This week I had an aha moment and some fun with the side effects of the Microsoft Teams app permission policy. The customer had disabled third-party apps and allowed only a few Microsoft apps. For testing purposes, the customer created a user-based app permission policy, allowed some third-party apps in this policy and assigned it to a few specific user accounts. With one of these users, we started to create a new private team, which was to be converted to an org-wide team afterwards. During testing we saw some interesting side effects of this arrangement of Microsoft Teams app permission policies, and it took some time to find the root cause. So I would like to share it with you in this blog post.
In the first instance, the customer wanted to build an org-wide team for the whole organization as a self-learning portal and communication platform for Microsoft 365 services. We created a private team, built the different channels and the tabs within the channels, and customized the settings. Once the team is customized perfectly, it will be converted to an org-wide team.
The advantage of doing it this way is obvious: you can build the team first, present it to some specific users and do some testing before opening it to the whole company. In this case it was more than justified to proceed this way.
We implemented Microsoft 365 learning pathways as the self-learning portal and wanted to add a website tab to the General channel linking to the training portal. To do so, we logged into Microsoft Teams with the user account Rainer Zufall, created the private team and added a new tab to the General channel. As the app type we chose Website, to publish the self-learning website hosted in SharePoint Online.
The customer had decided to disable the normal way for end users to create new teams by means of the Office 365 Group lockdown mechanism. We implemented a solution based on Azure Runbooks, Microsoft Forms and SharePoint Online to give users a more guided way to create new teams. A user can request a new team through a Microsoft Forms form, and the team is created automatically in the background based on naming rules, templates and so on. To publish this form, we added another Website tab with the URL of the Microsoft Forms form. As the last step we removed the Wiki tab.
In the next step, we added some pilot users to the future org-wide team and asked the user Mira Belle to test all the functions. After a few minutes we got the first feedback: Which functions? No tabs are visible; only the default tabs are present. We did a remote session and could not believe what we saw: the added tabs were missing.
Clicking on the “A user added a new tab to this channel” message gave us a notification that Mira Belle had no permission to use this app.
Troubleshooting and side effects by Microsoft Teams app permission policy
As you can imagine, this scenario was not easy to troubleshoot, especially since we used a German UI and Microsoft's translation was not the best. Why were the new tabs not visible to the end user? We cleared the local cache, used the Microsoft Teams web client and did some further analysis, without any useful results: the tabs stayed hidden. So we added a new tab to the channel in the context of Mira Belle. When the assistant came up asking for the app type, the cause began to become clearer: the selection of apps offered to Mira Belle was limited compared to that of the team owner, Rainer Zufall. Why?
We opened the Teams admin center and checked the user and app permission settings. There I saw that the Global app permission policy had been modified and new ones had been created by the customer. The Global policy disables all third-party apps for users. For testing purposes, the customer had created a new policy that allows some third-party apps, such as the Website app.
And guess what? Of course, the user we used to create the team initially had the testing policy assigned. That's why Rainer Zufall was able to add the Website tab and has access to it.
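The check we did by hand in the Teams admin center can also be done from PowerShell, which makes it easier to compare two users side by side. The following script is an added example and not part of the original post or of any Microsoft sample: it assumes the MicrosoftTeams PowerShell module is installed, that the two user principal names and the app ID are placeholders you replace with your own, and that the cmdlets Get-CsOnlineUser, Get-CsUserPolicyAssignment and Get-CsTeamsAppPermissionPolicy are available in your tenant. It reports which app permission policy is effective for each user (an empty assignment means the Global policy applies), whether the assignment is direct or via a group, and whether a given app ID is available under that policy's third-party catalog setting.

```powershell
# Added example (not from the original post): compare the effective Teams app
# permission policy of two users and test whether one app is available to them.
# Assumptions: MicrosoftTeams module installed; UPNs and app ID below are placeholders.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

$users = @('rainer.zufall@contoso.example', 'mira.belle@contoso.example')   # placeholders
$appIdToCheck = '00000000-0000-0000-0000-000000000000'                        # placeholder app ID

function Test-AppAllowedInCatalog {
    # Decides availability from the policy's list type: an AllowedAppList only
    # permits listed apps, a BlockedAppList permits everything except listed apps.
    param([string]$ListType, [object[]]$AppList, [string]$AppId)
    $listed = @($AppList | ForEach-Object { $_.Id }) -contains $AppId
    switch ($ListType) {
        'AllowedAppList' { return $listed }
        'BlockedAppList' { return -not $listed }
        default          { return $false }   # unknown mode: treat as not available
    }
}

foreach ($upn in $users) {
    $u = Get-CsOnlineUser -Identity $upn
    # An empty TeamsAppPermissionPolicy means no custom policy: Global applies
    $policyName = if ($u.TeamsAppPermissionPolicy) { $u.TeamsAppPermissionPolicy } else { 'Global' }

    # Shows whether a custom policy was assigned directly or through a group
    $assignment = Get-CsUserPolicyAssignment -Identity $upn -PolicyType TeamsAppPermissionPolicy
    $source = @($assignment.PolicySource | ForEach-Object { $_.AssignmentType }) -join ','

    $policy = Get-CsTeamsAppPermissionPolicy -Identity $policyName

    [pscustomobject]@{
        User               = $upn
        EffectivePolicy    = $policyName
        AssignmentSource   = if ($source) { $source } else { 'none (Global)' }
        MicrosoftAppsMode  = $policy.DefaultCatalogAppsType    # Microsoft apps
        ThirdPartyAppsMode = $policy.GlobalCatalogAppsType     # third-party apps
        CustomAppsMode     = $policy.PrivateCatalogAppsType    # custom (LOB) apps
        ThirdPartyAppList  = (@($policy.GlobalCatalogApps | ForEach-Object { $_.Id }) -join ',')
        AppAvailable       = Test-AppAllowedInCatalog -ListType $policy.GlobalCatalogAppsType `
                                                      -AppList $policy.GlobalCatalogApps `
                                                      -AppId $appIdToCheck
    }
}
```

Running this for the team owner and the pilot user makes the mismatch visible in one table: the owner shows the testing policy, the pilot user shows Global with the third-party catalog in blocking mode, and AppAvailable differs between them. The script is read-only; the actual change (allowing the app in the Global policy) is still made in the Teams admin center as described in the post, and, as noted further down, it can take some hours before the client reflects it.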
It looks like the app permission policy does not only prevent adding new apps to a team. It also hides third-party apps from users who do not have permission for them. In the Microsoft Docs article, Microsoft writes that “you can use app permission policies to control what apps are available to Microsoft Teams users in your organization”.
But for me it was totally new that I can also control with this app permission policy whether a tab is visible to a user or not. Of course, I can only disable apps in general, but it can still be useful in one scenario or another.
After we found the root cause for this behavior, we did some cross-checks. We re-enabled the Website app in the Global policy. After a few hours of waiting, Mira Belle logged out and in again and, voilà, the tabs were visible. So, in the end, some nice side effects of the Microsoft Teams app permission policy.