How to create access policy for using an app on behalf of a user at an organizational level

Debarghya Maity 40 Reputation points
2023-11-14T10:24:57.99+00:00

Hi,

I'm creating a bot in Teams that uses the "get meeting ID from joinWebUrl" Graph API. To use that in a bot I need to create an access policy for the same using PowerShell. I followed these docs but had no success. I ended up getting access denied. I need some help to execute the following at an organizational level.

Thanks

Microsoft Entra ID

Accepted answer
  James Hamil 26,116 Reputation points Microsoft Employee
    2023-11-15T23:33:05.45+00:00

    Hi @Debarghya Maity ,

    To create an access policy for using an app on behalf of a user at an organizational level, you can follow these steps:

    1. Connect to Microsoft Graph PowerShell using the least-privilege permission needed. For creating access policies, use Policy.ReadWrite.ApplicationConfiguration:

    Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration"

    2. Create a new access policy using the New-MgPolicyApplicationAccessPolicy cmdlet. You will need to specify the following parameters:
    • DisplayName: The display name of the access policy.
    • Description: A description of the access policy.
    • AppId: The ID of the app that the access policy applies to.
    • IsEnabled: Whether the access policy is enabled or disabled.
    • AccessRight: The access right that the access policy grants. In this case, you will want to use Application.
    • Condition: The condition that must be met for the access policy to apply. In this case, you will want to use UserConsent.

    Here is an example command:

    New-MgPolicyApplicationAccessPolicy -DisplayName "My Access Policy" -Description "Allows users to use the app on behalf of themselves" -AppId "{app-id}" -IsEnabled $true -AccessRight Application -Condition UserConsent

    Replace {app-id} with the ID of the app that you want to create the access policy for.

    3. Once the access policy has been created, you can assign it to users or groups using the Add-MgPolicyApplicationAccessPolicyAssignment cmdlet. You will need to specify the following parameters:
    • PolicyId: The ID of the access policy that you want to assign.
    • PrincipalId: The ID of the user or group that you want to assign the access policy to.
    • PrincipalType: The type of the principal. In this case, you will want to use Group or User.
    • TargetType: The type of the target. In this case, you will want to use Application.

    Here is an example command:

    Add-MgPolicyApplicationAccessPolicyAssignment -PolicyId "{policy-id}" -PrincipalId "{user-or-group-id}" -PrincipalType User -TargetType Application

    Replace {policy-id} with the ID of the access policy that you created, and {user-or-group-id} with the ID of the user or group that you want to assign the access policy to.

    Once you have assigned the access policy to the appropriate users or groups, they should be able to use the app on behalf of themselves.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
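The following script is an added example and is not part of the answer above. It shows the same procedure (create a policy naming the bot's app ID, then grant it either to specific users or tenant-wide) using the MicrosoftTeams PowerShell module's application access policy cmdlets (Connect-MicrosoftTeams, New-CsApplicationAccessPolicy, Grant-CsApplicationAccessPolicy, Get-CsApplicationAccessPolicy), which are the cmdlets the Teams documentation describes for letting an app call the online meetings Graph APIs on behalf of users. The app ID, policy name and user principal name are placeholders, and the account running it must hold a Teams administrator role; running the cmdlets as an ordinary user is one common cause of an "access denied" result.

```powershell
# Added example, not the answer's own commands. Uses the MicrosoftTeams module
# (Install-Module MicrosoftTeams) and assumes a Teams administrator account.

$AppId      = "00000000-0000-0000-0000-000000000000"   # placeholder: the bot's app (client) ID
$PolicyName = "MeetingBot-AccessPolicy"                 # constructed policy name
$TestUser   = "alice@contoso.example"                   # placeholder user principal name

# 1. Sign in with an account that holds a Teams administrator role.
Connect-MicrosoftTeams

# 2. Create the policy once. It lists the app IDs allowed to act on behalf of users;
#    Get-CsApplicationAccessPolicy makes the script safe to re-run.
if (-not (Get-CsApplicationAccessPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-CsApplicationAccessPolicy -Identity $PolicyName -AppIds $AppId `
        -Description "Allows the meeting bot to read online meetings on behalf of users"
}

# 3a. Least-privilege option: grant the policy only to the users the bot must act for.
Grant-CsApplicationAccessPolicy -PolicyName $PolicyName -Identity $TestUser

# 3b. Organization-wide option: make the policy the tenant default. Every user's
#     meetings then become reachable by the app, so enable this deliberately,
#     and prefer 3a while testing.
# Grant-CsApplicationAccessPolicy -PolicyName $PolicyName -Global

# 4. Verify the policy exists and carries the expected app ID. Per the Teams
#    documentation, a new grant can take up to about 30 minutes to take effect.
Get-CsApplicationAccessPolicy -Identity $PolicyName | Select-Object Identity, AppIds, Description
```

Scoping the grant to named users (step 3a) keeps the blast radius small if the bot's credentials are ever exposed; the tenant-wide grant (step 3b) is what "organizational level" means here, and it should be paired with monitoring of the app's Graph calls.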


0 additional answers
