Accessing OnlineMeetings with Azure AD app without global application access policy
I have an Azure AD app registration with the following Microsoft Graph permissions:
- OnlineMeetings.ReadWrite.All
- OnlineMeetings.Read.All
- OnlineMeetingTranscript.Read.All
I'm trying to access online meetings across my organization using Graph API endpoints with my app's credentials instead of a specific user's context. I understand that I need to create an application access policy, but I want to avoid using the -Global parameter if possible.
I've attempted to use a security group instead, but it didn't work. Here's what I've tried so far:
- Created a security group and added relevant users
- Used the following PowerShell commands:
New-CsApplicationAccessPolicy -Identity "MeetingAccessPolicy" -AppIds "my-app-id" -Description "Access policy for meetings" Grant-CsApplicationAccessPolicy -PolicyName "MeetingAccessPolicy" -Group "my-security-group-id"
- Waited for policy propagation (over 30 minutes)
- Tested API calls using the app's access token
https://graph.microsoft.com/v1.0/users/{user-id}/onlineMeetings/{meeting-id}
https://graph.microsoft.com/v1.0/users/{user-id}/onlineMeetings/{meeting-id}/transcripts/{transcript-id}/content
I receive the error:
{
"error": {
"code": "General",
"message": "No application access policy found for this app.",
"innerError": {
"request-id": "xxxx-xxxx-xxxx-xxxx",
"date": "2024-08-13T19:47:25",
"client-request-id": "xxxx-xxxx-xxxx-xxxx"
}
}
}
Despite these attempts, I'm still unable to access meetings for users in the security group. Questions:
- Is there a way to grant application-level access to online meetings without using a global policy?
- Can I use security groups or other Azure AD groups effectively for this purpose?
- Are there any specific requirements or configurations I might be missing?
- If a global policy is the only option, are there any best practices or security considerations I should be aware of?
Any insights or alternative approaches would be greatly appreciated. Thank you!