Granting Consent for Data Access by Third-Party and LOB Apps
As described in Office 365 notification MC222892 (September 26), Microsoft has made several important changes to the way third-party apps are managed in the Teams admin center. The changes are linked to Microsoft 365 roadmap item 67140 and are now available.
The Teams apps section of the admin center supports management of apps and of the permission and setup policies used to deploy apps to users. The first change is that the app listing now includes a Permissions column showing when a third-party app needs permission. The idea is that an admin can take care of consent centrally, so end users don’t have to seek consent themselves when they want to use an app.
Apps published by Microsoft don’t need to be granted consent. Some third-party apps don’t need consent either because they do not interact with Microsoft 365 data like user accounts or sites. For instance, the Adobe Sign app allows users to sign documents with that service without accessing any Microsoft 365 data.
The Need for Permissions
Third-party apps or LOB apps created by a tenant can access Microsoft 365 data with the Microsoft Graph, but only if they receive permission to access the data. Microsoft Graph divides permissions into sets of actions that an app can perform. When you see View details in the Permissions column, you know that the app needs administrator consent (on behalf of the tenant) to access data via the Graph.
To give consent, select an app, open the Permissions tab in its details, and then click Review permissions and consent. You must be able to sign in as a tenant administrator to give consent. Once signed in, you’ll see the permissions requested by the app. Figure 2 shows that the chosen app wants to read user profile information from Azure AD. Be aware that you’re granting consent for org-wide access to the requested information. If you’re happy that the app should have access to this data, click Accept.
When an app has received consent, you’ll see a notice to that effect under Org-wide permissions in the Permissions tab.
Azure AD App Registration
Apps that receive consent are registered with Azure AD. You can find details of all the apps registered in your tenant in the Enterprise applications blade of the Azure AD portal. Figure 3 shows details of an app which received consent through the Teams admin center. You can revoke permissions from an app at any time.
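Consent granted through the Teams admin center ends up as an org-wide OAuth2 permission grant on the app’s service principal in Azure AD, which means it can be audited and revoked from PowerShell as well as from the Enterprise applications blade. The following script is an added example written for this article (it is not code from the post or from Microsoft); it assumes the AzureAD PowerShell module and an administrator session, and it lists every app holding an org-wide delegated grant together with the Graph scopes that grant covers.

```powershell
# Added example: audit org-wide (admin-consented) delegated permission grants
# so consents given in the Teams admin center can be reviewed and, if needed, revoked.
# Assumes the AzureAD module and a session with rights to read service principals.
Connect-AzureAD | Out-Null

# ConsentType 'AllPrincipals' marks a grant made on behalf of the whole organization,
# which is what the "Review permissions and consent" flow in the Teams admin center creates.
$grants = Get-AzureADOAuth2PermissionGrant -All $true |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' }

$report = foreach ($grant in $grants) {
    # ClientId is the object id of the consuming app's service principal,
    # ResourceId that of the API it was granted access to (e.g. Microsoft Graph).
    $app      = Get-AzureADServicePrincipal -ObjectId $grant.ClientId
    $resource = Get-AzureADServicePrincipal -ObjectId $grant.ResourceId

    # Scope is a space-separated list of delegated permissions; emit one row per scope.
    foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
        [PSCustomObject]@{
            App        = $app.DisplayName
            Publisher  = $app.PublisherName
            Resource   = $resource.DisplayName
            Permission = $scope
            # Write, delete and ".All" scopes deserve a second look: an app that only
            # needs to work inside specific teams should not hold tenant-wide write access.
            HighImpact = [bool]($scope -match 'ReadWrite|Write|Delete|\.All$')
            GrantId    = $grant.ObjectId
        }
    }
}

$report | Sort-Object App, Permission | Format-Table -AutoSize

# Revoking a grant that should not exist is the PowerShell equivalent of removing the
# permission in the Enterprise applications blade. Supply the GrantId from the report:
# Remove-AzureADOAuth2PermissionGrant -ObjectId '<GrantId from the report above>'
```

Run the report periodically, or after a round of consents in the admin center, and compare it with the list of apps you expect to hold org-wide permissions; a grant for a publisher nobody recognizes, or a HighImpact scope on an app that only needs to read data, is the kind of thing this check is meant to surface.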
Resource Specific Consent
Office 365 notification MC218561 was announced in July (Microsoft 365 roadmap item 56605) to say that team owners could give consent to apps to access data in the teams they managed. This feature is known as resource-specific consent (RSC) because the consent is limited to permissions for a specific resource (a group/team). Limiting the scope of the permissions assigned to an app to what it needs to function instead of giving it org-wide access makes a heap of sense.
Now fully deployed across Office 365, RSC is a Teams feature controlling access to team settings, channels, messages, apps, tabs, and membership. It depends on the tenant settings in the Consent and Permissions section of the Enterprise applications blade in the Azure AD portal (Figure 4). See this page for more information.
The ability to give resource-specific consent can be limited to a set of team owners rather than all team owners in the tenant.
Some apps don’t need access to data drawn from across the tenant and only need permissions to interact with specific Teams objects from the set supported by RSC (Figure 5).
You’ll recognize these apps because the RSC permissions they need are listed in the permissions tab of the app details. In Figure 6 we can see that the app needs to read a team’s settings, membership, and messages and create channels.
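The RSC permissions shown in the Permissions tab come from the app’s manifest, so an owner (or an admin vetting an app before it reaches the store) can see exactly what a team-scoped app will be able to do before installing it. The script below is an added example for this article, not code from the post or from any app vendor: it parses a manifest constructed for the example and reports each requested RSC permission, flagging whether it is team-scoped and whether it is read-only. The property path webApplicationInfo.applicationPermissions follows the Teams app manifest schema (v1.6 and later) as the editor understands it, and the app id and resource value are placeholders.

```powershell
# Added example: list the resource-specific consent (RSC) permissions a Teams app
# manifest requests, matching the set shown in the admin center's Permissions tab.
# The manifest below is constructed for this example; ids are placeholders.
$manifestJson = @'
{
  "manifestVersion": "1.7",
  "id": "00000000-0000-0000-0000-000000000000",
  "name": { "short": "Example RSC App" },
  "webApplicationInfo": {
    "id": "00000000-0000-0000-0000-000000000000",
    "resource": "https://example.invalid/placeholder",
    "applicationPermissions": [
      "TeamSettings.Read.Group",
      "Member.Read.Group",
      "ChannelMessage.Read.Group",
      "Channel.Create.Group"
    ]
  }
}
'@

function Get-RscPermissionReport {
    param([Parameter(Mandatory)][string]$ManifestJson)

    $manifest    = $ManifestJson | ConvertFrom-Json
    $permissions = @($manifest.webApplicationInfo.applicationPermissions)

    foreach ($permission in $permissions) {
        # RSC permission names take the form <Resource>.<Action>.Group. The trailing
        # ".Group" is what ties the permission to the team the app is installed in;
        # a name without it would be an ordinary org-wide Graph scope, not RSC.
        $parts = $permission -split '\.'
        [PSCustomObject]@{
            Permission = $permission
            Resource   = $parts[0]
            Action     = $parts[1]
            TeamScoped = ($parts[-1] -eq 'Group')
            # Read-only actions are the low-risk end; anything that creates, changes
            # or deletes team content merits a deliberate decision by the owner.
            ReadOnly   = ($parts[1] -eq 'Read')
        }
    }
}

Get-RscPermissionReport -ManifestJson $manifestJson | Format-Table -AutoSize
```

For the constructed manifest the report shows three read-only, team-scoped permissions (team settings, membership, channel messages) and one that is not read-only, Channel.Create.Group, which is the same mix described for the app in Figure 6. Pointing the function at a real manifest.json taken from an app package gives the owner the same view before consent is granted rather than after.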
Add App to a Team
The last feature allows Teams admins to add apps to target teams to avoid the need for team owners to install the apps. This is a preview feature that only works for apps designed to be installed within a team (normally accessed via a channel tab). By comparison, Teams app setup policies allow organizations to make apps available to users on a personal basis to use via the app navigation bar.
If you see that an app has “team” included in its capabilities listed under the About tab, you know it supports team scope. Template Chooser, Trello (Figure 7), and Zoho CRM are examples of apps with team scope.
To install an app into a team, select the app in the Manage Apps screen and then choose Add to team. You can then select the team to install the app into (Figure 8).
For more information, see the Teams documentation.
More Information About Apps
Given the growing number of apps in the Teams app store (760 as I write this), it’s obvious that a solid management framework is needed to control third-party apps, especially in how these apps use the Microsoft Graph to access data. The implementation of permission management is solid and is a very useful addition to the Teams admin center.
For more information about app permissions, consent, and RSC, view the Ignite session about Navigating the Microsoft Teams App Lifecycle (app permissions and consent are covered from about 34:20 in the video).
Managing Teams is what Chapter 12 of the Office 365 for IT Pros eBook is all about. You’ll find lots more interesting and useful information in Chapter 12 and all the other chapters of the book.