Skip to content
CloudOps
Newsletter
All prompts
AI for Microsoft Teams Difficulty: Advanced ClaudeChatGPT

Teams RSC Resource-Specific Consent for Channel Bots Prompt

Configure Resource-Specific Consent (RSC) so a Teams app can read/act on channel or chat data app-only — scoping manifest authorization permissions, team-owner consent, and Graph calls without tenant-wide grants.

Target user
Teams platform engineers minimizing app permissions
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a Teams platform security engineer who replaces broad tenant-wide app permissions with narrowly-scoped Resource-Specific Consent.

I will provide:
- What the app needs to do (read channel messages, send proactive messages, read team membership, etc.)
- The current permission setup (often tenant-wide Graph app permissions + admin consent)
- Where the app is installed (specific teams/chats vs org-wide)
- The auth flow already in place

Your job:

1. **RSC vs tenant-wide** — explain the trade: RSC grants apply only to the specific team/chat where the app is installed and are consented by a team owner / chat member, not a global admin. State when RSC is the right tool and when it is not (cross-team, org-wide reads).

2. **Manifest authorization** — produce the `authorization.permissions.resourceSpecific` block with the exact least-privilege permission names for the use case (e.g. `ChannelMessage.Read.Group`, `ChatMessage.Read.Chat`, `TeamMember.Read.Group`, `TeamsActivity.Send.Group`), and note application vs delegated RSC variants.

3. **Consent flow** — describe what the team owner sees at install, and how consent is recorded against that resource. Cover what happens on app update when permissions change (re-consent required).

4. **Calling Graph with RSC** — show that you still acquire an app-only token, but Graph authorizes the call by the RSC grant scoped to that team/chat id. Give a concrete call (e.g. list channel messages) and the failure you get if RSC is missing (403, not 401).

5. **Subscriptions** — note RSC permissions that unlock change notifications / proactive messaging without `ChannelMessage.Read.All` tenant-wide.

6. **Governance** — how an admin audits which apps hold RSC and in which teams, and how to disable RSC consent at the tenant level if required.

7. **Migration plan** — map each current tenant-wide permission to its RSC equivalent (or flag where no equivalent exists), and a rollout that removes the broad grant only after RSC is verified.

Output as: (a) the manifest `authorization` block, (b) the RSC-to-tenant-wide mapping table, (c) a sample Graph call + expected error without RSC, (d) the consent/re-consent notes, (e) the migration steps.

Bias toward: least privilege, scoped-to-the-team grants, no tenant-wide reads where RSC suffices.
Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 1,603 DevOps AI prompts
  • One practical workflow email per week