Microsoft Teams App Management
Before launching Microsoft Teams in their organization, companies should think about Microsoft Teams App Management and how they want to handle the internal app store. Based on what we hear from our clients, without a plan, sooner or later concerns will grow and management will start to ask:
- Which apps are installed, and who is using which Teams tool?
- Are we protected from data loss? Could external apps cause security leaks?
- Is our use of apps compliant with GDPR? Do these apps use EU or US data centers?
- Which apps are useful at all, and which are installed but not used?
- Should we maybe disable all access to the app store?
- Can and should we track our employees’ use of external apps? Do we have the capacity to control this?
- In short: How can we manage Teams apps?
Our own experience shows that these concerns are definitely justified. Our apps are available in the Teams app store, and we’re often contacted by people who downloaded them without the knowledge of their organization.
Microsoft Teams App Management Options
In the Microsoft Teams Admin Center at https://admin.teams.microsoft.com you have several options for improving your app governance in Microsoft Teams.
1. Manage Teams apps
Under the Teams apps / Manage apps menu option, you can allow or block apps for your organization. In the main view, you have to do this individually for each of the 1,130+ apps.
The org-wide settings for apps are also found here. You could, for example, block all third-party apps. A new option is that you can also block all new third-party apps published to the store.
Of course, blocking or allowing all third-party apps will probably not be the best solution for you. In most cases, the best way is some kind of mix, which is what a governance strategy is for.
2. App Permission Policies
After you have selected which apps to allow, you can then create app permission policies for individual users. For a deep dive into Microsoft Teams app permission policies, check out our blog post. One possible implementation is to block all third-party apps but create a whitelist of specific apps that remain allowed.
3. App Setup policies – pre-install apps in MS Teams
Another option is to create app setup policies. Here you can add apps that will always be installed for all users in your organization.
4. Customize app store in Microsoft Teams
The fourth and last option in this menu allows you to customize the Teams app store with cosmetic adjustments: change the logo, background image or text color. There are no options for making the store more secure, however.
5. Usage reports of apps in MS Teams
To find out more about how your users work with apps in MS Teams, go to Analytics & Reports / Usage reports.
In the usage reports, you can select “Apps usage” to show the use of apps in Teams. With this feature, you can discover which apps are not used at all and should be uninstalled.
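One way to act on such a report, as an added example that is not part of the original article: the script cross-checks a usage export against the organization's allowlist and lists third-party apps that are unused and apps that are in use without approval. The CSV columns, app names and the 90-day threshold are constructed assumptions, not the actual export format of the Teams admin center.

```python
import csv
import io
from datetime import date

# Constructed sample data; the column names are assumptions for this example,
# not the real export format of the Teams admin center.
SAMPLE_USAGE_CSV = """app_name,publisher_type,active_users,last_used
Planner,microsoft,120,2024-05-28
ExampleTasks,third_party,45,2024-05-30
ExamplePolls,third_party,0,2023-11-02
ExampleNotes,third_party,3,2024-05-20
ExampleCRM,third_party,0,
"""

# Third-party apps explicitly approved by the organization (constructed).
ALLOWLIST = {"ExampleTasks", "ExamplePolls", "ExampleCRM"}


def review_apps(usage_csv, allowlist, today, stale_days=90):
    """Return (unused, unapproved) lists of third-party app names.

    unused:     apps with no active users or no use within stale_days
    unapproved: apps with recent active users that are not on the allowlist
    """
    unused, unapproved = [], []
    for row in csv.DictReader(io.StringIO(usage_csv)):
        if row["publisher_type"] != "third_party":
            continue  # first-party apps are not part of this review
        name = row["app_name"]
        active = int(row["active_users"] or 0)
        # An empty last_used field is treated as "never used".
        last = date.fromisoformat(row["last_used"]) if row["last_used"] else None
        stale = last is None or (today - last).days > stale_days
        if active == 0 or stale:
            unused.append(name)
        elif name not in allowlist:
            unapproved.append(name)
    return sorted(unused), sorted(unapproved)


if __name__ == "__main__":
    unused, unapproved = review_apps(SAMPLE_USAGE_CSV, ALLOWLIST, date(2024, 6, 1))
    print("Candidates for removal (unused):", unused)
    print("In use but not on the allowlist:", unapproved)
```

Apps on the allowlist can still land in the unused list, which is the case the article calls “app corpses”: approved once, no longer used, still present in the tenant.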
6. App access review for MS Teams with AAD P2
For organizations using Microsoft with Azure Active Directory Premium 2 licenses, there is an advanced option of setting up an app access review. After a certain amount of time specified for each app, administrators are notified and can check whether the app is still in use and needed or can be uninstalled. (Licenses below this tier can control and review app access only manually.)
Advantages of Microsoft Teams app management
With a well-thought-out strategy for managing Teams apps, you can close potential security gaps and gain benefits such as:
- no data leaks via third-party apps
- no unplanned additional costs
- consistent use of apps for specific purposes (e.g. just one specific app for task management)
- no security risks through custom apps
- no unused “app corpses” that still have access to your tenant
- compliance with data protection policies
- no app tests on your production environment
Difficulties with Microsoft Teams app governance
On the other hand, a strict app governance policy in MS Teams poses certain difficulties:
- Your organization is less flexible as users only have access to explicitly allowed apps and not the whole portfolio.
- Tests and security checks to decide if a required app is allowed can be extremely time-consuming.
- After the fact, installed apps can usually no longer be traced back to a user or a purpose.
- Automated app access reviews are only possible with AAD P2 or a third-party app (manual reviews are very time-consuming).
- SaaS applications from other developers are often not privacy or security compliant.
In the end, you will need to carefully weigh all your options for a balanced Microsoft Teams app management strategy and governance policy.