MS Teams using Managed Identity

OK this one’s not a problem with PSU per se - more a call for help in case someone else (@insomniacc?) has tried this.

I’d like to be able to manage Microsoft Teams from PSU, and I see that Connect-MicrosoftTeams has an -Identity parameter to let it connect using a managed identity.

Our PSU app service has its own managed identity (we use it to connect to AzKeyVault) so I’m assuming it’s possible to use that.

I have this script:

Connect-MicrosoftTeams -Identity
Get-Team

… and it appears to connect, but then throws this when it gets to the Get-Team call:

Code: InvalidAuthenticationToken

Message: CompactToken parsing failed with error code: 80049217

InnerError:

  RequestId: 846f64f5-51fb-4c3a-84ff-ad324428ca06

  DateTimeStamp: 2022-01-13T04:01:05

HttpStatusCode: InvalidAuthenticationToken

I’ve granted the “Group.ReadWrite.All” Graph role to the managed identity as best I can tell, so I think it should have permission.

Has anyone else tried connecting to Teams from an Azure-hosted instance of PSU?

Cheers,
Matt

Product: PowerShell Universal
Version: 2.7.0

Hey, can't say I have unfortunately. My UD instance is still sat on-prem not really doing much at the moment; it was just used as a demo, but we've been migrating our automation platform so that took priority and it kinda got put aside. It's taking forever to get anywhere with the networking team so I still don't have access back to on-prem from my webapp. … maybe one day soon.

I know when I played around with a PS function app, there's something similar in the default profile which uses the identity. I can't remember what it was doing but I think it set the identity to use with other things - bit of a stab in the dark but you could pop up an empty PS function app and have a look at the profile.ps1 to see if that helps.
I haven't specifically connected to Teams like this though, my Teams interaction has mainly just been webhooks and Graph data.

1 Like

I have not tried it, but per the MS doc, have you tried -Credential? Connect-MicrosoftTeams (MicrosoftTeamsPowerShell) | Microsoft Docs

This example demonstrates how to sign in using AccessTokens. Admin can retrieve Access Tokens. It requires two tokens, MS Graph Access Token and Teams Resource token.

$graphtoken = #Get MSGraph Token for following for resource  "https://graph.microsoft.com" and scopes "AppCatalog.ReadWrite.All", "Group.ReadWrite.All", "User.Read.All";
$teamstoken = #Get Teams resource token for resource id "48ac35b8-9aa8-4d74-927d-1f4a14a0b239" and scope "user_impersonation";

Connect-MicrosoftTeams -AccessTokens @($graphtoken, $teamstoken)

Mike

Yeah I use -Credential in my current (on-prem) scripts, but in the cloud, since I have an Azure Managed Identity for PSU, I wanted to try that.

The -AccessTokens option might work, but I’m not sure how to fetch the “Teams resource token”. I can get a Graph token with the Az PowerShell module, I think. Any clues?

I found this post of someone getting it to work with a code example. Again I have not tried it but maybe has some clues.

Mike

1 Like

Haha I had that exact page open and was reading it as you replied!

Ah - access tokens aren’t working yet for applications - only for users:

Errors connecting to teams via AccessTokens · Issue #8623 · MicrosoftDocs/office-docs-powershell (github.com)

I’d love to get -Identity working but for now I think I’ll have to revert back to using an actual Azure AD account and use -Credentials. Dang.

1 Like

Sorry, was worth a try. If you don't mind me asking, what are you doing in Teams that can not be done via Graph? Just wondering in case I hit that wall.
Mike

Ah I just find the MicrosoftTeams module much easier to use. I'm using Graph to interrogate Teams elsewhere, so it's still an issue.

I might be able to use Get-AzAccessToken to fetch a Graph token using my managed identity so I don’t have to store any credentials, too, so I will experiment with that.

1 Like

OK I’m having success with Graph. This code successfully finds our IT team and its members:

# Team to look up by display name
$team = 'Information Technology'

# Graph token issued to the App Service managed identity (no stored credentials)
$token = Get-AzAccessToken -ResourceTypeName MSGraph

$headers = @{
    Authorization = "Bearer $($token.Token)"
}

# Find the team by display name
$uri = "https://graph.microsoft.com/beta/teams?`$filter=displayName eq '$team'"

$team = (Invoke-RestMethod -Uri $uri -Headers $headers).value | Select-Object -First 1

if ($team) {
    # List the members of the team that was found
    $uri = "https://graph.microsoft.com/beta/teams/$($team.id)/members"

    (Invoke-RestMethod -Uri $uri -Headers $headers).value
}

… with no stored credentials! So that’s awesome. Shame that Connect-MicrosoftTeams doesn’t work, but this’ll get me going.

To answer your question, @MSchreiber - my use case for this test is a "who's on leave today" post. We have a daily script that interrogates our HR system to find out who's on leave today, and then uses an incoming webhook in a set of known Teams to post a message in a channel to say who in the team is on leave today. It's pretty slick!

2 Likes
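An added example, not code from the thread or from PowerShell Universal, that builds on the managed-identity Graph approach above: it inspects the token's audience and application roles before use (so a missing Group.* role fails with a clear message instead of a 403 from Graph), doubles any apostrophe in the team name so it cannot break out of the OData filter literal, and follows @odata.nextLink when the member list is paged. It assumes Az.Accounts is loaded and the session is already signed in with Connect-AzAccount -Identity; the function names are mine.

```powershell
function Get-JwtPayload {
    # Decode the claims segment of a JWT (no signature check; this only inspects
    # what the token carries before it is sent anywhere).
    param([Parameter(Mandatory)][string]$Jwt)
    $seg = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($seg.Length % 4) { 2 { $seg += '==' } 3 { $seg += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($seg)) | ConvertFrom-Json
}

function Get-GraphHeaders {
    # Token comes from the App Service managed identity; no credential is stored.
    $token  = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
    $claims = Get-JwtPayload -Jwt $token
    $graphAud = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
    if ($claims.aud -notin $graphAud) {
        throw "Token audience is '$($claims.aud)', not Microsoft Graph"
    }
    # App-only tokens list granted application permissions in 'roles'
    # (delegated tokens use 'scp'); check for one that allows listing team members.
    $needed = @('Group.Read.All', 'Group.ReadWrite.All', 'TeamMember.Read.All')
    if (-not ($claims.roles | Where-Object { $_ -in $needed })) {
        throw "Token roles [$($claims.roles -join ', ')] include none of [$($needed -join ', ')]"
    }
    @{ Authorization = "Bearer $token" }
}

function Get-TeamMembers {
    param([Parameter(Mandatory)][string]$DisplayName)
    $headers = Get-GraphHeaders
    # Double embedded apostrophes so "O'Brien's Team" stays inside the OData string literal
    $safeName = $DisplayName.Replace("'", "''")
    $uri  = "https://graph.microsoft.com/beta/teams?`$filter=displayName eq '$safeName'"
    $team = (Invoke-RestMethod -Uri $uri -Headers $headers -Method Get).value | Select-Object -First 1
    if (-not $team) { throw "No team named '$DisplayName' found" }
    # Graph pages large member lists; keep following @odata.nextLink until it is absent
    $members = [System.Collections.Generic.List[object]]::new()
    $uri = "https://graph.microsoft.com/beta/teams/$($team.id)/members"
    while ($uri) {
        $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
        foreach ($m in $page.value) { $members.Add($m) }
        $uri = $page.'@odata.nextLink'
    }
    $members
}

# Usage (constructed team name): list members with their display name, email and team roles
Get-TeamMembers -DisplayName 'Information Technology' | Select-Object displayName, email, roles
```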

Nice, glad you got it working. I love the Teams webhooks; makes it so easy to post stuff.
Mike

1 Like