Forum Discussion
Solved
App Setup Policy - Assign to a group
Hey guys, I am confused a little bit - I could not found any solutions to assign a "app setup policy" to a AAD group. I just found under "meeting policies" - the tab "group policy assignment" this ...
Hi,
I've not tested to assign the App Setup policy with to a group but it should be possible with PowerShell.
New-CsGroupPolicyAssignment (MicrosoftTeamsPowerShell) | Microsoft Docs
ex. New-CsGroupPolicyAssignment -GroupId salesdepartment@contoso.com -PolicyType TeamsAppSetupPolicy -PolicyName AppPolicyName
Hopefully TeamsAppPermissionPolicy gets added to that list soon. TeamsAppSetupPolicy is a bit useless without it for those of us who lock down access to apps for one reason or another.
Hi David, it seems as if you can use New-CsBatchPolicyAssignmentOperation instead where it is included https://docs.microsoft.com/en-us/powershell/module/teams/new-csbatchpolicyassignmentoperation?view=teams-ps
- The only problem with this is it still seems like it still creates a scenario where we have to micro-manage this if the "allowed" user base expands for whatever reason....
I'm running into this right now....we use a "resource access group" model for managing users access to a variety of software and services (including scopiing access for pilot testing things like using newly requested "Teams apps") ....it seems the only way to limit this right now is per user.
So even with the cmdlet mentioned above it seems the only solution would be to write a script where I could take a Group I have, grab the members from it, then recursively run the cmdlet for each member.
*BUT* - what if the project team testing this app/tool then onboards a new user and they now need the same permissions as their peers....or the "pilot group" expands to a different (larger) phase?
At that point....the group membership changes aren't picked up by the App Permission Policy - so once again someone has to rerun the script against the group to add the new members (and *know* they had to do this where they've not had to do this for any other dozens/hundreds of software/services they've been managing access for)
Just seems very strange this is not an option - I mean I know *many* organizations are out there that are pretty "open" in this regard with Teams App Permissions....but there *are* organizations out there that tend to have very strict software use policies and need to vet things in smaller control groups before releasing it to the masses......
And this is not only for security reasons but simple "supportability" - with "smaller to medium" size orgs (or large orgs with small IT Support Depts)....it may become a bit challenging if the support desk is bombarded with a ton of requests for support/guidance on using apps they had no idea were being used in the environment or had ever seen before....get enough of those going at once and you've could potentially have created a support bottleneck that is a bit challenging to swiftly "unplug".....
