Microsoft Teams App Permission Policy – Guidance & Best Practices for Admins
What is a Teams app permission policy and why is it important?
Microsoft Teams allows users to install various apps: Microsoft’s own apps, third-party apps, or their own company solutions.
Without clear rules, this can quickly lead to problems: uncontrolled app installations, security gaps, lack of compliance, and increasing support costs. This is exactly where app permission policies come in. They determine which apps are allowed in Teams and which are not.
For IT administrators, this means that with the right policies in place, you can prevent shadow IT from developing or sensitive data from ending up in unauthorized apps.
What types of Microsoft Teams Apps are there?
To create useful policies, you need to be familiar with the three categories of Teams apps:
| App type | Description | Examples |
| Microsoft apps | Provided by Microsoft, part of the ecosystem | Planner, OneNote, Viva |
| Third-party apps | External providers, available in the Teams App Store | Asana, Teams Manager, Trello |
| Custom/tenant apps | Developed in-house, or company-specific apps | Line-of-business apps (LoB) |
Why is this important?
Each app category brings its own risks: third-party providers may violate data protection requirements, while LoB apps must be tested and deployed in a controlled manner. App permission policies allow you to control which apps are approved in a granular manner.
You need to have global admin rights or Teams service admin rights in order to create policies to allow or block all these different app types. Once you block a certain app or a whole app type, your users will not be able to download this app from the Teams app store.
Who are app permission policies particularly relevant for?
- For IT administrators responsible for governance and security.
- For compliance teams that have to meet regulatory requirements.
- For companies with 200 or more employees where app usage is difficult to monitor.
Example: In a manufacturing company, employees start using private tools for shift planning. Without a policy, this creates shadow IT. With clear policies, such apps can be blocked and approved alternatives (e.g., a LoB app) can be provided.
How do I work with Teams app permission policies?
To manage the Teams App Permission Policies, go to the Microsoft Teams Admin Center at https://admin.teams.microsoft.com.
In the Teams Admin Center, click on “Teams apps” and select the “Permission Policies” option. From here, you can manage the “Global (Org-wide default)” App Permission Policy as per your requirement, or you can create custom policies for individual users or a certain group of users.
You can see the three types of Teams apps separately available in the App Permission Policy: Microsoft apps, third-party apps and tenant / custom apps.
For each app type, you can make changes and allow or block all apps, allow specific apps and block all others or block specific apps and allow all others.
Note: If you create new org-wide app settings, those will become effective instead of the default global policy or any custom policies.
How do I create a custom Teams app permission policy?
In order to add a new custom Teams app permission policies or to manage existing ones you need to have Teams Service Administrator rights.
Here’s how to create a policy in the Microsoft Teams Admin Center:
- Open the Microsoft Teams admin center
- Click on “Teams apps” in the menu and select -> “Permission policies”
- Click on “+ Add” to create a new policy
- Now, enter the name & description of the new policy (e.g. “Default Policy Sales”)
- For each Teams app type (first-party apps, third-party apps, custom / tenant apps), select if you want to allow all, block all, allow/block specific apps or use Microsoft default settings.
- In order to allow or block specific apps, search for the app name and add it to the Allow / Block list.
- Save.
How can I edit or delete an existing Teams app permission policy?
You can edit your app permission policies as well as the default org-wide policy in the Microsoft Teams admin center.
- Select the desired policy from the menu.
- Click on Edit and make changes.
- Use Delete to remove policies that are no longer needed.
Best practice: Check policies regularly! Especially after Microsoft updates, as new apps may be added.
How do I assign Teams app permission policies to users?
- Open the desired user in the Admin Center under Users.
- Select the Permission Policy app under Policies -> Edit User Policies.
- Save your changes (they may take up to 24 hours).
Scenario: Your company wants to allow all third-party apps for marketing, but only Microsoft apps for accounting. This is easy to do with individual policies for groups or departments.
The changes do not take effect immediately; it can take between 20 minutes and a whole day for them to become active.
What problems can arise with app policies and how can I solve them?
Delayed activation: Changes can take up to 24 hours, so plan accordingly.
User frustration: When actively used apps are suddenly blocked. Solution: Communicate the change in time and provide alternatives.
Exceptions necessary: Some groups need apps that others are not allowed to use. Solution: Multiple policies for different departments.
How does Solutions2Share support you with governance in Microsoft Teams?
App permission policies are managed directly in the Teams Admin Center. But governance in Microsoft Teams encompasses much more: team creation, naming conventions, lifecycle management and the assignment of permissions. This is exactly where Solutions2Share’s Teams Manager comes in.
- Governance by design: Predefined rules ensure clear standards for team creation.
- Automation: Many recurring admin tasks can be mapped automatically.
- Overview: Centralized control of processes related to Teams for more control and less manual effort.
This reduces your daily admin workload, brings structure to Microsoft Teams, and ensures that guidelines are adhered to in the long term.
Book a free demo now and see how Teams Manager simplifies your governance.
Frequently asked questions (FAQ) about app permission policies
How long does it take for a new app policy to become active?
It can take up to 24 hours. So always plan new policies in advance.
Can I create different policies for different departments?
Yes, policies can be tailored to users or groups.
What happens to an installed app if it is blocked?
The app disappears from Teams and users can no longer use it.
What tools help me manage policies on a daily basis?
In addition to the Teams Admin Center, Solutions2Share’s Teams Manager offers advanced control and automation for governance policies.
Is the app permission policy also applied on the mobile Teams app?
Yes, if you have blocked an app in the Teams App Permission Policy, then it will also be blocked on mobile phones. No user will be able to download or use this app.
Can I control Line of Business apps (custom apps / tenant apps)?
Yes, if you have admin rights, then you can easily control the use of any app, including LOB apps.
Can I stop the uploading of custom apps?
Yes, if you want to restrict users from uploading custom apps on Microsoft Teams, then you can block custom apps in the permission policy to keep users from uploading any custom apps.
Which part is affected by permission policies?
The permission policies control and manage the installation, use, and discovery of different apps.
What happens when an app is blocked for the user?
When you block a specific app for a particular individual or an organization, they cannot install, interact, or discover those apps anywhere in the Teams app store. They won’t be able to use any of its capabilities either when you block an app. It is blocked for the entire organization, but you can still choose people you want to allow access to.
When the app is blocked, users won’t be able to do the following:
– Add the app personally
– Chat in the app
– Send messages to the app’s host
– Perform tasks that require the use of the blocked app
– See the app or its tab
Why app permission policies are essential
Without clear rules for apps in Microsoft Teams, you risk security issues, compliance failures, and chaos in app usage.
Policies in the Admin Center give you the control you need, and tools like Teams Manager allow you to further automate governance.
Get a free demo to see how you can better manage many governance issues in Microsoft Teams.
CEO and Governance Expert at Solutions2Share
Christian Groß is a Microsoft Teams governance expert from the very beginning. Over the past 6 years, he has developed 6 Teams apps, founded Solutions2Share, and launched the German-speaking Microsoft 365 conference in Mainz, Germany.
He regularly speaks at international M365 events and supports IT leaders in building scalable governance strategies.
Hallo, vielen Dank für den Beitrag! Kann ich auch irgendwo sehen, welche Mitglieder in der App Permission Policy enthalten sind?
Hallo Christian, ja das können Sie. Gehen Sie dazu einfach auf die einzelne Permission Policy, setzen Sie den Haken und gehen dann auf “Manage Users”. Grüße, Solutions2Share
Hallo Michelle, das ist meiner Auffassung nach nicht korrekt. Ich habe die gleiche Anforderung wie Christian, ich möchte sehen, WER denn eine bestimmte App Permission Policy zugewiesen bekommen hat. Der Punkt ‘Manage Users’ ist nur ein Drop-Down Menü, welches die Punkte ‘Assign Users’ und ‘Bulk unassign users’ enthält. Unter beiden erhält man keine Antwort auf die Frage. Da Microsoft häufig die naheliegendsten Anforderungen nicht erfüllen kann, gehe ich im Moment davon aus, dass es im UI keine Möglichkeit gibt. Falls ich aber den Wald vor lauter Bäumen nicht sehe, freue ich mich über einen Hinweis. Lieben Dank!
Hey Daniel, ich habe auch noch einmal nachgesehen und Sie haben vollkommen recht. Sie können jedoch auf “Manage Users” gehen und rechts über den Filter nach Permission Policies filtern. Folgend sehen Sie dann alle Benutzer, denen die jeweilige Policy zugewiesen wurde. Ich hoffe, das hilft Ihnen weiter!