How to manage Teams Apps permissions and policies

Teams application

Microsoft Teams apps enhance the user experience. They provide seamless access to third-party Office 365 apps and custom apps you’ve developed yourself. These apps play a key role in enabling users to continue working seamlessly without leaving Teams.

But there are hundreds of apps available in the Teams app store, making it difficult for decision-makers and administrators to determine which apps are beneficial for their organization.

Fortunately, the Teams admin center provides the app-specific data you need to make a decision. This article helps you navigate the Teams admin center. It explores the different app types available and provides details on permission, configuration, and element policies. This includes resource-specific consent, which is essential for effectively managing your organization’s Teams apps.

Types of applications

Three types of apps integrate with Teams:

Part One: These are created and published by Microsoft, and include familiar apps like Forms, OneNote, Stream, and others like Bing News, Power Automate, Dynamics 365, and more.
ISVs: Many ISVs publish apps for Teams, and you’ll find the vast majority of them in the Teams app store.
Custom: Custom applications are unique to your organization; they are built and used specifically to meet the business needs of users.

The Microsoft Teams admin center allows administrators to review the apps available to the organization. Using the “Manage apps” page, you can interact with the apps. This allows you to block, enable, or release apps to users through configuration policies.

Administrators can also customize or modify the properties of certain applications. This is done based on business needs, such as changing the icon color or name to align with the organization’s brand. Additionally, custom policies and settings allow administrators to tailor the application experience to specific users.

Application Review and Licensing

Third-party apps in Teams raise concerns about data, privacy, and the type of permissions the app has. Fortunately, you can find all this information directly in the Teams admin center. This will help you understand and review the apps you’re considering.

You can select an application in the “Manage Applications” section. And also view the description, terms of use, permissions, certifications:

How to Manage Teams Apps Permissions and Policies — *Figure 1: Information about Decisions in Teams Admin Center* .

You can install some Teams apps for free. However, a subscription is usually required to access all the app’s features. A paid subscription is often required after free trial periods for some third-party apps. These subscriptions are available through AppSource, and some are available through the Microsoft Teams admin center.

Teams Apps Permission Policies

Once you’ve chosen the apps you want to use, you can control how those apps are presented to users. First, make sure your organization’s settings are compatible with allowing third-party apps. This will allow you to control the installation of these apps. If you’re using custom apps, make sure to enable this setting:

In permission policies, you can create a policy for the entire organization or for a group of users that allows only certain applications and blocks all others. In Figure 3, the administrator has decided to allow two third-party applications for the organization:

These policies allow you to control which applications can be available in your organization. This ensures that users install the applications they need to perform their duties.

Application Configuration Policies

Admins can use app configuration policies to install and pin apps to the app bar. This encourages the use of selected apps and allows or prevents users from downloading custom apps in Teams. An app configuration policy can apply to all users in the organization or to a group of users.

In Figure 4, the administrator updates the global application configuration policy. The global application configuration policy applies to all users. Unless a different application configuration policy affects a particular user account:

The Custom App setting determines whether a user can upload a custom app to Teams. Apps can be used on mobile devices. However, the user must be on their desktop to add them to Teams. Enabling this setting allows custom apps to be deployed using tools such as Power Virtual Agents or PowerApps. This is done without having to submit the app to the Teams app store.

Installed apps are installed by default so they are easily available in the Teams client. In Figure 4, the administrator adds Polly and Decisions, so a user can then add them to Teams.

Pinned apps allow you to customize the Teams app bar for your users. You can change the order of apps and even add your own custom app or third-party apps (Figure 5):

How to manage permissions — *Figure 5: Pinned Apps in Setup Policies* .

Pinning an app helps promote the app within your organization. The app becomes visible in the app tray (Figure 6). It may take a few hours for the app to appear as clients refresh their cache:

Global admins can grant permissions to apps on behalf of all users in the Teams admin center. This allows users to launch the app without having to review and accept permissions. Some users may not be allowed to accept permissions for apps. This is especially true if you have configured consent settings in Azure Active Directory:

Apps may ask for permission

to read information stored in a team,
to read a user’s profile,
to send email on behalf of users.

Review the permissions to see exactly what data you’re allowing the app to access. And accept if you’re happy with the level of access required. Some apps may request permissions they don’t use, so it’s worth checking out the Microsoft App Governance add-on. This provides detailed information about the app, including comprehensive metadata.

If you’re looking for a more granular way to specify application permissions, consider resource-specific consent. Resource-specific consent allows team owners to consent to an application’s access to data. This is because RSC allows owners to consent instead of just admins. This is because the permission scope applies to that team only.

This is useful because admins can’t determine whether an app should have access to a team’s data. It also saves admins time, as they don’t have to review every app requested by the organization. However, you should be aware that not all apps support the RSC model. Therefore, before considering the RSC model to authorize your apps, make sure it’s acceptable.

RSC permissions are configured under Enterprise Applications in the Azure AD admin center. The “Enable group-specific consent” setting must be enabled to allow users to consent to applications. You can find it under Enterprise Applications > Consent and permissions > User consent settings (Figure 8):

While granular permissions in RSC aren’t Azure AD permissions, they’re more specific to Teams. Still, it’s helpful to familiarize yourself with the Azure AD app consent user experience. You can manage apps for your organization and develop apps with a more unified consent experience.

Conclusion

Given evolving needs, you’ll inevitably end up using a combination of apps within Microsoft Teams. To achieve this, it’s important to have a firm grasp of policies, pricing, and consent settings. This ensures users have access to the apps they need to collaborate and produce quality work.

Teams