How to Retrieve Teams Recordings (callRecordings) Across Organizers Using the Most Secure, Least-Privilege Approach

Trí Lê Đức 20 Reputation points
2026-06-08T03:13:25.6+00:00

We are implementing an application integrated with Microsoft Teams through the Microsoft Graph API and need to retrieve meeting recording content (callRecording) for meetings within our tenant.

We already know that retrieving recording content works for the organizer using delegated permissions (OnlineMeetingRecording.Read.All):

GET /me/onlineMeetings/{onlineMeetingId}/recordings
GET /me/onlineMeetings/{onlineMeetingId}/recordings/{recordingId}/content

This succeeds only because the signed-in user is the meeting organizer.

Problem

We need to retrieve the recording when the signed-in user is a participant or attendee of the meeting, not the organizer.

The delegated /me/... path does not cover this case. (In our case, we are creating an app to support employees in assessing their English, which is why each employee should be able to fetch the meeting transcript (already works) and the recordings for our assessment pipeline.)

As far as we can tell, the only available alternative today is the application permission:

OnlineMeetingRecording.Read.All

Using:

GET /users/{organizerUserId}/onlineMeetings/{onlineMeetingId}/recordings/{recordingId}/content

Concern

OnlineMeetingRecording.Read.All is an application-level, tenant-wide permission.

Granting it means our application can read the recording content of every meeting of every user in the tenant, regardless of who organized or participated in it.

From our company's security standpoint, this is over-privileged because:

It is far broader than the actual need, which is a participant accessing a recording they were part of.

It removes the per-user consent boundary that delegated permissions provide.

It increases blast radius if the app's credentials are ever compromised.

Questions

  1. Is there a supported way for a participant or non-organizer to retrieve recording content using delegated permissions, scoped to meetings they actually attended?
  2. If OnlineMeetingRecording.Read.All application permission is the only supported path, can its scope be restricted, for example via an application access policy, RBAC, or another mechanism, so the app can act on behalf of a signed-in user and can only read recordings within the permission (meetings that belong to the users only)?
  3. What is Microsoft's recommended pattern for least-privilege access to recording content across organizers?
Microsoft Teams | Development

Building, integrating, or customizing apps and workflows within Microsoft Teams using developer tools and APIs


Answer accepted by question author

Hani-Ng 11,650 Reputation points Microsoft External Staff Moderator
2026-06-08T04:23:47.62+00:00

Hi Trí Lê Đức

According to my research and understanding based on your description, I would like to share some information that I hope will be helpful:

Delegated access for participants (non-organizers)

At present, retrieving meeting recording content using delegated permissions is only supported when the signed-in user is the meeting organizer.

Meeting participants do not have permission to download recording content through Microsoft Graph APIs, even if they attended the meeting. (Get callRecording - Microsoft Graph v1.0 | Microsoft Learn)

As such, currently there is no supported method to retrieve recording content via delegated permissions for non-organizer users.

Application permission scope (OnlineMeetingRecording.Read.All)

The application permission:

This is inherently a broad, tenant-wide permission, and your concern about over-privileging is understood.

Access constraints

There are some mechanisms to reduce scope, but each has limitations:

  • Application Access Policy: This allows the app to act only on behalf of specific users (for example, a defined set of organizers). (Configure an application access policy using the cloud communications API - Microsoft Graph | Micro…) However, in scenarios where most or all employees can organize meetings, this would likely require including a large portion (or all) of users. In practice, this means the policy provides administrative scoping but does not significantly reduce access across the tenant.
  • Resource-Specific Consent (RSC): This enables a more granular, meeting-level model where access is granted within the context of a specific meeting. This approach requires a Teams app and consent at the meeting level, but it avoids granting tenant-wide access.

Based on current capabilities, here are some recommendations you can consider:

  • Application permission + application access policy: Suitable for service scenarios where recordings need to be collected centrally, but it remains organizer-based and may still be broad in practice depending on the tenant setup.
  • Resource-Specific Consent (RSC): Provides the most granular control currently available, as access can be limited to specific meetings where the app is installed and consented.
  • Access via storage layer (OneDrive / SharePoint): Since recordings are stored in OneDrive or SharePoint, accessing them as files using delegated permissions aligned with user access can better reflect participant-level permissions, depending on how sharing is configured.

Delegated access for participants to retrieve meeting recording content is not supported today, and application permissions are required for cross-user scenarios. While application access policies can limit access to specific users, their effectiveness may be limited in environments where most users can act as organizers. For more granular control aligned with least-privilege principles, approaches such as resource-specific consent (RSC) or accessing recordings via their OneDrive or SharePoint storage may be more suitable.

I hope this information helps.



1 person found this answer helpful.
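
An added example (not from this thread or from Microsoft): when the application permission is the only workable path, the app's backend can still refuse to fetch a recording unless the signed-in user is listed in the meeting's `participants`. It assumes `signed_in_oid` is the `oid` claim of an already validated user token and that `meeting` is the onlineMeeting object the backend fetched itself; `recording_content_path`, `participant_ids` and `RecordingAccessDenied` are hypothetical names, and the sample meeting is constructed.

```python
import re
from urllib.parse import quote

GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

class RecordingAccessDenied(Exception):
    """The signed-in user must not be handed this recording."""

def _user_id(participant):
    # meetingParticipantInfo.identity.user.id; guests or anonymous attendees
    # may carry no user identity, so any level can be missing or null.
    user = ((participant or {}).get("identity") or {}).get("user") or {}
    return (user.get("id") or "").lower()

def participant_ids(meeting):
    """Object IDs of the organizer and listed attendees of an onlineMeeting."""
    parts = meeting.get("participants") or {}
    ids = {_user_id(parts.get("organizer"))}
    ids.update(_user_id(a) for a in parts.get("attendees") or [])
    ids.discard("")
    return ids

def recording_content_path(signed_in_oid, meeting, recording_id):
    """Return the app-only request path, or raise if the caller is not listed."""
    oid = (signed_in_oid or "").lower()
    if not GUID.fullmatch(oid) or oid not in participant_ids(meeting):
        raise RecordingAccessDenied("caller is not a participant of this meeting")
    # The organizer comes from the meeting object the backend fetched itself,
    # never from a client-supplied value.
    organizer = _user_id((meeting.get("participants") or {}).get("organizer"))
    if not GUID.fullmatch(organizer):
        raise RecordingAccessDenied("meeting has no resolvable organizer")
    return "/users/{}/onlineMeetings/{}/recordings/{}/content".format(
        organizer, quote(meeting["id"], safe=""), quote(recording_id, safe=""))

# Constructed sample shaped like a Graph onlineMeeting resource (not real data).
SAMPLE_MEETING = {
    "id": "MSpjb25zdHJ1Y3RlZC1tZWV0aW5nLWlk",
    "participants": {
        "organizer": {"identity": {"user": {"id": "11111111-1111-1111-1111-111111111111"}}},
        "attendees": [
            {"identity": {"user": {"id": "22222222-2222-2222-2222-2222222222AA"}}},
            {"identity": {"user": None}},  # guest without a user identity
        ],
    },
}
```

This narrows what the app hands to each user; the app's credentials still carry the tenant-wide permission. The check relies on who is listed on the meeting, which is not proof of attendance.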

2 additional answers

  1. Trí Lê Đức 20 Reputation points
    2026-06-08T03:52:53.9733333+00:00

    Related to the AI Answer,
    "Restrict the app using an application access policy so it can only access online meetings and artifacts for specific organizer accounts (for example, a defined set of users or service accounts)."

    I've already raised some concerns about this, as every employee can be the organizer (create/schedule their own meetings, ...), so a specific list of users here mostly means global (all employees in the tenant). We just need to be consulted on a possible and decent solution that we can adopt.


  2. AI answer

    2026-06-08T03:13:53.11+00:00

    There is currently no supported way for a non-organizer (participant/attendee) to download Teams meeting recording content using delegated permissions scoped only to meetings they attended.

    From the provided documentation:

    1. Delegated permissions for callRecording/recordings
      • callRecording (for ad hoc calls) and online meeting recordings support delegated permissions only in the context of the organizer:
        • For callRecording:
          • Delegated: CallRecording.Read.All (ad hoc calls)
          • Application: CallRecordings.Read.All
          • Delegated access to recording content is explicitly stated as supported only for the meeting organizer; participants do not have permission to download recordings.
        • For online meeting recordings:
          • Delegated: OnlineMeetingRecording.Read.All
          • Application: OnlineMeetingRecording.Read.All, OnlineMeetingRecording.Read.Chat
          • Notes clarify that in delegated scenarios, only the organizer can get recording content, and participants can only be unblocked by tenant admin to download recordings via Teams policies, not via Graph delegated APIs.
    2. Application permissions and tenant-wide scope
      • For listing and accessing recordings across organizers, the supported pattern is application permissions:
        • OnlineMeetingRecording.Read.All for online meetings.
        • CallRecordings.Read.All for ad hoc calls.
      • Example for listing all recordings for meetings organized by a user:
             GET /users/{usersId}/onlineMeetings/getAllRecordings(meetingOrganizerUserId='{userId}',startDateTime={startDateTime},endDateTime={endDateTime})
        
        This requires OnlineMeetingRecording.Read.All application permission.
      • For listing recordings for a specific meeting:
             GET /users/{userId}/onlineMeetings/{meetingId}/recordings
        
        Requires OnlineMeetingRecording.Read.All (delegated or application, depending on scenario), but delegated access to content is restricted to the organizer.
    3. Application access policy as a scoping mechanism
      • For online meetings, when using application permissions, an application access policy is required:
        • Tenant administrators must create an application access policy and grant it to a user.
        • The policy authorizes the app to fetch online meetings or online meeting artifacts on behalf of that user (the user ID in the request path).
      • This does not scope access to “only meetings the signed-in user attended”; instead, it scopes which organizer’s meetings the app can access when using application permissions.
      • The note for onlineMeeting: getAllRecordings explicitly states that the request fails if meetingOrganizerUserId or an equivalent filter is not provided, reinforcing that the app is acting over meetings organized by specific users, not participants.
    4. Resource-specific consent (RSC) and recordings
      • OnlineMeetingRecording.Read.Chat is an application permission that uses resource-specific consent (RSC).
      • RSC allows scoping to the domain where the app is installed (for example, specific Teams contexts), but the context here is still about online meetings and their artifacts and does not provide a participant-only delegated model for recordings.
      • RSC-based permissions for ad hoc calls are explicitly stated as not enabled.
    5. Least-privilege guidance from Microsoft
      • Best practices emphasize:
        • Use the least privileged permissions required.
        • Prefer RSC where possible, then delegated, and only use application permissions when necessary because they carry the highest privacy risk.
      • For Teams export and meeting artifacts (transcripts/recordings), the documented prerequisites for export APIs include:
        • OnlineMeetingTranscript.Read.All
        • OnlineMeetingRecording.Read.All
      • These are application-level and tenant-wide by design, and are treated as protected APIs that require admin approval and careful governance.

    Direct answers to the questions

    1. Is there a supported way for a participant/non-organizer to retrieve recording content using delegated permissions, scoped to meetings they attended?
      No. Delegated access to recording content via Graph is supported only for the meeting organizer. Participants cannot use delegated Graph APIs to download recording content for meetings they attended.
    2. If OnlineMeetingRecording.Read.All application permission is the only supported path, can its scope be restricted so the app can act on behalf of a signed-in user and only read that user’s meetings?
      • OnlineMeetingRecording.Read.All is an application permission with tenant-wide potential, but:
        • For online meetings, an application access policy is required to authorize the app to access online meetings and artifacts on behalf of specific users (identified in the request path).
        • This allows scoping to meetings organized by specific users (via meetingOrganizerUserId or /users/{userId}/onlineMeetings/...).
      • There is no supported mechanism to restrict application permissions to “only meetings where the user was a participant” via Graph; the scoping is organizer-based, not participant-based.
    3. Microsoft’s recommended least-privilege pattern for accessing recording content across organizers
      Based on the documentation:
      • Use delegated OnlineMeetingRecording.Read.All only when the caller is the organizer and needs to access their own recordings.
      • For cross-organizer access (for example, compliance, export, or analytics scenarios):
        • Use application OnlineMeetingRecording.Read.All (and OnlineMeetingTranscript.Read.All if transcripts are needed).
        • Restrict the app using an application access policy so it can only access online meetings and artifacts for specific organizer accounts (for example, a defined set of users or service accounts).
        • Apply general least-privilege practices: limit which apps get these permissions, minimize the number of users in the access policy, and monitor usage.
      • Prefer RSC-based permissions like OnlineMeetingRecording.Read.Chat where applicable to further scope access to specific app installations, but this still does not provide participant-only delegated access.

    In summary, for an “employee self-service” scenario where each participant should programmatically fetch recordings only for meetings they attended, the current Graph capabilities do not provide a dedicated least-privilege delegated model. The supported options are:

    • Organizer-only delegated access.
    • Organizer-scoped application access via OnlineMeetingRecording.Read.All plus application access policies.
