RSC policy

Question

Hi Team,
can somebody pls provide details to create and assign a RSC policy to a user/group of users/all users if there is another way to do it to simplify the process. currently we are using below steps to do this activity but the process is lengthy and takes lot of time and its not user friendly to do it via powershell. is there any other way to do it automatically in a simple way through graph api or something else. ALso we see either assign to single user or all users but can we do this for group of users?

Also one more query, whats the difference between primary email and login email. If we ahve to subscribe to user's calendar which one should be used? if that email is migrated, should we subscribe with new email again and assign rsc policy again?or is there other process to follow.

Microsoft Teams Integration

( Graph + RSC )

Supported plans

Supported: Microsoft 365 Business Basic/Standard/Premium, Office 365 E1/E3/E5, Microsoft 365 E3/E5, and Teams Essentials (AAD only); not supported: Microsoft 365 Family/Personal and Teams Free.

Register app (Entra ID)

1. Portal → Microsoft Entra ID → App registrations → New registration; configure name and redirect if needed.
2. Grant Microsoft Graph API permissions as Application and/or Delegated as required below.

Toggle permissions

Add RSC to users to grant the app access to users meetings [one-time activity]

You need to be a Teams Admin or Global Admin to execute policy assignments.

Open powershell and perform below steps.

Prereq

Remove previously installed MicrosoftTeams modules to prevent version conflicts.

Terminal

Remove-Module MicrosoftTeams -ErrorAction SilentlyContinue
Uninstall-Module MicrosoftTeams -AllVersions -Force -ErrorAction SilentlyContinue

Copy

01

Install Required PowerShell Modules

Prereq

Install PowerShellGet and MicrosoftTeams with clobber to ensure latest cmdlets.

Terminal

Install-Module -Name PowerShellGet -Force -AllowClobber
Install-Module -Name MicrosoftTeams -Force -AllowClobber

Copy

02

Set Execution Policy (if not already allowed)

Policy

Allows execution of locally downloaded scripts signed by a trusted publisher

Terminal

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

Copy

03

Connect to Microsoft Teams

Connect

Import the module and authenticate to the tenant with admin credentials.

Terminal

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

Copy

04

Define RSC Policy Variables

Config

Provide a policy name and the Azure app registration’s client ID.

Terminal

$policyName = "OrgTranscriptPolicy"
$appId = "<YOUR_AZURE_APP_ID>"  #Replace with your actual App ID

Copy

05

Define Required Permissions

Permissions

List the Resource-Specific Consent roles required for meetings and transcripts.

Terminal

$resourceSpecificPermissions = @(
  "OnlineMeetings.ReadBasic.Chat",
  "OnlineMeetings.Read.Chat",
  "Calls.AccessMedia.All",
  "CallRecords.Read.All",
  "OnlineMeetings.Read.All",
  "OnlineMeetingTranscript.Read.All",
  "Chat.Read.All"
)

Copy

06

Build Policy JSON (for Graph API)

Optional

Teams resolves permission IDs automatically; JSON shown for clarity.

Terminal

$policyJson = @{
  Version = "1.0"
  Permissions = $resourceSpecificPermissions | ForEach-Object {
    @{
      ResourceAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
      ResourceAccess = @(@{ Id = ""; Type = "Role" })
    }
  }
} | ConvertTo-Json -Depth 5

Copy

07

Create or Update the Application Access Policy

Policy

Create a CsApplicationAccessPolicy binding the appId and granting access to meeting artifacts.

Terminal

try {
  New-CsApplicationAccessPolicy -Identity $policyName -AppIds $appId -Description "Access to online meetings and transcripts"
  Write-Output "RSC Policy '$policyName' created successfully."
} catch {
  Write-Warning "Policy may already exist. Skipping creation."
}

Copy

08

Assign Policy to a Specific User

Assign

Grant the policy to target users so the app can access their meeting resources.

Terminal

$userEmail = "<USER_EMAIL>"  #Replace with the actual user's email address.
Grant-CsApplicationAccessPolicy -PolicyName $policyName -Identity $userEmail
Write-Output "Policy assigned to $userEmail."

Copy

09

Assign to All Users (Bulk Assignment – Use with Caution)

Assign

Uncomment this block if you want to apply the policy to every Teams user

Terminal

 <#
 $users = Get-CsOnlineUser
foreach ($user in $users) {
    Grant-CsApplicationAccessPolicy -PolicyName $policyName -Identity $user.UserPrincipalName
    Write-Output "Assigned to $($user.UserPrincipalName)"
}
#>

Copy

Requires Teams Admin or Global Admin role to create and assign policies.

Answer 1

Dear @Sushil Dangi,

Welcome to Microsoft Q&A Forum!

Thanks for reaching out with your questions around simplifying the assignment of Resource-Specific Consent (RSC) policies in Microsoft Teams. After reviewing your current process and exploring available options, I wanted to clarify that:

• PowerShell is still required to create and assign RSC policies.
• At this time, Microsoft Graph API does not support creating or fully assigning RSC (ApplicationAccessPolicy) policies. While Graph can help with other aspects (like calendar subscriptions or user management), the actual policy creation and assignment must still be done via PowerShell.

That said, I have several suggestions that you can try to see if they can help you to simplify the process:

1.Option 1: This method enables or disables RSC for all apps across Teams and Chat using Microsoft Graph PowerShell SDK:

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
Set-MgBetaTeamRscConfiguration -State EnabledForAllApps
Set-MgBetaChatRscConfiguration -State EnabledForAllApps
Set-MgBetaTeamRscConfiguration -State DisabledForAllApps
Set-MgBetaChatRscConfiguration -State DisabledForAllApps

This controls whether apps with RSC permissions can access Teams and Chat resources across your tenant. However, this does not assign the RSC policy to users, that still requires PowerShell.

2.Option 2: This method ensures your app is automatically installed and pinned for users or groups:

• Go to Teams admin center > Teams apps > Setup policies
• Create or edit a policy
• Configure app installation permissions
• Assign policy to users/groups

This ensures the app is deployed and visible to users, but it does not grant the app access to meeting content. To enable access to meetings and chats, you still need to assign the RSC policy via PowerShell.

---

Additionally, I have some information for your second requirement: Handling UPN/Email changes in Calendar Subscriptions & RSC. Here’s how identity changes affect your integrations:

• When subscribing to a user’s calendar via Graph API, use the user’s UPN (login email) or, preferably, their Azure AD object ID. Avoid using primary email aliases, as they may not be accepted by all endpoints.
• If a user’s UPN or email changes, any Graph subscriptions using the old UPN will stop working. You’ll need to re-subscribe using the new UPN or ideally use the object ID to avoid this issue.
• RSC policy assignments are tied to the user’s Azure AD object, not their email or UPN. So, if a user’s email or UPN changes, the RSC policy remains assigned. No re-assignment is needed unless the user account itself is deleted or recreated.
• For long-term stability in integrations, always use the user’s object ID where possible. It is immutable and survives UPN or email changes.

Also, I found these articles that may be related and helpful for you:

• Teams Setup Policies: Assign policies to users and groups
• UPN Change Planning: Plan and troubleshoot UserPrincipalName changes in Microsoft Entra ID
• Graph API User Identification: Get a user
• Calendar API Usage: Working with calendars and events using the Microsoft Graph API

I hope this information can give you more insights in this case. Wish you a pleasant day!

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. 

Answer 2

To create and assign a Resource-Specific Consent (RSC) policy in Microsoft Teams, you can follow the steps outlined in your question, but there are some considerations and alternatives to simplify the process:

1. Assigning to Groups: Currently, the RSC policy assignment can be done for individual users or all users, but assigning to a specific group of users directly through PowerShell is not natively supported. However, you can script the assignment for a group by retrieving the users in that group and then looping through them to apply the policy. This is similar to the bulk assignment you mentioned.
2. Using Microsoft Graph API: While the PowerShell method is common, you can also consider using the Microsoft Graph API to automate the assignment of RSC policies. This can provide a more user-friendly interface and potentially streamline the process. You would need to set up the API permissions and make calls to assign policies programmatically.
3. Primary Email vs. Login Email: The primary email is typically the main email address associated with a user's account, while the login email may refer to the email used for authentication. For subscribing to a user's calendar, you should use the primary email. If the email has been migrated, you would need to subscribe using the new primary email and reassign the RSC policy accordingly.
4. Automation: To automate the process, consider creating a script that can handle the assignment of RSC policies based on group membership, which can be run periodically or triggered by specific events (like user migrations).

By leveraging the Graph API and scripting, you can simplify the process of assigning RSC policies to users in bulk or based on group membership, making it more efficient than manual PowerShell commands.

---

References:

• Assign policies in Teams – getting started
• Preapproval of RSC permissions