Teams Oauth Connector Bug

[ghunt-afi]

Bug Description

Teams Oauth Connector has a bug / security vulnerability. It is trying to request Group.ReadWriteAll, when that is NOT in the description of required permissions. This is not a feature request, this is a bug of requiring permissions far beyond what is displayed. The displayed permissions are correct, the bug is what it is requiring on line 7.

n8n/packages/nodes-base/credentials/MicrosoftTeamsOAuth2Api.credentials.ts

To Reproduce

1.) Create teams connector (OAuth)
2.) Enter client ID and Secret from Azure App Registration
3.) Click Test
4.) Notice the azure requested permissions DO NOT MATCH what the n8n connector says it will require.

Expected behavior

Expected behavior after fixing the bug is that the permissions request will match what is stated in the app connector screen, and it will no longer attempt to request elevated and uneccessary permissions such as Group.ReadWriteAll

Debug Info

Debug info

core

• n8nVersion: 2.4.8
• platform: docker (self-hosted)
• nodeJsVersion: 22.21.1
• nodeEnv: production
• database: postgres
• executionMode: scaling (single-main)
• concurrency: -1
• license: enterprise (production)
• consumerId: 7289138f-6c0d-42f0-8138-45de69b83239

storage

• success: all
• error: all
• progress: false
• manual: true
• binaryMode: memory

pruning

• enabled: true
• maxAge: 336 hours
• maxCount: 10000 executions

client

• userAgent: mozilla/5.0 (macintosh; intel mac os x 10_15_7) applewebkit/537.36 (khtml, like gecko) chrome/145.0.0.0 safari/537.36
• isTouchDevice: false

Generated at: 2026-03-13T16:21:29.873Z

Operating System

Default (docker.n8n.io/n8nio/n8n:nightly)

n8n Version

2.4.8

Node.js Version

Default (docker.n8n.io/n8nio/n8n:nightly)

Database

PostgreSQL

Execution mode

main (default)

Hosting

self hosted

[n8n-assistant]

Hey @ghunt-afi,

Thank you for reaching out! We’ve received your issue and are looking into it. To help us track this internally, we’ve created a Linear ticket with the reference: "GHC-7265".

We’ll keep you updated as we make progress, but if you have any additional details or context to share, feel free to add them here - it’s always helpful!

Thanks for your patience and for bringing this to our attention.

---

For INTERNAL use only: GHC-7265

[Joffcom]

Hey @ghunt-afi

The notice is about the Teams trigger and is not a list of all scopes needed for the node to function correctly, the same credential is used for both the normal node and the trigger node.

Looking at the node quickly we do fetch from groups but I can't quickly see anything that edits or writes groups so it is possible that we could change that to a ready scope but it will need more digging into the node to confirm.