Application Access Policy Not Recognized Despite Proper Configuration #3348

Open
@jflasnier

Describe the bug

With the correct CsApplicationAccessPolicy in place and proper app registration, the Graph API call using an application token should succeed:
GET /v1.0/users/{user-id}/onlineMeetings/{meeting-id}/transcripts

Actual Behavior:
Consistent 403 error response:
```json
{
  "error": {
    "code": "General",
    "message": "No application access policy found for this app.",
    "innerError": {
      "request-id": "b20917f6-68c0-4c95-860d-d2f98ee385e1",
      "date": "2025-06-11T16:09:17"
    }
  }
}
```

Policy was created and granted globally using:

  • New-CsApplicationAccessPolicy -Identity "OnlineMeetingAccessPolicy" -AppIds "dd363d6f-8b5f-49b5-8278-5f01eb9e3fbf"
  • Grant-CsApplicationAccessPolicy -PolicyName "OnlineMeetingAccessPolicy" -Global

Also:

  • Graph Explorer call with delegated auth works (/me/onlineMeetings/.../transcripts).
  • Same API with application-only token fails (/users/{id}/onlineMeetings/.../transcripts).
  • Token roles confirm inclusion of required permissions.
  • Microsoft Support (case #2504030030007267) confirms configuration is correct and advised reporting to GitHub.

Please investigate why the SDK fails to recognize the ApplicationAccessPolicy despite configuration being validated and active. Either the SDK or Graph back-end does not honor the policy mapping for OnlineMeetingTranscript.Read.All in application context.

Expected behavior

With the correct CsApplicationAccessPolicy in place and proper app registration, the Graph API call using an application token should succeed:
GET /v1.0/users/{user-id}/onlineMeetings/{meeting-id}/transcripts

How to reproduce

Use an application-only token with the correct scopes:
GET /v1.0/users/{user-id}/onlineMeetings/{meeting-id}/transcripts
Authorization: Bearer {app-token}

SDK Version

No response

Latest version known to work for scenario above?

No response

Known Workarounds

No response

Debug output

### Configuration

PowerShell SDK Version: Microsoft.Graph 2.0.0+
App Registration: dd363d6f-8b5f-49b5-8278-5f01eb9e3fbf

Permissions granted (Application):
- OnlineMeetings.Read.All
- OnlineMeetingRecording.Read.All
- OnlineMeetingTranscript.Read.All
- OnlineMeetings.ReadWrite.All
- OnlineMeetingArtifact.Read.All
- User.Read.All
- Sites.Read.All
- Files.Read.All
- Application.Read.All

### Other information

_No response_

Labels: status:waiting-for-triage (an issue that is yet to be reviewed or assigned), type:bug (a broken experience)
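
A diagnostic for the "Token roles confirm inclusion of required permissions" step above, as an added example that is not part of the original issue or of the SDK: it decodes a token payload offline and checks the claims the access policy depends on. The helper names and the sample token are constructed for illustration; the claim names (`roles`, `scp`, `appid`, `azp`, `aud`) are the standard Microsoft Entra access-token claims.

```powershell
# Added example (not from the issue or the SDK); helper names are hypothetical.
# Decodes the payload only. The signature is NOT verified: diagnosis only.
function ConvertFrom-Base64Url([string]$Value) {
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Test-AppOnlyTokenClaims {
    param([string]$Token, [string]$ExpectedAppId, [string]$RequiredRole)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected 3 segments)' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # v1.0 access tokens carry the client ID in appid, v2.0 tokens in azp.
    $appId = if ($claims.appid) { $claims.appid } else { $claims.azp }
    [pscustomobject]@{
        Audience           = $claims.aud
        AppId              = $appId
        AppIdMatchesPolicy = ($appId -eq $ExpectedAppId)
        # App-only tokens carry roles; delegated tokens carry scp instead.
        IsAppOnly          = ($null -ne $claims.roles -and $null -eq $claims.scp)
        HasRequiredRole    = (@($claims.roles) -contains $RequiredRole)
    }
}

# Constructed sample token (unsigned); AppId and role are the ones in the issue.
$appId   = 'dd363d6f-8b5f-49b5-8278-5f01eb9e3fbf'
$payload = @{
    aud   = 'https://graph.microsoft.com'
    appid = $appId
    roles = @('OnlineMeetingTranscript.Read.All', 'User.Read.All')
} | ConvertTo-Json -Compress
$token = @(
    (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'),
    (ConvertTo-Base64Url $payload),
    'constructed-signature'
) -join '.'
Test-AppOnlyTokenClaims -Token $token -ExpectedAppId $appId -RequiredRole 'OnlineMeetingTranscript.Read.All'
```

When `AppIdMatchesPolicy`, `IsAppOnly` and `HasRequiredRole` are all true for the real token, the token matches what the post describes, and the 403 points at policy evaluation rather than token contents.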