Thanks for reaching out to Microsoft Q&A forum support
As far as I know, the challenge here is that Microsoft Teams bots do not receive tenant-level admin role information (like Global Admin or Teams Admin) in the standard activity payload. These roles are managed by Azure AD (Microsoft Entra ID), and typically, developers use Graph API to query role assignments. However, since you're avoiding Graph API, you need a method that allows your bot to infer admin roles securely and efficiently without external API calls.
That said, the recommended solution is to use Azure AD's `wids` (well-known IDs) claim, which includes the GUIDs of any directory roles assigned to the user in the authentication token. By configuring your Azure AD app to include this claim, your bot can inspect the token and determine if the user holds a Global Admin or Teams Admin role, securely and without Graph API. This approach is preferred because it reflects actual Azure AD role assignments automatically, requires no manual mapping or maintenance, and allows your bot to enforce role-based access control entirely through token inspection. Azure AD keeps the token claims up to date, so your bot always receives accurate role information without external queries.
You can follow these instructions:
- Configure your Azure AD app registration to include the `wids` claim in the token:
  - Go to Token Configuration.
  - Add an optional claim for Directory roles.
- Enable Teams SSO so your bot receives a token when users interact.
- Decode the token and check the `wids` claim for:
  - Global Admin: 62e90394-69f5-4237-9190-012177145e10
  - Teams Admin: 69091246-20e8-4a56-aa4d-066075b2a7a8
  - FYI: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
- Apply role-based access control in your bot logic based on these values.
For more detailed information, you can read the links below:
https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims?tabs=appui
https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims-reference
This method aligns closely with your original requirement and is the most efficient way to implement secure role-based access control without relying on Graph API.
If you try this approach and still find that it doesn't fully meet your needs, feel free to leave a comment; I'd be happy to explore alternative solutions with you. There are always creative ways to adapt depending on your bot's architecture and organizational setup.
I am looking forward to hearing from you.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.