New-CsApplicationAccessPolicy

Sushil Dangi 0 Reputation points
2026-02-16T12:02:35.6933333+00:00

Hi Team,

Currently we are creating and granting New-CsApplicationAccessPolicy to individual users, or getting all users from the tenant and applying it. Will this cover only the existing users in the tenant, or will newly created users also be covered? If we have to apply this to a group, how can we do it? Does adding a user to or removing a user from the group affect this policy automatically for the user? Can you please provide clear steps and commands to do it with a group?

Microsoft Teams | Development

Building, integrating, or customizing apps and workflows within Microsoft Teams using developer tools and APIs


2 answers

  1. TiNo-T 11,770 Reputation points Microsoft External Staff Moderator
    2026-02-16T12:59:45.6566667+00:00

    Please understand that our forum is a public platform, and we will modify your question to cover the personal information in the description. Kindly ensure that you hide this personal or organizational information the next time you post an error or other information, to protect personal data.

    Dear @Sushil Dangi,

    Welcome to Microsoft Q&A Forum!

    Thanks for sharing the additional details and the error output. Based on everything reviewed from the beginning, here are my insights into what happened, why the error occurred, and suggestions for you to check.

    1. What you did (correct steps):

    • Created an Application Access Policy using New-CsApplicationAccessPolicy.
    • Created a mail-enabled security group.
    • Added a user to the group.
    • Assigned the policy to the group using:

    Grant-CsApplicationAccessPolicy -Group XXXXXelabstech -PolicyName OrgTranscriptPolicy

    • Called Microsoft Graph APIs using application permissions (client credentials flow).

    All of the above steps are supported and valid.

    Mail-enabled security groups are a supported group type for CsApplicationAccessPolicy. No special group settings (dynamic group, M365 group, etc.) are required.

    Reference: Grant-CsApplicationAccessPolicy

    2. The error: “No application access policy found for this app” may not be caused by the group or by the assignment command. This error occurs when the Application (Client) ID used at runtime does not match the App ID listed in the Application Access Policy.

    At runtime, Microsoft Graph checks only one thing:

    Does the appId in the access token exist in the AppIds list of the CsApplicationAccessPolicy assigned to the user (directly or via group)?

    If the App ID does not match, Graph returns this error even if:

    • The policy exists
    • The policy is assigned correctly
    • The user is in the group

    This behavior may be expected.

    3. Common causes of this issue:

    Wrong ID used in the policy:

    • The policy must contain the Application (Client) ID
    • Not the Object ID
    • Not the Enterprise Application ID

    Token issued for a different app:

    • The access token used in Graph must belong to the same App Registration
    • If the token is generated for App A but the policy contains App B → error occurs

    Multiple app registrations:

    • Policy created for one app
    • Token generated for another app

    4. Here is the recommended validation checklist:

    Please validate in this order:

    • App Registration: please note the Application (client) ID
    • Check the Policy: Get-CsApplicationAccessPolicy -Identity "OrgTranscriptPolicy" to confirm the same App ID is listed under AppIds
    • Token: decode token to confirm appId matches the policy
    • Group:
      • User is a member of the group
      • Group is already assigned the policy (your command is correct)

    Once the App ID and token alignment is corrected, the error may stop without changing anything else.


    For more information on your concern:

    - What New-CsApplicationAccessPolicy actually does:

    • It creates a policy that contains Application (Client) IDs
    • When assigned, those apps may access online meetings / virtual events on behalf of users

    - Does assigning it to “all users” cover new users? The answer is No. If you run:

    Get-CsOnlineUser | Grant-CsApplicationAccessPolicy -PolicyName MyPolicy

    It applies only to users that exist at that moment. New users created later will not automatically get it. Please kindly review this case: https://learn.microsoft.com/en-us/answers/questions/5746422/rsc-policy-assignment

    - New-CsGroupPolicyAssignment may not work for CsApplicationAccessPolicy

    • It supports only certain Teams policies.
    • Application Access Policies may not be supported.
    • So, the correct cmdlet is only: Grant-CsApplicationAccessPolicy -Group

    Please see this case for more insights: https://learn.microsoft.com/en-us/answers/questions/5514401/regarding-the-csapplicationaccesspolicy-in-teams-p



    1 person found this answer helpful.
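
The token check from the validation checklist in the answer above, as an added example that is not part of the original answer or of Microsoft's own tooling: it decodes an access token locally and compares its app ID claim with a policy's AppIds. The helper names, the placeholder GUIDs and the sample token are constructed for illustration; the claims are read without validating the signature, which is sufficient only for this troubleshooting comparison.

```powershell
# Decode a JWT payload locally (no signature validation, no external service).
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url length.' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected header.payload.signature.' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

# Hypothetical helper: compares the token's client ID with the policy's AppIds.
function Test-TokenAgainstPolicy {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string[]]$PolicyAppIds
    )
    $claims = Get-JwtClaims $Token
    # v1.0 access tokens carry the client ID in 'appid', v2.0 tokens in 'azp'.
    $tokenAppId = if ($claims.appid) { $claims.appid } else { $claims.azp }
    [pscustomobject]@{
        TokenAppId   = $tokenAppId
        PolicyAppIds = $PolicyAppIds -join ', '
        Match        = $PolicyAppIds -contains $tokenAppId
    }
}

# Constructed sample token: placeholder GUID, dummy signature segment.
$enc = { param($t) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($t)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
$payload = '{"aud":"https://graph.microsoft.com","appid":"11111111-1111-1111-1111-111111111111"}'
$sampleToken = "$(& $enc '{"typ":"JWT","alg":"RS256"}').$(& $enc $payload).sig"

# Constructed policy list. In a live Teams PowerShell session use instead:
#   (Get-CsApplicationAccessPolicy -Identity "OrgTranscriptPolicy").AppIds
$policyAppIds = @('22222222-2222-2222-2222-222222222222')

Test-TokenAgainstPolicy -Token $sampleToken -PolicyAppIds $policyAppIds
```

With the constructed values the two IDs differ, which is the mismatch condition the answer describes; decode real tokens on your own machine rather than pasting them into a web-based decoder.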

  2. Q&A Assist
    2026-02-16T12:02:49.6866667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    When you create and grant a New-CsApplicationAccessPolicy, it applies to the users you specify at that time. If you grant the policy to all existing users in the tenant, it will not automatically apply to new users created after the policy is assigned. Each new user will need to have the policy assigned separately unless you have a mechanism in place to apply the policy to new users automatically.

    To apply the policy to a group, you can use the -Group parameter in the Grant-CsApplicationAccessPolicy cmdlet. This allows you to assign the application access policy to all users within a specified group. Here’s a basic example of how to do this:

    Grant-CsApplicationAccessPolicy -Group "YourGroupName" -PolicyName "YourPolicyName"
    

    When you add or remove users from the group, the application access policy will automatically apply to the users currently in the group. This means that if a user is added to the group, they will inherit the policy, and if they are removed, they will lose the policy assignment.

    Here are the steps to assign a policy to a group:

    1. Identify the group you want to assign the policy to.
    2. Use the Grant-CsApplicationAccessPolicy cmdlet with the -Group parameter to assign the policy.
    3. Monitor the group membership to ensure that users are added or removed as needed, which will automatically affect their policy assignment.

    Make sure to replace YourGroupName and YourPolicyName with the actual names you are using.
