Forum Discussion
App Setup Policy - Assign to a group
Hi,
I've not tested to assign the App Setup policy with to a group but it should be possible with PowerShell.
New-CsGroupPolicyAssignment (MicrosoftTeamsPowerShell) | Microsoft Docs
ex. New-CsGroupPolicyAssignment -GroupId salesdepartment@contoso.com -PolicyType TeamsAppSetupPolicy -PolicyName AppPolicyName
TheM365Guy Hi, just to add to the above it's also mentioned in the docs.
"Currently, policy assignment to groups using the Microsoft Teams admin center is only available for Teams calling policy, Teams call park policy, Teams policy, Teams live events policy, Teams meeting policy, and Teams messaging policy. For other policy types, use PowerShell."
https://docs.microsoft.com/en-us/microsoftteams/assign-policies#using-the-microsoft-teams-admin-center-2
The type of the policy to be assigned. Possible values:
- CallingLineIdentity
- TeamsAppSetupPolicy
- TeamsCallingPolicy
- TeamsCallParkPolicy
- TeamsChannelsPolicy
- TeamsComplianceRecordingPolicy
- TenantDialPlan
- TeamsEducationAssignmentsAppPolicy
- TeamsMeetingBroadcastPolicy
- TeamsMeetingPolicy
- TeamsMessagingPolicy
- TeamsShiftsPolicy
- TeamsUpdateManagementPolicy
https://docs.microsoft.com/en-us/powershell/module/teams/new-csgrouppolicyassignment?view=teams-ps
- Hi David, it seems as if you can use New-CsBatchPolicyAssignmentOperation instead where it is included https://docs.microsoft.com/en-us/powershell/module/teams/new-csbatchpolicyassignmentoperation?view=teams-ps
- The only problem with this is it still seems like it still creates a scenario where we have to micro-manage this if the "allowed" user base expands for whatever reason....
I'm running into this right now....we use a "resource access group" model for managing users access to a variety of software and services (including scopiing access for pilot testing things like using newly requested "Teams apps") ....it seems the only way to limit this right now is per user.
So even with the cmdlet mentioned above it seems the only solution would be to write a script where I could take a Group I have, grab the members from it, then recursively run the cmdlet for each member.
*BUT* - what if the project team testing this app/tool then onboards a new user and they now need the same permissions as their peers....or the "pilot group" expands to a different (larger) phase?
At that point....the group membership changes aren't picked up by the App Permission Policy - so once again someone has to rerun the script against the group to add the new members (and *know* they had to do this where they've not had to do this for any other dozens/hundreds of software/services they've been managing access for)
Just seems very strange this is not an option - I mean I know *many* organizations are out there that are pretty "open" in this regard with Teams App Permissions....but there *are* organizations out there that tend to have very strict software use policies and need to vet things in smaller control groups before releasing it to the masses......
And this is not only for security reasons but simple "supportability" - with "smaller to medium" size orgs (or large orgs with small IT Support Depts)....it may become a bit challenging if the support desk is bombarded with a ton of requests for support/guidance on using apps they had no idea were being used in the environment or had ever seen before....get enough of those going at once and you've could potentially have created a support bottleneck that is a bit challenging to swiftly "unplug".....
