App Setup Policy - Assign to a group


Hey guys, 

I am confused a little bit - I could not found any solutions to assign a "app setup policy" to a AAD group. I just found under "meeting policies" - the tab "group policy assignment" this is also well documented. Actually I working with a workaround - with powershell and the azure and the teams module. 


Is this still in work? Because when I verify a user - I can also see that the policy is then direct attached, but there is also the information "attached from group". But this is not working, or is there any documentation out there for this? 

7 Replies
best response confirmed by TheM365Guy (Contributor)



I've not tested to assign the App Setup policy with to a group but it should be possible with PowerShell.

New-CsGroupPolicyAssignment (MicrosoftTeamsPowerShell) | Microsoft Docs


ex. New-CsGroupPolicyAssignment -GroupId -PolicyType TeamsAppSetupPolicy -PolicyName AppPolicyName

@TheM365Guy Hi, just to add to the above it's also mentioned in the docs.


"Currently, policy assignment to groups using the Microsoft Teams admin center is only available for Teams calling policy, Teams call park policy, Teams policy, Teams live events policy, Teams meeting policy, and Teams messaging policy. For other policy types, use PowerShell." 



The type of the policy to be assigned. Possible values:

  • CallingLineIdentity
  • TeamsAppSetupPolicy
  • TeamsCallingPolicy
  • TeamsCallParkPolicy
  • TeamsChannelsPolicy
  • TeamsComplianceRecordingPolicy
  • TenantDialPlan
  • TeamsEducationAssignmentsAppPolicy
  • TeamsMeetingBroadcastPolicy
  • TeamsMeetingPolicy
  • TeamsMessagingPolicy
  • TeamsShiftsPolicy
  • TeamsUpdateManagementPolicy 



This was my problem! I searched for the "policytype" and I could not found this information :) "TeamsAppSetupPolicy" - thanks to you!!!


What I did in Powershell was 

New-CsGroupPolicyAssignment -GroupId acb3174d-669c-4cc0-9d97-5844f7b9fcb8 -PolicyType TeamsAppSetupPolicy -PolicyName DigipleinMedewerkers
but I get an error and I don't know what to do with that. Do you have an idea?
[21-5 11:58] Martin van der Harst
New-CsGroupPolicyAssignment : One or more errors.At line:1 char:1+ New-CsGroupPolicyAssignment -GroupId acb3174d-669c-4cc0-9d97-5844f7b9 ...+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    + CategoryInfo          : NotSpecified: (:) [New-CsGroupPolicyAssignment_NewExpanded], CmdletInvocationException    + FullyQualifiedErrorId : Microsoft.Teams.ConfigAPI.Cmdlets.Generated.Cmdlets.NewCsGroupPolicyAssignment_NewExpanded
Hopefully TeamsAppPermissionPolicy gets added to that list soon. TeamsAppSetupPolicy is a bit useless without it for those of us who lock down access to apps for one reason or another.
Hi David, it seems as if you can use New-CsBatchPolicyAssignmentOperation instead where it is included
The only problem with this is it still seems like it still creates a scenario where we have to micro-manage this if the "allowed" user base expands for whatever reason....

I'm running into this right now....we use a "resource access group" model for managing users access to a variety of software and services (including scopiing access for pilot testing things like using newly requested "Teams apps") seems the only way to limit this right now is per user.

So even with the cmdlet mentioned above it seems the only solution would be to write a script where I could take a Group I have, grab the members from it, then recursively run the cmdlet for each member.

*BUT* - what if the project team testing this app/tool then onboards a new user and they now need the same permissions as their peers....or the "pilot group" expands to a different (larger) phase?

At that point....the group membership changes aren't picked up by the App Permission Policy - so once again someone has to rerun the script against the group to add the new members (and *know* they had to do this where they've not had to do this for any other dozens/hundreds of software/services they've been managing access for)

Just seems very strange this is not an option - I mean I know *many* organizations are out there that are pretty "open" in this regard with Teams App Permissions....but there *are* organizations out there that tend to have very strict software use policies and need to vet things in smaller control groups before releasing it to the masses......

And this is not only for security reasons but simple "supportability" - with "smaller to medium" size orgs (or large orgs with small IT Support Depts) may become a bit challenging if the support desk is bombarded with a ton of requests for support/guidance on using apps they had no idea were being used in the environment or had ever seen before....get enough of those going at once and you've could potentially have created a support bottleneck that is a bit challenging to swiftly "unplug".....