App permission policies – Office 365 for IT Pros https://office365itpros.com Mastering Office 365 and Microsoft 365 Mon, 29 Jul 2024 19:53:37 +0000 en-US hourly 1 https://i0.wp.com/office365itpros.com/wp-content/uploads/2024/06/cropped-Office-365-for-IT-Pros-2025-Edition-500-px.jpg?fit=32%2C32&ssl=1 App permission policies – Office 365 for IT Pros https://office365itpros.com 32 32 150103932 Teams App-Centric Management (ACM) https://office365itpros.com/2024/07/31/teams-acm/?utm_source=rss&utm_medium=rss&utm_campaign=teams-acm https://office365itpros.com/2024/07/31/teams-acm/#comments Wed, 31 Jul 2024 07:00:00 +0000 https://office365itpros.com/?p=65791

Teams ACM Makes It Easier to Manage Access to Teams Apps

Over the years, I have become accustomed to using app permission policies to control access to Teams apps. Now a new sheriff is in town and App-centric management (ACM) is the replacement for app permissions policies.

ACM means that apps store a permission list to say who can use the app. The permission can be:

  • Everyone: The app is available to anyone in the organization, including guests.
  • Specific users or groups: The app is available only to selected users (including guests) and groups. The groups can be Microsoft 365 groups, security groups, dynamic groups, and distribution lists.
  • No one: The app is blocked to everyone in the organization.

Microsoft says that ACM simplifies the app management process because administrators no longer need to edit (or create) an app permission policy and assign the policy to users to allow the users to install apps. Instead, an administrator select the target app in the Teams admin center (Figure 1) and edit the availability for the app to whatever permission should apply.

Teams apps.
Figure 1: Teams apps

Getting to Teams ACM

Moving from app permission policies to ACM is a one-time, non-reversable migration run by invoking a wizard in the Teams admin center. You can pause the migration at any time but will eventually have to let it run to completion (Figure 2). During this process, the wizard checks the app permission policies currently defined in the tenant and updates the apps specified in the policies with equivalent ACM permissions to allow users to continue to access the same set of apps.

Running the wizard to switchover to Teams ACM.
Figure 2: Running the wizard to switchover to Teams ACM

The time required for the migration depends on the number of app permission policies in the tenant and the number of ACM assignments the wizard must make. The tenant completed in just a few minutes in my tenant, but I suspect that it might take much longer in a large tenant.

Once the migration completes, you cannot access app permission policies through the Teams admin center, but you can with cmdlets from the Teams PowerShell module. For example:

Get-CsTeamsAppPermissionPolicy -Identity 'Global'

The apps defined in the policy are listed in the DefaultCatalogApps and GlobalCatalogApps property. To check the permissions assigned by the migration, select any app and use its identifier to find the app name.

Get-TeamsApp -Id 44263ed4-f1ac-4e96-93aa-d24dd50459ea

ExternalId Id                                   DisplayName      DistributionMethod
---------- --                                   -----------      ------------------
           44263ed4-f1ac-4e96-93aa-d24dd50459ea Channel calendar store

Now go to the Teams admin center and check the availability of the app (Figure 3).

Checking the Teams ACM permissions for an app.
Figure 3: Checking the Teams ACM permissions for an app

The transition to ACM is simple and should not cause any problems for tenants. The best thing about the changeover is that it removes one policy from the set required to manage user accounts and that can’t be a bad thing.

Better Permission Visibility for Teams Apps

Teams Apps use Graph permissions to access user and organizational data. The app developer requests consent for the permissions, which then need an administrator to grant consent.

Details of permissions are available in app properties. However, the presentation of their details has been a tad obscure in the past. Microsoft introduced a change earlier this year (MC713370) to do a better job of highlighting the permissions and the data that the permissions allow access to. For instance, the Teams channel calendar app can use the permissions shown in Figure 4. The text is deliberately geared for humans to understand.

Graph permissions consented for the Teams channel calendar app.
Figure 4: Graph permissions consented for the Teams channel calendar app

Figure 4 covers an app that has been granted consent. Figure 5 shows the increased level of detail available to an administrator before they grant consent to an app.

Graph permissions requested by a Teams app.
Figure 5: Graph permissions requested by a Teams app

Of course, to fully comprehend what data the app is asking to be allowed access, administrators still need to understand Graph permissions and the differences between delegated and app permissions. But at least the information is there and presented in a way that makes it easy to look up a permission to check it out.

Small But Important Changes for Teams App Management

With over 2,500 apps available in the Teams app store, it’s important that every detail of managing apps is as simple and precise as possible. Changes like the changeover to ACM and better presentation of Graph permissions might seem small in the overall scheme, but they really make a difference, and that’s what counts.


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

]]>
https://office365itpros.com/2024/07/31/teams-acm/feed/ 6 65791