Share via

MS Graph API Create onlineMeeting returns error 403 No Application Access Policy found for this app.

Tomek Jagodowski 6 Reputation points
2022-06-09T20:10:33.98+00:00

Have Developer Sandbox tenant: 05b918a2-36ce-4bfe-aa74-ffc26a4d51fb
Created Enterprise App OID: 0095c6ae-ca8d-4b4d-bd2c-a073a2163995
with permissions
User.Read -Delegated
User.Read.All -Application
Calendars.ReadWrite -Application
OnlineMeetings.ReadWrite.All -Application

logged into powershell tenant to execute:
New-CsApplicationAccessPolicy -Identity newApp-policy -AppIds "0095c6ae-ca8d-4b4d-bd2c-a073a2163995"
Grant-CsApplicationAccessPolicy -PolicyName newApp-policy -Identity "fb9a9c8b-1ed8-4365-a6f3-ef4f5967bcc4"
Grant-CsApplicationAccessPolicy -PolicyName newApp-policy -Global

later
POST Method to create online meeting
https://graph.microsoft.com/v1.0/users/fb9a9c8b-1ed8-4365-a6f3-ef4f5967bcc4/onlineMeetings
still fails with 403 error: No Application Access Policy found for this app.

waited few hours, no change,
Added extra permission:
OnlineMeetings.ReadWrite -Delegated
no change

there is also github issue:
https://github.com/microsoftgraph/microsoft-graph-docs/issues/16801

Microsoft Security | Microsoft Graph
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. ShivaniRai-MSFT-7217 2,751 Reputation points
    2022-06-16T11:14:46.63+00:00

    Hi @Tomek Jagodowski ,

    As per this Microsoft Documentation, we need to identify the app’s application (client) ID in the Azure app registration portal
    and place it in this command: New-CsApplicationAccessPolicy -Identity newApp-policy -AppIds "{application (client) ID}". In the next step we need to Identify the user's user (object) ID in the Azure user management portal and then use this command: Grant-CsApplicationAccessPolicy -PolicyName newApp-policy -Identity "{object ID}"

    212101-image.png

    For validating application access policy you can run this command Get-CsApplicationAccessPolicy to check if the policy created successfully or not.

    Hope this helps.
    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

    Was this answer helpful?

    0 comments
  2. Tomek Jagodowski 6 Reputation points
    2022-06-10T10:35:48.643+00:00

    Seems the issue was placing OID instead App ID in the command
    New-CsApplicationAccessPolicy -Identity newApp-policy -AppIds "0095c6ae-ca8d-4b4d-bd2c-a073a2163995"

    Should there be a validation saying App ID not existing.
    After changing OID to matching App ID policy was granted successfully.

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.