This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 40%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
We have an integration setup with Graph API that leverages OnlineMeetings.ReadWrite.All Application-level scope so that clients can schedule Teams meetings through our platform. While developing a few months ago, due to certain complexities within our application, we chose the Application-level scope instead of delegated.
Today, we are working with a couple of our clients to start using this integration and both have expressed concerns about this scope (and subsequent CsApplicationAccessPolicy) granting permission to schedule Teams meetings on behalf of ANY of their AD users. They are requesting that this can be limited to certain users within their respective companies.
From research, I've found that the CsApplicationAccessPolicy can either be granted globally or to specific users for Teams. Is there a way to assign the policy to a group instead of specific users? Alternatively, is there a way to restrict the integration/Graph API to work for specified groups only?
We cannot request clients to assign the policy to specific users, and maintain that list for each new/future user that gets added to their AD.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 24%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
As you said above, there is no settings that can set the App policy to the group via Teams admin center or PowerShell command. It only applies to the one or more users. if you want to control the channel permission to access app, you could refer to this part of document steps
For Teams API part, I will also add office-teams-app-dev tag to your thread. Someone checking office-teams-app-dev tag will give you more insights. Thanks for your understanding.
It has been a while, how is everything going?
If you have any update about this issue, please feel free to post back.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 62%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
@Jacob Miller - Please let us know if you still need any help?
If it is resolved, shall we close this this issue?
This can be closed. We will look into the potential of using delegated. Thanks.
@Jacob Miller - Graph API can work either on delegated permission or Application level permissions as mentioned in below documentation:
https://learn.microsoft.com/en-us/graph/api/application-post-onlinemeetings?view=graph-rest-1.0&tabs=http#permissions
We can not control the API to call on group level permissions.
