToken: '<Teams user Azure AD token>', });

Replace <Teams user Azure AD token> with the MSAL-acquired Azure AD token for the Teams user.

The Azure AD app used must request the following API permissions:

Delegated Permissions: Teams.ManageCalls, Teams.ManageChats

These permissions require admin consent in multi-tenant apps.
Register an Azure AD app in your tenant.

Grant the app the Teams.ManageCalls or Teams.ManageChats permissions.

Use MSAL to acquire an Azure AD token for the Teams user.

Use getTokenForTeamsUser to exchange the Azure AD token for an ACS token.

Get Token for Teams User Documentation
Nguyen Uy Dinh 40 Reputation points

2024-11-21T07:02:45.22+00:00

hi @Shree Hima Bindu Maganti
Im very appreciate your help, this information is very helpful to me.
So as i understand, i cant use method **getTokenForTeamsUser **without permission Teams.ManageCalls, Teams.ManageChats .
Do you know any way else to help me to do feature login into ACS using Micrsoft account without any permission need admin consent?
and i have readed on page https://learn.microsoft.com/en-us/rest/api/communication/dataplane/communication-identity/exchange-teams-user-access-token?view=rest-communication-dataplane-2023-10-01&tabs=HTTP
there is no referring to need any permission, but when i call api with no permission, it still error.
So do you know any page referring to any permission are needed for this function?.

One more time Im very appreciate your help.
Thanks you so much.
Shree Hima Bindu Maganti 895 Reputation points Microsoft Vendor

2024-11-21T07:21:19.24+00:00

Hi @Nguyen Uy Dinh ,

Thankyou for your Response.
Using getTokenForTeamsUser without Admin Consent:

Admin consent is required for Teams.ManageCalls and Teams.ManageChats permissions.

These permissions are needed to manage Teams functionality through ACS.

No bypass is possible for this requirement.

The REST API documentation doesn’t mention admin consent, but permissions like Teams.ManageCalls and Teams.ManageChats are implied.

You’ll need delegated or application permissions to use the API correctly.

ACS Guest Users: Use createUserAndToken to create guest users in ACS.

OAuth Authentication: Authenticate users using MSAL and Azure AD without needing Teams permissions (though Teams calls still require admin consent).

Admin consent is necessary for Teams-linked ACS tokens.

ACS Guest Users or OAuth can be alternatives if admin consent is not possible.
To obtain a Teams-linked ACS token, admin consent is required for permissions like Teams.ManageCalls or Teams.ManageChats.

If admin consent isn't feasible, consider using ACS Guest Users or OAuth authentication without Teams integration.
Nguyen Uy Dinh 40 Reputation points

2024-11-21T07:48:41.3233333+00:00

hi @Shree Hima Bindu Maganti
Thanks you so much.

Accepted answer

Shree Hima Bindu Maganti 895 Reputation points Microsoft Vendor

2024-11-20T06:02:13.1133333+00:00

Hi @Nguyen Uy Dinh ,
Welcome to the Microsoft Q&A Platform!
Using Azure Communication Services (ACS) to join Teams calls without requiring admin consent for Teams.ManageCalls and Teams.ManageChats permissions.

Use ACS Direct Calling Feature: Azure Communication Services allows you to join Teams calls directly by generating ACS tokens. This does not require Teams.ManageCalls or Teams.ManageChats permissions.

Authenticate Users with Azure AD: Authenticate users using Microsoft Authentication Library (MSAL) to sign in with their Microsoft accounts. Only request basic scopes like openid, profile, and email.

Exchange Access Token for ACS Identity: Use the ACS Identity SDK to create a user and issue an ACS token without relying on Teams-specific permissions:

API: Use the CommunicationIdentityClient.createUserAndToken() method.

Token scopes: Use ["voip"] for calling functionality.

Avoid Teams-Specific APIs: The Teams APIs like Teams.ManageCalls and Teams.ManageChats are only needed if interacting with Teams-specific features like managing chats or initiating calls programmatically within Teams. These require admin consent, so avoid these APIs.

Use ACS Meeting URLs: Join Teams calls by using ACS meeting join links (Teams meeting URLs). ACS handles the call connection without needing direct Teams API permissions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to exchange Teams token to Azure communication service dont need admin consent request api Teams.ManageCalls and Teams.ManageChats?

0 additional answers

Your answer