Forum Discussion
403 Error: Application access policy not found, -Global scope not available in tenant
Hi everyone,
I'm trying to use Microsoft Graph API to retrieve online meeting details using an application identity. However, I receive a 403 error with the message:
"No application access policy found for this app"
I followed the documentation here: Configure application access policy, but I encountered a problem: the -Global scope mentioned in the documentation is not available in my tenant.
Iβve successfully granted the policy using the following methods:
Option A β Grant to Specific User
Grant-CsApplicationAccessPolicy -PolicyName "YOUR_POLICY_NAME" -Identity "email address removed for privacy reasons"
Option B β Grant to AD Group
New-CsGroupPolicyAssignment -GroupId "YOUR_GROUP_ID" -PolicyType ApplicationAccessPolicy -PolicyName "YOUR_POLICY_NAME"
These work fine, and the app can access online meetings for users or groups assigned this way.
However, I need to allow the app to access meetings across the organization, and the -Global assignment method is not available in my tenant.
Questions:
- Is there an alternative to -Global for tenant-wide access?
- Is this limitation expected in certain tenant configurations?
- Any workaround or best practice for enabling organization-wide access to online meetings via Graph API?
Thanks in advance!
4 Replies
Just to add, I was following the official documentation here:
π https://learn.microsoft.com/en-us/graph/cloud-communication-online-meeting-application-access-policyThis explains how to set up the policy, including the -Global scope, which unfortunately isnβt available in my tenant.
Which version of the Teams module are you using and what permissions does your user have? The switch is available for me, tested in few of my tenants
Alternative approach would be to assign the policy to users individually, which you can easily automate via PowerShell. The downside of this approach is that it might take some time, or even fail, in larger orgs. Here's an example, just in case: https://learn.microsoft.com/en-us/powershell/module/microsoftteams/grant-csapplicationaccesspolicy?view=teams-ps#assign-an-application-access-policy-to-all-users-in-the-tenant
Hi VasilMichev,
Thanks for your message.
Weβve already added the following application permissions to our app:
- CallRecords.Read.All β Application β Granted
- OnlineMeetingArtifact.Read.All β Application β Granted
- OnlineMeetingRecording.Read.All β Application β Granted
- OnlineMeetings.Read.All β Application β Granted
- OnlineMeetingTranscript.Read.All β Application β Granted
- User.Read.All β Application β Granted
- User.Read β Delegated β Not Granted
We are using Microsoft Graph API (not the Teams module) to retrieve online meeting details. The endpoint we are using is:
GET https://graph.microsoft.com/v1.0/users/{userId}/onlineMeetings/{meetingId}
Reference: Get onlineMeeting - Microsoft Graph v1.0 (https://learn.microsoft.com/en-us/graph/api/onlinemeeting-get?view=graph-rest-1.0&tabs=http)
We understand that assigning application access policies to users individually works, but our users prefer not to manage access this way. Weβre currently exploring alternative approaches that allow broader access without per-user policy assignments and will keep you updated on any progress.
Let us know if you have any suggestions or recommended best practices for this scenario.
Best regards,
David
