Using Teams App Permission Policies

Control the Apps Users Can Install in Teams

The process of migrating Teams tenant management settings has been in progress since Microsoft announced the Teams Admin Center in April 2018. A lot has changed since then and the Teams Admin Center has matured greatly. Now we see the final pieces of the puzzle appear with Teams app setup policies (to control the default apps available to users) and Teams app permission policies (to control the apps users are allowed to install and use, including during meetings).

Migrated Org-Wide App Settings

If you’ve already blocked some third-party apps in the Teams settings in the Office 365 Admin Center, you’ll find that the settings are moved across into org-wide app settings in the App Permission Policies section of the Teams Admin Center (Figure 1).

Figure 1: App Permission Policies in the Teams Admin Center

Org-wide app settings (Figure 2) control whether third-party or custom apps (app packages developed by your organization) can be installed. If you allow third-party apps to be installed, you can create a list of blocked third-party apps that will never be available to users.

Figure 2: Teams Org-wide app settings

Teams App Permission Policies

App Permission Policies control the set of Microsoft, third-party, and custom apps available to end users. While org-wide settings apply to everyone in the tenant, app permission policies offer a finer degree of control down to the individual user level. Each policy allows access to its own set of apps (Figure 3). After you assign an app permission policy to a user, they can install any of the apps covered by the policy. An app permission policy can’t override a block set in the org-wide app settings.

Figure 3: A Teams App Permissions Policy

Creating and Assigning Teams App Permission Policy

A global app permission policy is created automatically within a tenant and applied to all accounts. If you want to allow access to different apps, you can customize the set of apps defined in the global app permission policy or create a new app permission policy and assign it to selected accounts. An app permission policy covers three types of app:

  • Microsoft Apps.
  • Third-party Apps.
  • Tenant Apps (apps published and owned by the organization).

For each type of app, you can decide to:

  • Allow all apps: Users can install and use any app of the type published in the Teams app store.
  • Allow specific apps and block all others: The administrator selects the apps that users can install and use. Any other apps are blocked.
  • Block specific apps and allow all others: The administrator blocks selected apps available in the Teams app store and makes them unavailable to users.
  • Block all apps: Users aren’t allowed to install and use apps of this type.

When you restrict the set of apps available in Teams, the Store filters the set of apps, bots, and connectors it displays to users and team owners. To assign a policy to a user, go to the Users section of the Teams Admin Center, select the user, and edit the policies section of their account to update the assigned app permission policy. This will be the Global (Org-wide default) policy unless another policy was previously assigned. Due to caching, it can take up to a day before Teams clients respond to a change in the set of apps allowed to users or a change in the policy assigned to an account.

Figure 4: Editing the policies assigned to a Teams user

Updating Teams App Permissions Policies with PowerShell

Editing individual accounts to update policies rapidly becomes a boring activity. The cmdlets to work with Teams App Permissions Policies are in V2.0 of the Teams PowerShell module. PowerShell makes it easy to assign the same App Permissions policy to a group of users, such as the members of a team. In the code snippet below (run after connecting to the Skype for Business Online endpoint), we find the members of a team and use the membership list to assign the policy to each member.

# Find members of the Human Resources Group and assign them the appropriate Teams App Permissions policy
$HRGroup = Get-Team -DisplayName "Human Resources Group"
$TeamUsers = Get-TeamUser -GroupId $HRGroup.GroupId -Role Member
$TeamUsers | ForEach-Object { Grant-CsTeamsAppPermissionPolicy -PolicyName "HR App Policy" -Identity $_.User}
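
To confirm that every member of the team actually ended up on the intended policy, the following added example (not part of the original article) reports accounts whose assigned app permission policy differs from the expected one. The function name Get-AppPolicyDrift and the sample accounts are hypothetical; the code assumes the TeamsAppPermissionPolicy property returned by Get-CsOnlineUser is either a string or an object with a Name property, and that an empty value means the Global policy applies.

```powershell
# Added example: report users whose app permission policy is not the expected one.
function Get-AppPolicyDrift {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-CsOnlineUser output
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [string]   $ExpectedPolicy
    )
    foreach ($u in $Users) {
        $p = $u.TeamsAppPermissionPolicy
        # Assumption: the property is a plain string or an object exposing Name,
        # depending on the module version, so handle both shapes.
        $name = if ($null -eq $p) { '' }
                elseif ($p.PSObject.Properties['Name']) { [string]$p.Name }
                else { [string]$p }
        # No explicit assignment means the Global (Org-wide default) policy applies.
        if ([string]::IsNullOrWhiteSpace($name)) { $name = 'Global' }
        [pscustomobject]@{
            User     = $u.UserPrincipalName
            Policy   = $name
            Expected = $ExpectedPolicy
            Drift    = ($name -ne $ExpectedPolicy)
        }
    }
}

# Constructed sample input so the function can be tried without a tenant.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; TeamsAppPermissionPolicy = 'HR App Policy' }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   TeamsAppPermissionPolicy = $null }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.com'
                       TeamsAppPermissionPolicy = [pscustomobject]@{ Name = 'HR App Policy' } }
)
# Only bob@example.com is reported: he is still on the Global policy.
Get-AppPolicyDrift -Users $sample -ExpectedPolicy 'HR App Policy' | Where-Object Drift

# Against a tenant, feed it the members of the team used in the article:
# $members = Get-TeamUser -GroupId (Get-Team -DisplayName 'Human Resources Group').GroupId -Role Member |
#     ForEach-Object { Get-CsOnlineUser -Identity $_.User }
# Get-AppPolicyDrift -Users $members -ExpectedPolicy 'HR App Policy' | Where-Object Drift
```

The report reflects the assignment stored on the account; Teams clients can still take up to a day to honor it because of the caching described earlier.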

For more information about managing all aspects of Teams, read the several hundred pages of coverage we give to Teams and Office 365 Groups in the Office 365 for IT Pros eBook. You won’t be disappointed.

10 Replies to “Using Teams App Permission Policies”

  1. I created a custom MS Teams App permission policy and did not assign any users to it. Now I want to delete the same. When I click delete it mentions cannot delete as this policy has been assigned to one or more users. I have a hard time in finding to whom this policy is assigned. Can you help?

  2. Hi. I’m getting errors for Get-Team and Get-TeamUser for cmdlet not found, they appear to be Teams module cmds (vs SfB module cmds). Any advice?

    1. Get-Team and Get-TeamUser never appeared in the Skype module. I assume you’re using the latest version of the Teams module?

  3. Getting this error:
    Any idea?
    Connecting to remote server api.interfaces.records.teams.microsoft.com failed with the following error
    | message : The WinRM client cannot process the request. Basic authentication is currently disabled in
    | the client configuration. Change the client configuration and try the request again. For more
    | information, see the about_Remote_Troubleshooting Help topic.
