Regarding the CsApplicationAccessPolicy in Teams powershell

Question

Regarding the CsApplicationAccessPolicy in Teams powershell

Wang, Qinjie 105

Hi, Teams,

Currently, many employees in our organization use Teams. We have developed a Teams bot app and would like to assign the CsApplicationAccessPolicy to a specific group of users (around 20,000 to 30,000 people). According to the documentation, this policy can be assigned to individual users or set as a global policy. However, after discussion, we believe that applying the policy globally is too risky in case of any issues, while assigning it individually to tens of thousands of users is not only a huge workload but also difficult to maintain. Therefore, we are looking for a more manageable solution.

Specifically, we would like to know if it is possible to assign this policy to a user group, similar to group management in Entra apps, so that we can manage access more efficiently and effectively.

If there is a solution or method for this, could you please provide detailed guidance? I am not very familiar with Teams PowerShell commands, so step-by-step instructions would be greatly appreciated.

Nivedipa-MSFT 3,731 Reputation points Microsoft External Staff Moderator

2025-08-05T09:21:55.8166667+00:00

@Wang, Qinjie - Thanks for bringing this issue to our attention.
Assigning the CsApplicationAccessPolicy in Microsoft Teams currently does not support direct assignment to Azure AD (Entra) groups; policies can only be assigned globally or to individual users via PowerShell.
Wang, Qinjie 105 Reputation points

2025-08-06T06:18:13.2466667+00:00

We still hope that it can support the concept of groups, as this would make management much easier.
Nivedipa-MSFT 3,731 Reputation points Microsoft External Staff Moderator

2025-08-08T05:23:19.2533333+00:00

@Wang, Qinjie - Thank you for your suggestion!

We appreciate your input. To ensure your idea is considered for future updates, we recommend submitting it through the Teams Feedback Portal. Feature requests are reviewed by the engineering team and may be prioritized based on various factors, including the number of requests received.

If you have any additional thoughts or feedback, please feel free to share them with us. Your contributions are valuable and help improve the product!

Thank you again for your valuable suggestion!

Accepted answer

1 additional answer

Your answer

Nivedipa-MSFT 3,731 Reputation points Microsoft External Staff Moderator

2025-08-05T09:21:55.8166667+00:00

@Wang, Qinjie - Thanks for bringing this issue to our attention.
Assigning the CsApplicationAccessPolicy in Microsoft Teams currently does not support direct assignment to Azure AD (Entra) groups; policies can only be assigned globally or to individual users via PowerShell.
Wang, Qinjie 105 Reputation points

2025-08-06T06:18:13.2466667+00:00

We still hope that it can support the concept of groups, as this would make management much easier.
Nivedipa-MSFT 3,731 Reputation points Microsoft External Staff Moderator

2025-08-08T05:23:19.2533333+00:00

@Wang, Qinjie - Thank you for your suggestion!

We appreciate your input. To ensure your idea is considered for future updates, we recommend submitting it through the Teams Feedback Portal. Feature requests are reviewed by the engineering team and may be prioritized based on various factors, including the number of requests received.

If you have any additional thoughts or feedback, please feel free to share them with us. Your contributions are valuable and help improve the product!

Thank you again for your valuable suggestion!

Answer 1

Steven-N 5,480 Microsoft External Staff Moderator

Hi Wang, Qinjie

Thanks for reaching out to Microsoft Q&A forum support

Based on your description, I understand that your organization has built a Teams bot app and you're trying to assign the CsApplicationAccessPolicy to a large group of users, somewhere between 20,000 to 30,000 people. You've ruled out applying the policy globally due to the risk of widespread impact if something goes wrong and assigning it individually to each user is understandably too time-consuming and hard to maintain.

The issue arises from the limitations in how CsApplicationAccessPolicy can be assigned. While Microsoft officially supports global and per-user assignments, these options do not scale well for large user bases. Global assignment affects all users and can introduce unintended consequences, while individual assignment requires significant administrative effort and lacks flexibility for ongoing management.

So, in this context, from my perspective view, you can try to a more manageable solution is to assign the policy to a group using PowerShell by following this instruction:

1.Create the affective dynamic group

Use Microsoft Entra ID (formerly Azure AD) to create a security group or Microsoft 365 group that includes the target users.

2.Assign the Policy via PowerShell

This is the PowerShell script on my testing environment, you can try to see if it works:

Install-Module -Name PowerShellGet -Force -AllowClobber
Install-Module -Name MicrosoftTeams -Force -AllowClobber
Connect-MicrosoftTeams
$groupName = "YourGroupName"
$policyName = "YourPolicyName"

Grant-CsApplicationAccessPolicy -Group $groupName -PolicyName $policyName
Get-CsApplicationAccessPolicy -Identity $policyName
Get-CsOnlineUser -Filter {ApplicationAccessPolicy -eq $policyName}

Note: You have to check this syntax of your group as:
User's image Or you can read here for more information: Grant-CsApplicationAccessPolicy (MicrosoftTeams) | Microsoft Learn

You may try the approach mentioned above to see if it resolves the issue. However, please note that success is not guaranteed, as the script was executed in my own environment. Differences between our environments could lead to unexpected behavior. If you have any updates or need further assistance, feel free to let me know in the comments section below.

Hope my answer will help you

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Wang, Qinjie 105 Reputation points

2025-08-06T03:27:27.4666667+00:00

Thank you for your response, Steven-N. Creating an Entra group (Azure AD) with over 20,000 members would be a significant workload and could overwhelm our team. We are looking for a simpler and faster way to add these users to the policy. Initially, we considered using a dynamic group (where users are automatically added based on rules), but our research showed that, due to Microsoft security policies, dynamic groups are not supported for this policy assignment. Apart from creating a large static group, are there any other more efficient solutions you could suggest?
Steven-N 5,480 Reputation points Microsoft External Staff Moderator

2025-08-06T06:28:09.87+00:00
Hi Wang, Qinjie

Thanks for replying

I understand your point and am currently exploring a more specific solution. Could you please provide the following information:

For the 20,000–30,000 users you intend to assign the policy to, do you already have a CSV file containing their details for importing into Entra ID?

If you don’t have a CSV file, are these users part of a specific group from which we can export a list to CSV?

If you do have a CSV file, I may be able to offer a solution to this issue. If not, I am going to explore alternative approaches for this concern.

I look forward to hearing from you soon.
Wang, Qinjie 105 Reputation points

2025-08-06T10:29:36.27+00:00

Hi， Steven-N
Thank you for your response

While we do have an Excel file containing all user information and email addresses, this method still relies on managing a static group, which makes efficient control and management challenging.

For example, if 1,000 to 2,000 out of 20,000 to 30,000 users need to be updated, we would still have to manually add or remove users thousands of times.

Is there a more dynamic or efficient solution you could suggest?
Wang, Qinjie 105 Reputation points

2025-08-07T09:02:18.97+00:00

Hi ,Steven-N , are you still following up on this issue? I look forward to your reply. Thank you.
Steven-N 5,480 Reputation points Microsoft External Staff Moderator

2025-08-07T09:33:08.2266667+00:00

Hi Wang, Qinjie
Sorry for late response
I am conducting and doing some test about your concern and going to inform you about the most definitive solution in my capabilities within today.

Best Regards
Steven-N 5,480 Reputation points Microsoft External Staff Moderator

2025-08-08T06:47:58.6266667+00:00

Hi Wang, Qinjie

After conducting some research and testing in my environment, unfortunately, I cannot explore any alternatives dynamic or enhanced method for your concern.

I completely understand how this limitation can make large-scale policy management feel inefficient and difficult to maintain so I’d encourage you to share this concern on the Microsoft Tech Community. It’s a space where product teams often engage, and your feedback could help influence future improvements. Others may also share creative workarounds or insights from similar deployments.

Thank you for your understanding

Best regards

Answer 2

Admin LTM Ltd 0

Hi,

Thank you for the detailed answer and script! I’m planning to try this group assignment method for CsApplicationAccessPolicy in our environment. Could you please confirm if this works in all tenants or only specific Microsoft 365/Teams licensing plans? Also, any tips for monitoring or troubleshooting policy assignments to groups? Thanks in advance!

Share via

Regarding the CsApplicationAccessPolicy in Teams powershell

1 additional answer

Your answer