We have an integration setup with Graph API that leverages OnlineMeetings.ReadWrite.All Application-level scope so that clients can schedule Teams meetings through our platform. While developing a few months ago, due to certain complexities within our application, we chose the Application-level scope instead of delegated.
Today, we are working with a couple of our clients to start using this integration and both have expressed concerns about this scope (and subsequent CsApplicationAccessPolicy) granting permission to schedule Teams meetings on behalf of ANY of their AD users. They are requesting that this can be limited to certain users within their respective companies.
From research, I've found that the CsApplicationAccessPolicy can either be granted globally or to specific users for Teams. Is there a way to assign the policy to a group instead of specific users? Alternatively, is there a way to restrict the integration/Graph API to work for specified groups only?
We cannot request clients to assign the policy to specific users, and maintain that list for each new/future user that gets added to their AD.