
Microsoft App Registration - how to create meetings using OnlineMeetings.ReadWrite.All within an application context and not a user context?


I currently have an app registration in the Azure portal. This app has a client secret set up on it and a number of API permissions as well. These are permissions for Microsoft Graph and are delegated. This is what it looks like (screenshot: Configured permissions).

Now I have also set up an App role for meetings, which looks like this (screenshot: App roles).

With this context in mind, you can see I have added an application permission from the "My APIs" section, which points to my app registration and the permission "OnlineMeetings.ReadWrite.All". My objective is to obtain an access token so that my client app can create a meeting by running the following POST:

POST /users/{userId}/onlineMeetings/createOrGet

My question is to try and gain an understanding of what the authorization scope and the grant type should be when trying to obtain an access token. I have tried setting the authorization scope to "offline_access https://graph.microsoft.com/.default" and the grant type to "client_credentials", but to no avail. I want my client app to be able to create a meeting on behalf of any user from my tenant without the need for user consent or for any application access policies to be set up in PowerShell. Is this possible?


Solution

  • Instead of setting up a new App role, you need to add the existing Microsoft Graph permission named OnlineMeetings.ReadWrite.All of Application type and grant admin consent to it.

    I registered one Azure AD application and granted the API permission as below (screenshot: API permissions with OnlineMeetings.ReadWrite.All, Application type, consent granted).

    Note that you need to create an application access policy and grant it globally to authorize the app configured in the policy to create online meetings on behalf of any user.

    I used the PowerShell commands below to install the MicrosoftTeams module and create the application access policy:

    # Install and load the Teams PowerShell module, then sign in as a Teams admin
    Install-Module -Name MicrosoftTeams -Force -AllowClobber
    Import-Module MicrosoftTeams
    Connect-MicrosoftTeams

    # Create a policy that names the app registration's application (client) ID
    New-CsApplicationAccessPolicy -Identity Sri-Test-policy -AppIds "xxxxxxxxxx" -Description "Allow access to Teams App"

    # Grant the policy tenant-wide so the app can act on behalf of any user
    Grant-CsApplicationAccessPolicy -PolicyName Sri-Test-policy -Global

    Response: (screenshot of the PowerShell output)

    Now, I generated an access token using the client credentials flow via Postman with the parameters below:

    POST https://login.microsoftonline.com/tenantID/oauth2/v2.0/token
    grant_type: client_credentials
    client_id: appID
    client_secret: secret
    scope: https://graph.microsoft.com/.default

    Response: (screenshot of the token response)

    When I used this token to make the POST request below, the online meeting was created successfully:

    POST https://graph.microsoft.com/v1.0/users/{userId}/onlineMeetings/createOrGet
    Content-Type: application/json

    {
      "startDateTime": "2023-07-29T14:30:34.2444915-07:00",
      "endDateTime": "2023-07-29T15:00:34.2464912-07:00",
      "subject": "Sri Demo Online Meeting",
      "externalId": "xxxxxxxxxx",
      "participants": {
        "attendees": [
          {
            "identity": {
              "user": {
                "id": "xxxxxxxxxxxxx"
              }
            },
            "upn": "demouser@xxxxxxx.onmicrosoft.com"
          }
        ]
      }
    }

    Response: (screenshot of the created onlineMeeting resource)

    Reference: onlineMeeting: createOrGet - Microsoft Graph v1.0 | Microsoft
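The same flow as the answer above, as an added Python example that is not part of the original answer: it builds the client-credentials token request (a single `https://graph.microsoft.com/.default` scope, with no delegated-only scope such as `offline_access`, which the question's attempt included), inspects the returned token's `roles` claim to confirm the Application permission was actually consented before calling Graph, and builds the createOrGet body. Tenant, app, user IDs and the UPN are placeholders supplied by the caller, and `unsigned_demo_token` is a constructed helper for offline demonstration only; a real token still has to be obtained from the token endpoint and the app must be covered by the application access policy shown above.

```python
import base64
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
MEETING_URL = "https://graph.microsoft.com/v1.0/users/{user_id}/onlineMeetings/createOrGet"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # the only scope an app-only request carries

def build_token_request(tenant, client_id, client_secret):
    # Client-credentials form body. Delegated-only scopes such as offline_access are not
    # valid here: an app-only token request takes exactly one <resource>/.default scope.
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": GRAPH_SCOPE}
    return TOKEN_URL.format(tenant=tenant), urllib.parse.urlencode(form).encode()

def token_claims(access_token):
    # Decode the JWT payload for inspection only; no signature check (Graph validates the token).
    payload = access_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def has_app_role(claims, role="OnlineMeetings.ReadWrite.All"):
    # App-only tokens list granted application permissions in 'roles' (delegated tokens use 'scp').
    # No role here means the Graph permission was not added and consented as Application type.
    return role in claims.get("roles", [])

def build_meeting_body(subject, start_iso, minutes, external_id, attendee_id, attendee_upn):
    # Body for createOrGet, mirroring the answer's request; all values come from the caller.
    start = datetime.fromisoformat(start_iso)
    return {"startDateTime": start.isoformat(),
            "endDateTime": (start + timedelta(minutes=minutes)).isoformat(),
            "subject": subject, "externalId": external_id,
            "participants": {"attendees": [
                {"identity": {"user": {"id": attendee_id}}, "upn": attendee_upn}]}}

def create_or_get_meeting(access_token, user_id, body, opener=urllib.request.urlopen):
    # POST on behalf of user_id. Even with the right role, Graph answers 403 unless the app
    # is covered by a Teams application access policy. 'opener' is injectable for offline tests.
    req = urllib.request.Request(MEETING_URL.format(user_id=user_id), method="POST",
                                 data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {access_token}",
                                          "Content-Type": "application/json"})
    with opener(req) as resp:
        return json.load(resp)

def unsigned_demo_token(claims):
    # Constructed, unsigned JWT for offline demonstration only; real tokens come from TOKEN_URL.
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."
```

A token that decodes with `scp` instead of `roles` was issued by a delegated flow and will not satisfy `has_app_role`; fix the permission type and consent in the app registration rather than changing the request.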