We've been trying to download the bytes of hosted content attachments embedded in Team messages using the Microsoft Graph, but we encounter HTTP 403 Forbidden errors. It happens when the authenticated user becomes a member of an existing team using the Graph, then uses the GET chatMessageHostedContent beta API on a hosted content attachment.
These are the reproduction steps:
In the Teams browser or desktop application:
- Log in to your Office 365 tenant using a licenced user A,
- Create a new public team,
- In this team, create a new public channel,
- In this channel, create many hosted content attachments in multiple messages: copy-pasted images using the Snipping Tool, code snippets.
In the Microsoft Graph Explorer or any C# application that uses the Microsoft Graph Beta nuget package:
- Log in using to the same tenant, but as another user B, who is at least Teams Administrator and SharePoint Administrator
- Add this user as a member of new newly created team
- Get all the messages
- Download the bytes of all hosted content attachments
You will get HTTP 403 Forbidden errors on all hosted content attachments downloads.
There is a way to make it work, but it involves "manual work" that cannot be done programmatically:
As user B, open the channel in the Teams application UI (in Fiddler, we see HTTP 403 but at some point it starts to work)
Or, instead of joining the group using the Graph, still as user B, join the team using the Teams application UI
Each of these two solutions seems to trigger a permission synchronization process that cannot be done using the Graph only. Once they're done, downloading the hosted content bytes using the Graph works.
We also noticed that we don't get HTTP 403 for hosted content embedded in the General primary channel for some reason.
Is there anything we've missed?
