User16862549565925374144 (Customer) asked a question.
Hi, I'm having some problems with the MS Teams connector for Workflows. We have a service account that we want to send chats directly to users when their workflow is done.
It seems to work sometimes, other times not. When I test the workflow sometimes the chat comes from whomever is testing the workflow or they get a 403 error.
If I log in as the service account and touch / reauthorize the connector and test the workflow it seems to work for a period of time.
Any thoughts what I can check? I want multiple admins to create workflows using the same Teams connector for consistency.
"error": {
"code": "Forbidden",
"message": "AclCheckFailed",
"innerError": {
"message": "RosterCreationNotAllowed-Create Thread: One or more members cannot be added to the unique roster thread",
"code": "40001",
"innerError": {},
@User16862549565925374144 (Customer) - This looks like a response error from Teams indicating you are perform an action with specific member(s) that cannot be performed against/for them.
AclCheckFailed (Workflows doesn't have ACLs.. this is a Windows thing). And a "Roster" is part of teams. Additionally web searching for AclCheckFailed makes it clear this is a Teams response.
>It seems to work sometimes, other times not. When I test the workflow sometimes the chat comes from whomever is testing the workflow or they get a 403 error.
This portion is confusing me. Are you saying that with a specific authorized connection you get a mix of success and 403s? And these appear to be random?
The above combined with:
>If I log in as the service account and touch / reauthorize the connector and test the workflow it seems to work for a period of time.
If both of these are true then it is likely something like a race condition / timing conflict on the Teams side. The reasoning for this is an authorized connection is immutable. You cannot even view any information about it in Workflows. It would either 100% work or 100% fail to maintain the exact credentials. Reauthing a connection means a period of time has passed which would also indicate anything to do with a previously failing user would have had time to complete on MS backend.
What is the exact action you are trying to perform with the Teams connector? Are you able to locate the specific Graph API documentation for Teams that can perform this action? If so do you receive the same behavior when using Custom API Action (CAPIA)?
In the simplest form, I want to get the chat ID using this widget:
[cid:image001.png@01D99AE1.A471F0B0]
@User16862549565925374144 (Customer) - This is an open public forum that community members can use to ask questions and receive answers by other community members and sometimes by Okta staff. If you would like direct assistance from Okta Support you will need to open a case.
Wow, huge apologies. I thought I was responding to my open case. 🙂 I wondered why the email notification was a different format.
Thanks for the response, I agree it looks like a Teams's issue. My hunch is I did not setup the account correctly when I first attached Okta to Teams but I can't find where the problem might be.
Looking at the flow history, and re-running that step will often create the same 403 error... but 5 minutes later pressing the same button the request goes through.
I might try to build my own API for the same step, that could give me a more useful error message.