Get Control Over Your Microsoft Teams App Permission Policy
Why You Need a Teams App Permission Policy
The primary purpose of having a Teams App Permission Policy is to allow or block specific apps. It defines what apps your users or your organization can use.
Types of Teams Apps
There are three types of apps for Microsoft Teams:
- First-party apps by Microsoft
- Third-party apps
- Custom or Tenant apps
You need to have global admin rights or Teams service admin rights in order to create policies to allow or block all these different app types. Once you block a certain app or a whole app type, your users will not be able to download this app from the Teams app store. You can easily manage these policies if you have the respective admin rights.
How To Manage Teams App Permission Policies
To manage the Teams App Permission Policies, go to the Microsoft Teams Admin Center at https://admin.teams.microsoft.com.
(Alternatively, you can also get there by opening office.com, selecting “Admin”, then “Show All” on the left and clicking on “Teams”.)
In the Teams Admin Center, click on “Teams apps” and select the “Permission Policies” option. From here, you can manage the “Global (Org-wide default)” App Permission Policy as per your requirement, or you can create custom policies for individual users or a certain group of users.
You can see the three types of Teams apps separately available in the App Permission Policy: Microsoft apps, third-party apps and tenant / custom apps.
For each app type, you can make changes and allow or block all apps, allow specific apps and block all others or block specific apps and allow all others.
Note: If you create new org-wide app settings, those will become effective instead of the default global policy or any custom policies.
Adding A Custom Teams App Permission Policy
In order to add new custom Teams app permission policies or to manage existing ones you need to have Teams Service Administrator rights. Here is how you can create a new custom app permission policy:
- Open the Microsoft Teams admin center, go to “Teams apps” and select the “Permission policies” option
- Click on “+ Add”
- Now, enter the name & description of the new policy
- For each Teams app type (first-party apps, third-party apps, custom / tenant apps), select if you want to allow all, block all, or allow/block specific apps. In order to allow or block specific apps, simply search for the app name and add it to the allowed / blocked list.
Once it’s done, click on “Save” to create your custom App Permission Policy.
Editing a Teams App Permission Policy
You can also edit your app permission policies as well as the default org-wide policy in the Microsoft Teams admin center.
Again, select “Teams apps” in the admin center menu and go to “Permission policies”. Then, select the Policy you want to edit by either clicking on its name or by placing a checkmark to the left of its name and then clicking on “Edit” in the menu bar above the policies. Now, block or allow any app type or specific apps as explained above. Once you are finished, click on “Save” to update the app permission policy.
Applying Teams App Permission Policies
You can apply the App Permission Policies in the Teams admin center either under “Permission policies” or under “Users”.
Under “Permission Policies”
- Click to the left of the policy’s name that you want to apply in order to select it
- Click on “Manage users” in the menu bar
- Enter the user name you want to apply this policy to, and click on add. You need to repeat this for each user individually.
- Once it’s done, click on “Apply”.
The changes do not take effect at once; they may take anything between 20 minutes and a full day to become active.
In the Users section, select the user you want to apply the policy to.
- Go to the “Policies” tab.
- At Assigned policies, click on “Edit”.
- The Edit User Policies menu will open. Under “App permission policy”, select the custom app policy you created earlier.
- To save your change, click “Apply”.
Frequently Asked Questions
Q: Is the App Permission Policy also applied on the mobile Teams app?
A: Yes, if you have blocked an app in the Teams App Permission Policy, then it will also be blocked on mobile phones. No user will be able to download or use this app.
Q: Can I also control Line of Business apps (custom apps / tenant apps)?
A: Yes, if you have admin rights, then you can easily control the use of any app, including LOB apps.
Q: Can I stop the uploading of custom apps?
A: Yes, if you want to restrict users from uploading custom apps on Microsoft Teams, then you can block custom apps in the permission policy to keep users from uploading any custom apps.
Q: Which part is affected by permission policies?
A: The permission policies control and manage the installation, use, and discovery of different apps.
Q: What happens when an app is blocked for the user?
A: When you block a specific app for a particular individual or an organization, they cannot install, interact, or discover those apps anywhere in the Teams app store. They won’t be able to use any of its capabilities either when you block an app. It is blocked for the entire organization, but you can still choose people you want to allow access to.
When the app is blocked, users won’t be able to do the following:
- Add the app personally
- Chat in the app
- Send messages to the app’s host
- Perform tasks that require the use of the blocked app
- See the app or its tab
Do you want to do more to protect your Microsoft Teams environment? Have a look at our External User Manager for managing and controlling guest users, and at our Teams Manager for teams templates, lifecycles and naming conventions.