gadamdgt
commented
1 year ago I found the sollution. I had to:
- create new group in Entra ID for my organization and select "Microsoft Entra roles can be assigned to the group"
- add my application to group's members
- add "Teams Administrator" role to "Assigned roles" of this group
I'm trying to grant ComplianceRecordingPolicy via PowerShell SDK 7.3.8 using application-based access scenario. Graph API required permissions are set like Organization.Read.All, Policy.Read.All, Policy.ReadWrite.PermissionGrant. The response for *-CsTeamsComplianceRecordingPolicy commands is "Access Denied. Provide different credential or request access".
Sample code (.net7)d2.MoveNext() in /_/Providers/PolicyRP/src/Impl/HttpRequestHelper.cs:line 108
at Microsoft.Teams.Policy.Administration.Cmdlets.Providers.BaseTpmGetCmdlet`1.<>c__DisplayClass8_0.<b 0>d.MoveNext() in /_/Providers/PolicyRP/src/Impl/BaseTpmGetCmdlet.cs:line 40`
using (var rs = RunspaceFactory.CreateRunspace()) { rs.Open(); using (var ps = PowerShell.Create(rs)) { ps.Streams.Error.DataAdded += Error_DataAdded; ps.AddCommand("Set-ExecutionPolicy").AddParameter("Scope", "process").AddParameter("ExecutionPolicy", "Unrestricted"); ps.AddStatement(); ps.AddCommand("Import-Module").AddParameter("Name", "MicrosoftTeams"); ps.AddStatement(); ps.AddCommand($"Connect-MicrosoftTeams").AddParameter("CertificateThumbprint", $"{thumb}").AddParameter("ApplicationId", $"{cid}") .AddParameter("TenantId", $"{tenant}"); ps.AddStatement(); ps.AddCommand($"Grant-CsTeamsComplianceRecordingPolicy").AddParameter("Identity", userId).AddParameter("PolicyName", "crpname"); var result = ps.Invoke(); } }Exception mesage:{"code":"Forbidden","message":"Access Denied.","action":"Provide different credential or request access."}StackTrace:at Microsoft.Teams.Policy.Administration.Cmdlets.Providers.HttpRequestHelper1.Delegated access scenario is working fine. Application-based access scenario and supported cmdlets are described here https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-application-authentication The same issue occurs using Windows PowerSehell console.