Microsoft Teams App Permissions for AI Incident Assistant

Permission reference 

List channels 

Get channel 

 Conversation destination picker. When you open the Major Incident Management (MIM) creation dialog or any workflow that targets a Teams channel, AI Incident Assistant lists all channels for each of your teams in a searchable dropdown. The dropdown lets you select where to post an incident update, summary, or notification. The call is GET /teams/{teamId}/channels for each relevant team, often batched for performance.

 Incident channel resolution. When an incident is created in a specific channel, AI Incident Assistant calls GET /teams/{teamId}/channels/{channelId} to resolve the channel's display name and description. This metadata is used in incident cards, banners, and reports.

 Channel last-activity checks. AI Incident Assistant uses POST /$batch with GET /teams/{teamId}/channels/{channelId}/messages?$top=1 to determine the most recent activity timestamp per channel. This sorts channels by activity in the destination picker, so you see the most relevant channels first.

 Installation-time channel sync. When AI Incident Assistant is added to a team, channel metadata is synchronized so that later features (routing, search, incident creation) can reference accurate channel names without additional API calls.

Chat.ReadBasic.WhereInstalled

Chat.Read.WhereInstalled

Chat.ReadWrite.WhereInstalled

Chat.ReadBasic.WhereInstalled: Read names and members of one-to-one and group chats where the associated Teams app is installed, without a signed-in user.

Chat.Read.WhereInstalled: Read one-to-one and group chat messages for chats where the associated Teams app is installed, without a signed-in user.

Chat.ReadWrite.WhereInstalled: Read and write one-to-one and group chat messages for chats where the associated Teams app is installed, without a signed-in user.

Chat.ReadBasic.WhereInstalled 

Chat.Read.WhereInstalled 

Chat.ReadWrite.WhereInstalled 

 Resolving your personal DM chat with AI Incident Assistant. When AI Incident Assistant needs to send you a proactive message, for example a workflow result or notification, it calls GET /users/{userId}/chats?$filter=chatType eq 'oneOnOne' to find the 1:1 chat between you and the AI Incident Assistant bot. This is required because the Bot Framework does not always surface the chat ID.

 Conversation destination picker (group chats). When you are selecting where to route an incident update or notification, AI Incident Assistant lists your group chats through GET /users/{userId}/chats?$filter=chatType eq 'group'. Group chat names and members are resolved so the picker shows recognizable destinations.

 Reading chat history for incident reports. When you request an incident report from within a chat, AI Incident Assistant calls GET /chats/{chatId}/messages with pagination to read the conversation history for the configured time window. Messages are normalized and fed to the AI to produce a structured incident report. This is the same flow that powers incident reports in channels, adapted for chat-based incidents.

 Reading chat history for AI context (conversation lookback). During major incident management (MIM), AI Incident Assistant calls getFilteredChatMessages to backfill recent conversation context from a chat. This gives the AI agent awareness of what has already been discussed, preventing redundant questions and enabling more targeted incident triage.

 Image and file detection in group chats. When a user shares an image in a group chat, there's a known Teams platform limitation where the Bot Framework activity sometimes does not include the attachment metadata for drag-and-dropped files in group chats. AI Incident Assistant calls GET /chats/{chatId}/messages/{messageId} through the Graph API to check whether the message actually contains image attachments. If it does, AI Incident Assistant prompts the user to copy-paste instead.

 Chat member resolution. AI Incident Assistant calls GET /chats/{chatId}/members (individually or batched) to resolve the participants of group chats. This is used in the conversation picker to display member names for unnamed group chats, and to enrich incident report participant lists.

 Chat access validation. Before offering a chat as a routing destination, AI Incident Assistant uses POST /$batch with GET /chats/{chatId}/messages?$top=1 to validate that the app has read access to the chat. Chats where access fails are excluded from destination lists.

 Channel summary and multi-context generation. When generating summaries or multi-context AI outputs that span chat conversations, AI Incident Assistant reads the full chat message history through getAllChatMessages and normalizes it alongside channel data for unified analysis.

Chat.ReadBasic.WhereInstalled enumerates and displays chat metadata (names, type, member count) in destination pickers, and resolves the DM chat ID.

Chat.Read.WhereInstalled reads actual message content for incident reports, AI context lookback, channel summaries, and image attachment detection.

Chat.ReadWrite.WhereInstalled allows AI Incident Assistant to proactively send and update messages in chats where it is installed. For example: posting incident status updates, updating progress cards, and delivering workflow results into meeting chats.

Permission reference 

Get organization 

 Tenant onboarding during app installation. When a Teams admin or user installs AI Incident Assistant personally, into a group chat, or into a team; the bot's onInstallationUpdateAdd handler calls GET /organization/{tenantId} to retrieve the tenant's display name and verified domains. This information is used to associate the installation with the correct Microsoft 365 tenant in the AI Incident Assistant backend, display the tenant name in the onboarding welcome card, and validate tenant identity for multi-tenant deployments.

 Bot-added-to-team handler. When AI Incident Assistant is added to a team (via the onMembersAdded event, where the bot is in the members list), the same getTenantDetails call is run to ensure the team's tenant is recognized and properly configured.

Permission reference 

Get chatMessage hostedContent 

 Incident report image extraction. When you generate an incident report from a channel or chat, AI Incident Assistant scans the conversation messages for inline images (detected through <img> tags in message HTML). For each message containing images, AI Incident Assistant calls the hostedContents endpoint to download the binary image data. These images are base64-encoded and included in the generated incident report PDF or document, preserving visual context like screenshots, diagrams, and monitoring dashboards that participants shared during the incident.

 Channel indexing and backfill. When AI Incident Assistant indexes historical channel content for search and AI context, hosted content (inline images and files embedded in messages) is retrieved through the same endpoints to build a complete representation of the conversation.

Permission reference 

Create onlineMeeting (application) 

 Incident bridge call creation. When you trigger an incident workflow and select Microsoft Teams as the conferencing tool for the bridge call, AI Incident Assistant calls POST /users/{systemUserId}/onlineMeetings to create an online meeting. The meeting is created on behalf of a configured system user (the defaultUserId from your Teams integration settings). The response includes a joinWebUrl embedded in the incident banner card, allowing all responders to join the bridge call with a single click. Meeting participants are included in the meeting creation payload when available.

 Channel-linked collaboration meetings (MIM). During major incident management, the AI Incident Assistant creates a Teams meeting linked to the incident channel thread via the chatInfo.threadId property. This associates the meeting with the specific channel conversation, so the meeting chat and channel thread are connected. A transcription bot (Recall) may be added to the meeting to capture a live transcript for later incident analysis.

 Auto-created incident channel meetings. When an incident channel is provisioned and your organization's configuration includes automatic meeting creation, AI Incident Assistant creates a channel-linked meeting immediately after channel creation. This ensures a collaboration space is ready before responders even join.

Permission reference 

Get profilePhoto 

 Incident report participant avatars. When generating an incident report, AI Incident Assistant resolves each unique message sender from the conversation history. For each human participant, AI Incident Assistant calls GET /users/{userId}/photo/$value to download their profile photo as binary data. The photo is base64-encoded and included in the incident report alongside the participant's name, job title, email, and phone number. This makes incident reports visually rich and allows report readers to quickly identify who said what during the incident.

Permission reference 

List joinedTeams 

Graph API endpoints used 

 Conversation destination picker (teams list). When you open any workflow that targets a Teams channel (incident creation, MIM, broadcast, or channel summary), AI Incident Assistant calls GET /users/{userId}/joinedTeams to build the list of teams you belong to. This populates the first level of the destination picker. You select a team, then select a channel within that team.

 Installation validation for team destinations. After retrieving the list of joined teams, AI Incident Assistant cross-references each team against its installation records using the TeamsAppInstallation batch endpoints to determine which teams have AI Incident Assistant installed. Teams without AI Incident Assistant installed are either filtered out or marked as unavailable, preventing you from selecting destinations where the bot cannot operate.

 Conversation search and caching. The conversation search handler caches team lists to reduce repeated Graph API calls. On first load or cache expiration, getUserTeams is called, and results are cached per user and tenant. Subsequent searches use the cache until it expires.

Permission reference

List team members

 Team onboarding and member tracking. When AI Incident Assistant is installed into a team (through the onInstallationUpdateAdd or onMembersAdded bot events), the app installation handler calls GET /teams/{teamId}/members to retrieve the current team roster. This information is used to track which users have access to AI Incident Assistant in team context, pre-provision user records for team members so that subsequent interactions are seamless, and understand the scope of the installation for analytics and configuration.

 Installation reconciliation. When team membership changes (members are added or removed), the AI Incident Assistant conversation install tracker uses member data to keep its internal records in sync with the actual team roster.

TeamsAppInstallation.Read.All

TeamsAppInstallation.ReadForUser.All

TeamsAppInstallation.ReadWriteAndConsentSelfForChat.All

TeamsAppInstallation.Read.All: Read the Teams apps that are installed in any scope, without a signed-in user. Does not allow reading app-specific settings.

TeamsAppInstallation.ReadForUser.All: Read the Teams apps that are installed for any user, without a signed-in user. Does not allow reading app-specific settings.

TeamsAppInstallation.ReadWriteAndConsentSelfForChat.All: Allow a Teams app to read, install, upgrade, and uninstall itself for any chat, without a signed-in user, and manage its permission grants for accessing those specific chats' data.

TeamsAppInstallation.Read.All 

TeamsAppInstallation.ReadForUser.All 

TeamsAppInstallation.ReadWriteAndConsentSelfForChat.All 

List apps installed in a team 

List apps installed in a chat 

List apps installed for user 

Get chat for a user app installation 

Add app to chat 

Add app to user 

 Team destination validation. Before presenting a team as a valid destination in the conversation picker, AI Incident Assistant batch-validates that the app is installed in each candidate team. The call POST /$batch includes GET /teams/{teamId}/installedApps?$filter=teamsAppDefinition/authorization/clientAppId eq '{appId}' for each team. Teams where AI Incident Assistant is not installed are filtered from the destination list, preventing you from selecting teams where the bot cannot operate.

 Chat installation validation. Similarly, for group chat destinations, AI Incident Assistant batch-validates that the app is installed in each candidate chat through GET /chats/{chatId}/installedApps?$filter=.... This ensures that only accessible chats appear in destination pickers.

 Group chat discovery with app filter. When building the list of group chats where AI Incident Assistant is installed, the getUserGroupChatsWithAppInstalled function first lists your group chats, then batch-checks each chat's installed apps to filter down to only those chats where AI Incident Assistant is present.

 Personal app installation check. During onboarding and certain workflow submissions, AI Incident Assistant calls GET /users/{userId}/teamwork/installedApps?$expand=teamsApp to determine whether you already have AI Incident Assistant installed in personal scope. This prevents duplicate installation attempts and enables features that require personal scope, such as DM-based workflows.

 Personal app chat resolution. Once a personal installation is confirmed, AI Incident Assistant calls GET /users/{userId}/teamwork/installedApps/{installationId}/chat to resolve the 1:1 chat ID associated with that installation. This chat ID is needed to deliver proactive messages (notifications and workflow results) to your personal AI Incident Assistant chat.

 Proactive personal installation for MIM. When you create a major incident through the task module and do not have AI Incident Assistant installed in your personal scope, the MIM submission handler calls POST /users/{userId}/teamwork/installedApps to proactively install AI Incident Assistant for you. This ensures you can receive personal notifications and updates about the incident you just created.

 Incident meeting chat bot installation. When AI Incident Assistant creates an incident bridge meeting (through OnlineMeetings.ReadWrite.All), the resulting meeting has an associated meeting chat. AI Incident Assistant calls POST /chats/{chatId}/installedApps to install itself into that meeting chat, including a consentedPermissionSet payload that grants the bot RSC permissions in that specific chat (message read and write, chat settings read, and online meeting read). This is essential because the bot must be in the meeting chat roster to post incident updates and banner messages, RSC permissions are needed for the bot to read meeting chat messages and manage the incident workflow within the meeting context, and without this self-installation the meeting chat would be inaccessible to AI Incident Assistant.

 Meeting summary chat bot installation. When AI Incident Assistant needs to deliver a meeting summary to a meeting-linked chat, it calls addAppToChat to ensure it is present in the chat before posting. A 409 Conflict response (already installed) is handled gracefully.

Permission reference

Get user

List users

 User provisioning on first interaction. When you install AI Incident Assistant yourself or first interact with it, the app installation handler makes a GET request to/users/{userId} to retrieve your displayName, mail, givenName, jobTitle, and other profile properties. This data is used to create your record in the AI Incident Assistant backend, linking your Azure AD identity to your account. If a user with the same email already exists (for example, created through another channel), the accounts are merged rather than duplicated.

 RBAC and ability resolution. The defineAbility middleware calls getUser to resolve the Azure AD identity of the current user, which is then used to determine your permissions and role-based access controls.

 Incident report user enrichment. During incident report generation, AI Incident Assistant resolves every unique message sender from the conversation. For each human participant, GET /users/{userId} retrieves their display name, job title, email, and mobile phone. This data populates the participants section of the incident report.

 Meeting participant resolution. When creating an incident bridge meeting, AI Incident Assistant calls getUsersMinimal to batch-resolve participant identities (ID, UPN, and display name) for inclusion in the meeting creation payload. This ensures that meeting invitations include proper attendee information.

 Forwarded message sender enrichment. When Teams messages contain forwarded content, the original sender's display name is sometimes missing from the forwarded message metadata. The TeamsMessageEnrichment module calls getUsersMinimal as a fallback to resolve missing sender display names from Azure AD, ensuring that channel summaries and reports correctly attribute forwarded messages.

 Conversation picker — unnamed group chat display names. Group chats without a custom name are displayed as a comma-separated list of member names. AI Incident Assistant calls getUsersMinimal to batch-resolve the display names of chat members for these unnamed chats.

 Task module user resolution. Various task module flows (form submissions and dialog interactions) call getUser to resolve the identity of the submitting user for logging, attribution, and permission checks.