Hi there, the MS Teams trigger node says the following:
Microsoft Teams Trigger requires the following permissions: ChannelMessage.Read.All Chat.Read.All Team.ReadBasic.All Subscription.Read.All Configure these permissions in Microsoft Entra
Does this mean that ALL the above permissions are required for eg “trigger on new chat message”? Or just the permission tied to the respective operation, ie “trigger on new chat message” just requires Chat.Read.All.
If Team.ReadBasic.All is required just for “trigger on new chat message”, then it’s a non-starter from an enterprise security perspective unfortunately.
Thanks for the help
hi @sac.mm.xlv , good day!
From what I can tell, the current implementation does not scope permissions per trigger type, so even “trigger on new chat message” may still require the broader permission set listed by the node.
Setting up MS Teams triggers can be quite a challenge due to the specific Enterprise permissions required in Azure. You usually need to ensure the app registration has the right API scopes, otherwise, the node just won’t see the incoming messages.
All 4 permissions are required regardless of which trigger event is used. The node shares one OAuth scope for everything, so even “new chat message” alone still needs eg Team.ReadBasic.All and Subscription.Read.All. There’s no way to scope it down per operation without modifying the node.
One workaround is to integrate with MS Power Automate flow to listen for chat messages, then have it POST to a plain n8n Webhook node, which requires zero Graph API permissions from your app registration. This is a premium solution and requires a subscription to Power Automate.
Another option is to use RSC and scope the app to a specific team (Resource-specific Consent for Apps - Teams | Microsoft Learn)