Using Teams App Permission Policies

Control the Apps Users Can Install in Teams

The process of migrating Teams tenant management settings has been in progress since Microsoft announced the Teams Admin Center in April 2018. Lots has changed since and the Teams Admin Center has matured greatly, and now we see the final pieces of the puzzle appear with Teams app setup policies (to control the default apps available to users) and Teams app permission policies (to control the apps users are allowed to install and use, including during meetings).

Migrated Org-Wide App Settings

If you’ve already blocked some third-party apps in the Teams settings in the Office 365 Admin Center, you’ll find that the settings are moved across into org-wide app settings in the App Permissions Policies sector of the Teams Admin Center (Figure 1).

App Permission Policies in the Teams Admin Center
Figure 1: App Permission Policies in the Teams Admin Center

Org-wide app settings (Figure 2) control if third-party or custom apps (app packages developed by your organization) can be installed. If you allow third-party apps to be installed, you can create a list of blocked third-party apps that will never be available to users.

Teams Org-wide app settings
Figure 2: Teams Org-wide app settings

Teams App Permission Policies

App Permission Policies control the set of Microsoft, third-party, and custom apps available to end users. While org-wide settings apply to everyone in the tenant, app permission policies offer a finer degree of control down to the individual user level. Each policy allows access to its own set of apps (Figure 3). After you assign an app permission policy to a user, they can install any of the apps covered by the policy. An app permission policy can’t override a block set in the org-wide app settings.

A Teams App Permissions Policy
Figure 3: A Teams App Permissions Policy

Creating and Assigning Teams App Permission Policy

A global app permission policy is created automatically within a tenant and applied to all accounts. If you want to allow access to different apps, you can customize the set of apps defined in the global app permission policy or create a new app permission policy and assign it to selected accounts. An app permission policy covers three types of app:

  • Microsoft Apps.
  • Third-party Apps.
  • Tenant Apps (apps published and owned by the organization).

For each type of app, you can decide to:

  • Allow all apps. Users can install and use any app of the type published in the Teams app store.
  • Allow specific apps and block all others: The administrator selects the apps that users can install and use. Any other apps are blocked.
  • Block specific apps and allow all others: The administrator blocks selected apps available in the Teams app store and makes them unavailable to users.
  • Block all apps: Users aren’t allowed to install and use apps of this type.

When you restrict the set of apps available in Teams, the Store filters the set of apps, bots, and connectors it displays to users and team owners. To assign a policy to a user, go to the Users section of the Teams Admin Center, select the user, and edit the policies section of their account to update the assigned app permission policy, which will be the Global (Org-wide default) policy unless it was previously changed for another policy. Due to caching, it can take a up to a day before Teams clients respond to a change in the set of apps allowed to users or a change in the policy assigned to an account.

diting the policies assigned to a Teams user
Figure 4: Editing the policies assigned to a Teams user

Updating Teams App Permissions Policies with PowerShell

Editing individual accounts to update policies rapidly becomes a boring activity. The cmdlets to work with Teams App Permissions Policies are in V2.0 of the Teams PowerShell module. PowerShell makes it easy to assign the same App Permissions policy to a group of users, such as the members of a team. In the code snippet below, we connect to the Skype for Business Online endpoint, find the members of a team, and use the membership list to assign the policy to each member.

# Find members of the Human Resources Group and assign them the appropriate Teams App Permissions policy
$HRGroup = Get-Team -DisplayName "Human Resources Group"
$TeamUsers = Get-TeamUser -GroupId $HrGroup.GroupId -Role Member
$TeamUsers | ForEach-Object { Grant-CsTeamsAppPermissionPolicy -PolicyName "HR App Policy" -Identity $_.User}

For more information about managing all aspects of Teams, read the several hundred pages of coverage we give to Teams and Office 365 Groups in the Office 365 for IT Pros eBook. You won’t be disappointed.

10 Replies to “Using Teams App Permission Policies”

  1. I created a custom MS Teams App permission policy and did not assign any users to it. Now i want to delete the same. When i click delete it mentions cannot delete as this policy has been assigned to one or more users. I have a hard time in finding to whom this policy is assigned. Can you help

  2. Hi. I’m getting errors for Get-Team and Get-TeamUser for cmdlet not found, they appear to be Teams module cmds (vs SfB module cmds). Any advice?

    1. Get-Team and Get-TeamUser never appeared in the Skype module. I assume you’re using the latest version of the Teams module?

  3. Getting this eror :
    any idea ?
    Connecting to remote server failed with the following error
    | message : The WinRM client cannot process the request. Basic authentication is currently disabled in
    | the client configuration. Change the client configuration and try the request again. For more
    | information, see the about_Remote_Troubleshooting Help topic.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.