Configure application access to online meetings or virtual events
For apps to access some cloud communications APIs with application permissions, in addition to the Microsoft Graph application permissions, tenant administrators must configure an application access policy. For details, see supported application permissions.
The following sections describe the two main scenarios that require an application access policy.
In some cases, such as background services or daemon apps running on a server without a signed-in user, it is acceptable for an app to call Microsoft Graph and perform actions on behalf of a user. For example, an app may require Microsoft Graph to schedule multiple meetings based on published schedules (like courses) or external scheduling tools. In such situations, the application can act on behalf of any user. Therefore, it is important to make sure that the user possesses the necessary privileges, such as being the organizer or co-organizer, to access the online meeting.
In cases where a signed-in user is not presented, an app can call Microsoft Graph to access a virtual event using application permissions. For example, an app can call Microsoft Graph to look up a virtual event that a user has created or retrieve attendance reports of a virtual event created by the user without using that user's delegated permissions. In these cases, the user must be the organizer of that virtual event.
Follow these steps to configure an application access policy for cloud communications resources such as online meetings and virtual events. These steps do not apply to other Microsoft Graph resources.
The following table compares application access policy for online meeting and virtual event under various scenarios involving two users. These scenarios involve two users (user_1 and user_2) and the following application access policies:
- Policy_1 contains one app ID (app_1)
- Policy_2 contains one app ID (app_2)
- Policy_3 contains both app IDs (app_1 and app_2)
Scenario | Online meeting | Virtual event |
---|---|---|
policy_1 is assigned to user_1, policy_2 is assigned to user_2 | app_1 can only access online meetings as user_1 app_2 can only access online meetings as user_2 |
app_1 can only access virtual events created by user_1 app_2 can only access virtual events created by user_2 |
policy_1 is assigned to user_1 and user_2 | app_1 can access online meetings as user_1 app_1 can access online meetings as user_2 |
app_1 can access virtual events created by user_1 app_1 can access virtual events created by user_2 |
policy_3 is assigned to user_1, no policy is assigned to user_2 | app_1 and app_2 can access online meeting as user_1 No app can access online meeting as user_2 |
app_1 and app_2 can access virtual events created by user_1 No app can access virtual events created by user_2 |
policy_3 is assigned to the whole tenant | Both app_1 and app_2 can access online meetings as either user_1 or user_2 | Both app_1 and app_2 can access virtual events created by either user_1 or user_2 |
To configure an application access policy and allow applications to access online meetings with application permissions:
Identify the app's application (client) ID and the user IDs of the users on behalf of which the app will be authorized to access online meetings.
- Identify the app's application (client) ID in the Microsoft Entra admin center > app registrations page.
- Identify the user's user (object) ID in the Microsoft Entra admin center > user management page.
Connect to Skype for Business PowerShell with an administrator account. For details, see Manage Skype for Business Online with PowerShell.
Create an application access policy containing a list of app IDs.
Run the following cmdlet, replacing the Identity, AppIds, and Description (optional) arguments.
New-CsApplicationAccessPolicy -Identity Test-policy -AppIds "ddb80e06-92f3-4978-bc22-a0eee85e6a9e", "ccb80e06-92f3-4978-bc22-a0eee85e6a9e", "bbb80e06-92f3-4978-bc22-a0eee85e6a9e" -Description "description here"
Grant the policy to the user to allow the app IDs contained in the policy to access 1) online meetings on behalf of the granted user, and 2) virtual events created by the granted user.
Run the following cmdlet, replacing the PolicyName and Identity arguments.
Grant-CsApplicationAccessPolicy -PolicyName Test-policy -Identity "748d2cbb-3b55-40ed-8c34-2eae5932b22a"
(Optional) Grant the policy to the whole tenant. This will apply to users who do not have an application access policy assigned. For details, see the cmdlet links in the Related content section.
Run the following cmdlet, replacing the PolicyName argument.
Grant-CsApplicationAccessPolicy -PolicyName Test-policy -Global
Note
- Identity refers to the policy name when creating the policy, but the user ID when granting the policy.
- When granting the policy, it will be applied to both online meetings and virtual events. If you prefer to manage online meetings and virtual events separately, we recommend that you have two separate applications.
- Changes to application access policies can take up to 30 minutes to take effect in Microsoft Graph REST API calls.
Administrators can use ApplicationAccessPolicy cmdlets to control online meeting and virtual event access for an app that has been granted any of the following application permissions:
- OnlineMeetings.Read.All
- OnlineMeetings.ReadWrite.All
- OnlineMeetingArtifact.Read.All
- OnlineMeetingTranscript.Read.All
- OnlineMeetingRecording.Read.All
- VirtualEvent.Read.All
For more information about configuring application access policy, see the PowerShell cmdlet reference for New-ApplicationAccessPolicy.
If you attempt an API call to access an online meeting or virtual event without configuring the application access policy, you might encounter the following error:
{
"error": {
"code": "Forbidden",
"message": "No application access policy found for this app",
"innerError": {
"date": "<date_redacted>",
"request-id": "599d9cb0-56ac-4dc5-b6f8-1456a1414609"
}
}
}
Follow the steps in this article to create and/or grant an application access policy that contains the app ID to the user ID.