
Requesting Extra Approval for Protected APIs from Microsoft

As part of the Teams Azure AD Configuration, you must request extra permissions from Microsoft to use the ChannelMessage.Read.All permission.

If the Azure registered application has the ChannelMessage.Read.All permission but the extra approval process has not yet been completed (either because the customer has not submitted the form or because Microsoft has yet to process it), the Collector will throw the following error:

Inaccessible: Code: Forbidden
Message: Invoked API requires Protected API access in application-only context when not using Resource Specific Consent. Visit https://docs.microsoft.com/en-us/graph/teams-protected-apis for more details.

Questions on the Extra Approval Form

The Protected APIs Extra Approval form has several questions that may require extra explanation:

| Question | Explanation |
| --- | --- |
| #2. Publisher name | The publisher is ActiveNav. |
| #3. Application name | The application is ActiveNav Cloud Teams Collector. |
| #4. Application ID(s) to enable permissions/subscription for (GUID, semicolon separated). | These are the Azure Registered Application IDs (also known as Client IDs) that will be provided as credentials to the platform. |
| #5. Azure billing subscription ID as GUID, this subscription must be under the same tenant. | The detail on the form explains how to retrieve this value; however, none of the APIs used by the Teams collector are metered (billable). The Collector uses the following endpoints to perform its tasks: List Channel Messages, List Replies, and Get Chat Message. Billable APIs have a 'Note' near the top of the page indicating a licensing model (e.g., Get All Chat Messages). The Licensing and Payment requirements page for Teams does not list the APIs being used by the Teams collector. |
| #6. Which category best describes your application (select one)? | This is asking why the customer is using the Teams Collector; select the "Management and reporting" option. |
| #7. Why does your application need read access to all messages in the tenant? | To enable us to discover and report any potential policy and/or security violations that may exist within message content. |
| #8. Data retention | The Collector and platform do not store any of the message body; they do, however, obtain and store metadata, e.g., creation date. Currently, the following answer is most appropriate: "This app will store a copy or summary of message metadata but will not make a copy of the message body, the subject lines, or any attachments. This is disclosed in the app's privacy policy." |
| #9. What are the tenant IDs where your application needs to run? | These are the tenant IDs associated with the Azure Registered application being used. |

*Questions 7 and 8 only appear once an answer has been provided for 6. Questions 9 and 10 are shown once 8 has an answer.

Approval

Applications are reviewed by Microsoft every Wednesday, and approvals are deployed every Friday or Monday (except during major holiday weeks in the US).

If you do not receive a notification informing you that your application has been approved, retry feature extraction at intervals after the approval period has passed to see whether the error has cleared. We suggest that customers contact Microsoft support for any further details on chasing applications.