Teams Graph Application Access Policy for App-Only Chat Posting Prompt
Configure a Teams resource-specific application access policy so an app-only Graph identity can post messages to specific chats and channels without a signed-in user
- Target user: platform engineers building Microsoft Teams ChatOps automation
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior platform engineer who builds Microsoft Teams automation and configures Graph application access policies for app-only messaging.

I will provide:

- My app registration (client ID/app ID) and the app-only Graph permissions I have consented (e.g. Chat.ReadWrite.All, ChannelMessage.Send, Teamwork.Migrate.All)
- The scope I want: post to all teams/chats, or only specific ones
- My admin tooling (Microsoft Teams PowerShell module version, who holds the Teams admin role)

Your job:

1. **Confirm the permission model** — clarify which app-only Graph permissions are required for the specific send endpoint I am targeting and that an application access policy is the correct gate.
2. **Create the policy** — give the exact `New-CsApplicationAccessPolicy` command with the app IDs and a descriptive name/description.
3. **Scope the grant** — show `Grant-CsApplicationAccessPolicy` for a specific user/group vs. global, and explain the blast-radius difference.
4. **Verify propagation** — provide the commands to list and confirm the policy assignment, and warn about propagation delay before testing.
5. **Test the send** — give the app-only Graph call to post to a chat or channel and the expected 403 if the policy is missing or not yet propagated.
6. **Document least privilege** — recommend scoping to the minimum set of resources and a review/rotation cadence.

Output as: the PowerShell command sequence (create → grant → verify), the test Graph request, and a least-privilege/rollback checklist. Flag any cmdlet name, permission, or scoping behavior you are unsure of and tell me to confirm against current Teams PowerShell and Graph documentation.
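The sequence the prompt asks for (create → grant → verify → test → rollback), written out as an added PowerShell example; it is not part of the prompt above and not Microsoft's own sample. Every ID, account name and policy name is a placeholder, the client secret is read at runtime rather than stored in the script, and the example assumes what step 1 of the prompt is meant to confirm: that the consented app-only permission is accepted by the channel-message endpoint and that the application access policy is the gate in front of it. Treat the cmdlet parameters and the Graph route as things to check against current documentation, exactly as the prompt says.

```powershell
# Added example: application access policy create -> grant -> verify, then an
# app-only channel post as the smoke test. All IDs below are placeholders.
# Assumption: the policy gates the message-send endpoint (confirm against docs).

$AppId      = '00000000-0000-0000-0000-000000000000'   # placeholder app (client) ID
$TenantId   = '11111111-1111-1111-1111-111111111111'   # placeholder tenant ID
$PolicyName = 'ChatOps-Bot-Policy'                     # placeholder policy name
$PilotUser  = 'chatops-pilot@contoso.example'          # placeholder pilot account
$TeamId     = '<team-id>'                              # placeholder
$ChannelId  = '<channel-id>'                           # placeholder

Import-Module MicrosoftTeams
Connect-MicrosoftTeams   # requires a Teams administrator role

# 1. Create the policy and bind it to the single app that needs it.
New-CsApplicationAccessPolicy -Identity $PolicyName `
    -AppIds $AppId `
    -Description 'App-only ChatOps posting; owner: platform-eng; review quarterly'

# 2. Scope the grant. A per-user grant limits the blast radius to that one
#    identity; a -Global grant exposes every user in the tenant to the app.
Grant-CsApplicationAccessPolicy -PolicyName $PolicyName -Identity $PilotUser
# Grant-CsApplicationAccessPolicy -PolicyName $PolicyName -Global   # tenant-wide: avoid unless required

# 3. Verify the policy and its assignment. Assignment can take time to
#    propagate, so poll instead of trusting the first read.
Get-CsApplicationAccessPolicy -Identity $PolicyName | Format-List Identity, AppIds, Description
$deadline = (Get-Date).AddMinutes(30)
do {
    $assigned = (Get-CsOnlineUser -Identity $PilotUser).ApplicationAccessPolicy
    if ($assigned) { break }
    Start-Sleep -Seconds 60
} until ((Get-Date) -gt $deadline)
if (-not $assigned) { throw "Policy not visible on $PilotUser after 30 minutes; wait before testing." }

# 4. Test the send with an app-only (client credentials) token. The secret is
#    prompted for here; in automation it comes from a secret store, never the
#    script. A 403 means the permission/policy gate is missing or not yet live.
$Secret       = Read-Host -Prompt 'Client secret' -AsSecureString
$ClientSecret = ConvertFrom-SecureString -SecureString $Secret -AsPlainText   # PowerShell 7+
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $AppId
        client_secret = $ClientSecret
        grant_type    = 'client_credentials'
        scope         = 'https://graph.microsoft.com/.default'
    }

$body = @{ body = @{ content = 'ChatOps smoke test (app-only)' } } | ConvertTo-Json -Depth 3
try {
    Invoke-RestMethod -Method Post `
        -Uri "https://graph.microsoft.com/v1.0/teams/$TeamId/channels/$ChannelId/messages" `
        -Headers @{ Authorization = "Bearer $($tokenResp.access_token)" } `
        -ContentType 'application/json' -Body $body
} catch {
    $status = $_.Exception.Response.StatusCode.value__
    if ($status -eq 403) {
        Write-Warning 'HTTP 403: permission or policy gate not in place (or not yet propagated).'
    } else {
        throw
    }
}

# Rollback: clear the user's grant first, then remove the policy.
# Grant-CsApplicationAccessPolicy -PolicyName $null -Identity $PilotUser
# Remove-CsApplicationAccessPolicy -Identity $PolicyName
```

Run it from a pilot account first and keep the `-Global` line commented out; the per-user grant plus the polling loop is what turns "it returned 403" into a useful signal (not propagated yet versus genuinely not permitted) instead of a guess.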