Microsoft Graph API Permissions - revoking permissions won't revoke previous connections

Time:06-30

This question is meant directly for GRAPH, not any particular programming language.

I just made myself a custom connector and I have a Graph call that creates a Microsoft Team. Now when I make the connection before granting the permission in Azure for the registered application, my call gets a 403 response, and that is absolutely OK! No permission has been granted yet.

OK then, now I add the Delegated permission of Teams.Create, consent and save. If I try to make the call now, it still gets the same 403 response. When I create a new connection (basically sign in again), it works. But the old one still does not.

This does not bother me that much, but if it is vice versa, that makes me nervous. Let's say your application goes crazy for some reason, so you go to registered applications and you revoke all of its permissions and consents. But even if you do so, and there was a connection made before you revoked permissions and cancelled the consents, it still has all the rights to create the team in my example.

Can you please explain to me how this stuff actually works? Is this intended?

CodePudding user response:

Thanks for reaching out to us. This is mostly due to a cached token: when you connected without having the proper permission, that token was cached with the previous scopes you had, which is why you are getting the 403 response. When you create a new connection, the new refresh token is used with the newly provided permissions.

Thanks
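
To see the effect described in the answer, you can decode a connection's access token and compare its scopes and expiry with what the call needs. The sketch below is an added example, not part of the original answer; it assumes the token is a JWT carrying the `scp` (space-separated delegated scopes) and `exp` claims, uses constructed unsigned sample tokens, and its function names are hypothetical.

```python
import base64
import json

NOW = 1_700_000_000  # constructed "current time" (epoch seconds) for the demo

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT-shaped string (sample data only)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()), "sig"])

def decode_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def inspect_token(token: str, required_scope: str, now: int) -> dict:
    """Report whether the cached token carries the scope and how long it lives."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()
    return {
        "has_scope": required_scope in scopes,
        "seconds_left": max(0, int(claims["exp"]) - now),
        "scopes": scopes,
    }

# Constructed sample: connection created BEFORE Teams.Create was consented.
OLD_TOKEN = make_sample_token(
    {"scp": "User.Read", "iat": NOW - 600, "exp": NOW + 3000})
# Constructed sample: connection created AFTER consent (new sign-in).
NEW_TOKEN = make_sample_token(
    {"scp": "User.Read Teams.Create", "iat": NOW - 60, "exp": NOW + 3000})

if __name__ == "__main__":
    for name, tok in (("old", OLD_TOKEN), ("new", NEW_TOKEN)):
        print(name, inspect_token(tok, "Teams.Create", NOW))
```

The scopes are fixed in the token at issue time, so a token that already lists `Teams.Create` keeps reporting `has_scope` as true until `seconds_left` reaches zero, regardless of later changes to the app registration.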
