Microsoft Graph OnlineMeetings.Read.All: Is Grant-CsAppAccessPolicy required for Graph OnlineMeetings.Read.All?

Question

I’m using and azure app with Microsoft Graph OnlineMeetings.Read.All (application permissions) to read Teams online meeting data from a .NET Core web app for all Entra users.

Is it mandatory to run Grant-CsAppAccessPolicy for the Entra ID app in order to successfully access online meeting data via Microsoft Graph?

Specifically:

• Does Graph access work with**New-CsAppAccessPolicy alone**, or
• Must the app be explicitly allowed using Grant-CsAppAccessPolicy, and
• In what scenarios is this policy required vs optional?

Looking for clarification on whether this step is always required or only needed for certain Teams workloads.

Answer 1

Hi @krishnanmythili,

Welcome to Microsoft Q&A, and thank you very much for reaching out.

Based on your description, the information Q&A assist provided is correct. That said, I’d like to further clarify this to help address your questions more clearly.

To answer your main question first: Grant‑CsApplicationAccessPolicy is mandatory in your scenario. Per Microsoft documentation, for cloud communications APIs (such as Teams online meetings), application permissions alone are not sufficient. They must be paired with an application access policy in order for Microsoft Graph requests to succeed.

If Grant‑CsApplicationAccessPolicy is not configured, it’s very common to see errors such as “No application access policy found for this app” when the application attempts to access Microsoft Graph. This behavior has been reported by other users as well such as this StackOverFlow thread for example, and in those cases the issue was only resolved after the application access policy was properly granted.

This link will take you to StackOverflow, which is outside Microsoft’s domain. Please note that Microsoft is not responsible for the accuracy, security, or advertising on external sites.

Regarding whether Graph access works with New‑CsApplicationAccessPolicy alone: unfortunately, no. The policy does not take effect until it is explicitly granted to users, a group, or applied globally using Grant‑CsApplicationAccessPolicy.

Finally, outside of delegated permission scenarios, Microsoft mentioned two application‑permission scenarios where a CsApplicationAccessPolicy is required:

• Allowing applications to access online meetings on behalf of a user
• Allowing applications to access virtual events created by a user

I hope this helps clarify your questions.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".      

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

To access online meeting data using the Microsoft Graph API with the OnlineMeetings.Read.All application permission, it is necessary to configure the application access policy. Specifically, the Grant-CsAppAccessPolicy cmdlet is required to explicitly allow the app to access online meeting resources on behalf of users. The New-CsAppAccessPolicy cmdlet is used to create the policy, but without granting it to the application using Grant-CsAppAccessPolicy, the access will not be effective.

In summary:

• New-CsAppAccessPolicy is used to create the policy.
• Grant-CsAppAccessPolicy is mandatory to apply that policy to the application, allowing it to access online meeting data.
• This step is generally required for applications that need to access Teams workloads, including online meetings.

If the application does not have the necessary permissions granted through Grant-CsAppAccessPolicy, it will not be able to successfully access the online meeting data, even if the application permissions are correctly set up in Azure AD.