Migrated to https://github.com/evenevan/export-ms-teams-chats
It's likely that this is out of your control, but for me, it says it requires admin permissions.
https://login.microsoftonline.com/common/oauth2/nativeclient?error=access_denied&error_subcode=cancel
The "Return to the application without granting consent" option is a blank webpage.
This might be my organization's policy or something by Microsoft.
Nonetheless, thank you. Wish MS just let us do this.
Sorry about your experience :(
Based on what I could find, your organization seems to have changed some default settings and made it so that admin permission is required for specific OAuth scopes. I've gone ahead and played around with different scopes, and it seems to still work with some of them removed.
If you want to try again with the reduced scopes, use the link in step 1 to download the new code. Then, it is basically the same steps as before. Please let me know how it goes if you decide to try it again 👍
Wow, thanks for getting back to me so fast on this!
The good news is that with your changes, I was able to sign in, but sadly I get another set of errors now :(
Line |
  65 |  $me = Invoke-RestMethod -Method Get -Uri "https://graph.microsoft.com …
     |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the
     | operation.","innerError":{"date":"2023-07-19T04:29:07","request-id":"e26a1c8c-41e9-4842-9d3c-d892d17502cd","client-request-id":"e26a1c8c-41e9-4842-9d3c-d892d17502cd"}}}
Getting all chats, please wait... This may take some time.
Invoke-RestMethod: {"error":{"code":"Forbidden","message":"Missing scope permissions on the request. API requires one of 'Chat.ReadBasic, Chat.Read, Chat.ReadWrite'. Scopes on the request 'openid, profile, email'","innerError":{"date":"2023-07-19T04:29:09","request-id":"6dba41d2-965a-48fc-94a1-2b4bf75bcec9","client-request-id":"6dba41d2-965a-48fc-94a1-2b4bf75bcec9"}}}
No worries!
It's unfortunate that didn't work, but Microsoft certainly didn't help with the vagueness of OpenID scope type's granted permissions. However, I have one more thing that you can try.
There is another OAuth scope type that you could try. Please note that I have not been able to test this one myself, as my organization locked down using third-party Azure Active Directory apps. First, download my code again (sorry!) as I have removed a seemingly unnecessary scope for this alternate method. Then, with a PowerShell 7 terminal in the directory with my code, run .\Get-MicrosoftTeamsChat.ps1 -clientId f498b5fc-4099-4a24-b14d-2bf4565d041a -tenantId DOMAIN, where DOMAIN is replaced with the part after the @ in your school/work email, such as contoso.com. In the authentication step, the app should be named "Teams Chat Export." If all goes well, you'll be able to sign in and the script will run.
If that doesn't work, then I'm just about out of ideas. In this case, it would be helpful to know which permission(s) your org locked down. With Microsoft's Graph Explorer, try signing in with your work/school account by clicking on the person near the top right. If you can sign in (I couldn't for my other org account), click on your profile picture at the top right and then click "Consent to permissions". In the search box that appears, for each of Chat.Read, User.Read, and offline_access, enter it into the search field and note if it says yes or no under the "Admin consent required" column. You may need to expand a category to find the permission. For reference, all three don't require admin consent for me.
Please let me know how this goes if you decide to try ( ノ ^ー^)ノ
Thanks again for giving it a shot!
Unfortunately, I got a new error, similar to the first:
Need admin approval
unverified
This app may be risky. If you trust this app, please ask your admin to grant you access. Learn more
Have an admin account? Sign in with that account
Return to the application without granting consent
I'll go through the Graph Explorer and report back on that part.
By the way, the app name is as you described, "Teams Chat Export"
Here's what I see from Microsoft's Graph Explorer
Permission        Admin consent required   Status
Chat.Read         No                       Consent
User.Read         No                       Unconsent
offline_access    No                       Consent
and some more items:
Chat.ReadBasic    No                       Consent
Chat.ReadWrite    No                       Consent
I'll try hitting Consent on the aforementioned permissions and see if there's an improvement.
Also, thanks for the instructions on how to log in so I can view these!
Update:
I'm not sure if this is from spamming Consent, but I am getting some success with queries like
https://graph.microsoft.com/v1.0/me/joinedTeams
which actually does return valid information.
Unfortunately, I'm getting errors similar to earlier when trying to get messages:
"error": { "code": "Forbidden", "message": "Missing scope permissions on the request. API requires one of 'ChannelMessage.Read.All, Group.Read.All, Group.ReadWrite.All'. Scopes on the request 'Channel.ReadBasic.All, ChannelMessage.Edit, Chat.Create, Chat.Read, Chat.ReadBasic, Chat.ReadWrite, openid, profile, Team.Create, Team.ReadBasic.All, User.Read, User.ReadBasic.All, User.ReadWrite, email, ChannelMessage.Send'"
I really appreciate your involvement with this project - thank you so much :)
Based on the permissions you've shown me, I found that the traditional scope type should be valid, as none require admin permissions, and for some reason, I hadn't thought of trying it out with the PnP Management Shell application. I've given this a quick test, and it seems to work. In theory, using the PnP Management Shell (which appears to be an allowed app for your org) and the traditional scopes (which allow fine-tuned control over the permissions) should get you through every hoop.
I've pushed another change to the project, which removes the OpenID scope type. Downloading the new code and following the normal guide should hopefully work, if you decide to continue to pursue this of course.
Finally, that error in the last message you sent is somewhat interesting, as it says that it is missing a scope. If you hit consent on the Chat.Read permission, that'll probably work.
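Added example, not part of the thread or of the gist's script: a PowerShell 7 helper that reads a Graph "Missing scope permissions" error body like the ones quoted above and reports which scopes the endpoint accepts versus which the token carries. The function name Get-GraphScopeGap is hypothetical, the sample body is the error from this thread with innerError omitted, and the read-only filter is a naming heuristic rather than a Graph rule.

```powershell
# Added example (hypothetical helper). In PowerShell 7 the response body of a
# failed Invoke-RestMethod call is available in a catch block as
# $_.ErrorDetails.Message; pass that string to -ErrorBody.
function Get-GraphScopeGap {
    param([Parameter(Mandatory)][string]$ErrorBody)

    $message = ($ErrorBody | ConvertFrom-Json).error.message
    $pattern = "requires one of '(?<need>[^']*)'\. Scopes on the request '(?<have>[^']*)'"
    $m = [regex]::Match($message, $pattern)
    if (-not $m.Success) {
        # Some other failure, e.g. Authorization_RequestDenied, which names no scopes.
        return $null
    }

    # Both lists are comma separated inside single quotes in the message text.
    $need = @($m.Groups['need'].Value -split ',\s*' | Where-Object { $_ })
    $have = @($m.Groups['have'].Value -split ',\s*' | Where-Object { $_ })

    [pscustomobject]@{
        AcceptedScopes  = $need
        TokenScopes     = $have
        # True only if the token already holds one of the accepted scopes.
        Satisfied       = [bool]($need | Where-Object { $_ -in $have })
        # Heuristic: an export only reads, so prefer scopes without "Write" in the name.
        ReadOnlyOptions = @($need | Where-Object { $_ -notmatch 'Write' })
    }
}

# Constructed sample: the chat-listing error from this thread, innerError omitted.
$sample = @'
{"error":{"code":"Forbidden","message":"Missing scope permissions on the request. API requires one of 'Chat.ReadBasic, Chat.Read, Chat.ReadWrite'. Scopes on the request 'openid, profile, email'"}}
'@

Get-GraphScopeGap -ErrorBody $sample | Format-List
```

For the sample, Satisfied is False and ReadOnlyOptions lists Chat.ReadBasic and Chat.Read, which shows the sign-in succeeded with identity scopes only and that a read scope still has to be requested and consented.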
Is there a way to also embed in the chat all sent and received files?
Right now in the exported HTML there is just the link to SharePoint.
Hi! Thanks for your work. I want to report to you that each chat with square brackets [ ] fails to export:
Easy to fix, just add after line 156: $name = $name -replace '[\[\]]','_'
Bye :)
Hey! Thanks for the fix, but I've pushed a slightly different fix for your issue that preserves the square brackets; the issue was an oversight on wildcard paths and just required changing parameters.
Is there a way to also embed in the chat all sent and received files? Right now in the exported HTML there is just the link to SharePoint.
I've glanced through the process of downloading SharePoint files and I have concluded that for the time being, I don't have the time to try and make it work.
If you're up for it, you could open an issue/pull request and work on an implementation. Otherwise, I may try adding this later on once I get some time. Although far from ideal, another solution is simply having all of the files available separately (you should have a folder named "Microsoft Teams Chat Files" in your org's OneDrive that has your uploaded files, but do note this doesn't include files uploaded by others).