Teams Chat always initiates as if request is from the user who authorized the Teams integration

mholmes · ‎01-10-2023

Hello,

We are trying to set up a Microsoft Teams integration in order to start a Teams chat from a task.

In one of the steps, an Azure administrator needs to log in to ServiceNow to authorize the application.

The problem we are having is that when we click the "Start Microsoft Teams Chat" button, invite users to the chat using the dialog, and then click "Start Chat," the Flow Designer action "Create Microsoft Teams Chat" kicks off, and an Outbound HTTP request is sent to https://graph.microsoft.com/v1.0/chats.

We get the following error in the HTTP response: "The caller must be one of the members specified in request body."

What it wants is for us to include the Azure admin user in the chat every time. If we explicitly select that user and invite them to the chat, it works.

Obviously, the graph API thinks that the Azure admin (rather than the end-user) is the caller requesting the chat. This doesn't seem right, and neither ServiceNow support, our implementation partners, nor any documentation or demos I can find indicate that it should be necessary to invite this user to every chat.

My assumption is that something odd is going on with OAuth, but I have not been successful in figuring it out, even with the assistance of ServiceNow support and others.

Can anyone suggest some troubleshooting tips to help me diagnose root cause and hopefully resolve this issue? I've been trying to pick apart the many tables within ServiceNow that govern Azure integrations as well as OAuth, but so far I haven't found a smoking gun.

I have looked for tokens in the oauth_credential table (is that the right place?) and I don't see any "Created by" the user who authorized the integration. I do see one for myself and ones for other people who have attempted to initiate chats, however. Some have a name of "Microsoft Teams Chat," other have names like "Microsoft Teams Graph Authorization Code," "Microsoft Teams Graph Spoke OAuth Client Credentials" and "Notify For Microsoft Teams" and I'm not clear which ones are used when.

spike · ‎05-30-2024

Did you ever find a solution for this? I'm experiencing the same problem and coming up empty on solutions..

mholmes · ‎05-30-2024

The "Collaboration Services" plugin, in conjunction with the "IT Service Management for Microsoft 365" plugin can be used for this. Then, an Azure admin can log in to ServiceNow (using the same account that they use to administer Azure) and use the "Install Azure Apps" wizard (found in the side nav) to install Microsoft Teams and "Request based chat."

This is not obvious from the documentation, because the Collaboration Services documentation links to the ServiceNow for Microsoft Teams and Microsoft 365 documentation, which in turn links to many different documents, none of which are plainly connected to the simple use case of "initiate a chat from a task." The documentation for "Install Azure Apps" is presented as being related to Virtual Agent functionality and "Employee Experience," so if you are simply intending to initiate chats from tasks, it is not obvious from the document that that is what you need.

spike · ‎05-31-2024

Thanks for the comments. So reading this it looks like you're saying that while I can use the spoke, I should look at installing the above stuff instead?

The Azure admin user, do they need to be an admin in ServiceNow to be able to do what you suggest?

Thanks again.

mholmes · ‎05-31-2024

It was certainly the most expedient way I could find. The Spoke can be used for other things, such as creating a meeting. I get the impression that different Teams-related features are fairly different in their ServiceNow implementations.

As for the Azure admin user, they don't need to be a ServiceNow admin, but they do need the external_app_install_admin role in ServiceNow (and possibly virtual_agent_admin - which contains external_app_install_admin).