Deleting a Teams App from a user's Teams

I recently deployed the Company Communicator App to my org; however, an oversight in the deployment made it so that, when published, it proactively installed for everyone.
I'm now trying to uninstall that application so I can turn off the proactive installation setting.

I'm using PowerShell to do this; however, I'm running into a few issues.
The script itself (for a single user, for a test) is as follows. I've redacted sensitive info...

#Log into Teams
Connect-MicrosoftTeams
#App ID and Import User ID list
$theAppID = "ec9f52eb-1d6c-45d5-af44-964e73ed42db"
$UserID = "<UserID>"
$Name = "<Name>"
#Check User List for the Teams App, removes installation if the App ID matches
Get-CsOnlineUser -Filter 'accountEnabled -eq $True' | ForEach-Object {$isTheAppInstalled = Get-TeamsAppInstallation -UserId $UserID -AppId $theAppID
    if ($isTheAppInstalled)
    {
        Write-Host "$($Name) has the app, removing."
        Remove-TeamsAppInstallation -UserID $UserID -AppId $theAppID
    }
    else
    {
        Write-Host "$($Name) has not got the app."
    }
}

The error I'm getting is to do with API permissions; however, I have gone through the permissions and have granted each of them. (At the moment they're all delegated, but I have tried to mix and match.)

Get-TeamsAppInstallation : Error occurred while executing
Code: Forbidden
Message: Missing scope permissions on the request. API requires one of 'TeamsAppInstallation.ReadForUser,
TeamsAppInstallation.ReadWriteSelfForUser, TeamsAppInstallation.ReadWriteForUser'. Scopes on the request 'AppCatalog.ReadWrite.All,
ChannelMember.ReadWrite.All, email, Group.ReadWrite.All, openid, profile, Reports.Read.All, User.Read.All'
InnerError:
RequestId: 1d8de733-41a0-40a5-88d4-eca5387a574d
DateTimeStamp: 2022-05-12T14:11:21
HttpStatusCode: Forbidden
At line:5 char:92
+ ... Installed = Get-TeamsAppInstallation -UserId $UserID -AppId $theAppID ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-TeamsAppInstallation], ApiException
+ FullyQualifiedErrorId : Microsoft.Teams.PowerShell.TeamsCmdlets.ErrorHandling.ApiException,Microsoft.Teams.PowerShell.TeamsCmdlets.GetTeamsAppInstallation

Is anyone able to advise on what could be causing this issue? Here are the permissions on the user app registration.

[Image: alexl_2397_0-1652364934423.png]

Just a note: User.Read has been set prior to this, as it's needed for the bot to function.

Any advice on this would be greatly appreciated - thank you!
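
Added example (not part of the original post): a small PowerShell helper that parses the Forbidden message shown above and compares the scopes the API accepts with the scopes actually present on the request. The function names `ConvertTo-ScopeList` and `Compare-RequestScopes` are hypothetical, and the sample string is the message text copied from the error output.

```powershell
# Sample input: the "Message:" text from the error output in this post.
$message = @"
Missing scope permissions on the request. API requires one of 'TeamsAppInstallation.ReadForUser,
TeamsAppInstallation.ReadWriteSelfForUser, TeamsAppInstallation.ReadWriteForUser'. Scopes on the request 'AppCatalog.ReadWrite.All,
ChannelMember.ReadWrite.All, email, Group.ReadWrite.All, openid, profile, Reports.Read.All, User.Read.All'
"@

# Hypothetical helper: turn "a, b, c" into a clean array of scope names.
function ConvertTo-ScopeList {
    param([string]$Text)
    @($Text -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# Hypothetical helper: report which accepted scopes (if any) are on the request.
function Compare-RequestScopes {
    param([Parameter(Mandatory)][string]$Message)

    # The console wraps the message, so collapse all whitespace runs first.
    $flat = ($Message -replace '\s+', ' ').Trim()

    $pattern = "requires one of '(?<required>[^']*)'.*?Scopes on the request '(?<granted>[^']*)'"
    $m = [regex]::Match($flat, $pattern)
    if (-not $m.Success) {
        throw "Not a 'Missing scope permissions' message."
    }

    $required = ConvertTo-ScopeList $m.Groups['required'].Value
    $granted  = ConvertTo-ScopeList $m.Groups['granted'].Value

    # The API accepts any ONE of the required scopes, so a single hit is enough.
    $satisfying = @($required | Where-Object { $granted -contains $_ })

    [pscustomobject]@{
        RequiredAnyOf = $required
        Granted       = $granted
        Satisfying    = $satisfying
        Authorized    = ($satisfying.Count -gt 0)
    }
}

Compare-RequestScopes -Message $message | Format-List
```

For the message in this thread, `Authorized` is `False` and `Satisfying` is empty: none of the three `TeamsAppInstallation.*` scopes the API accepts is among the eight scopes on the request.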




2 Replies

@alexl_2397 The question here is: how did you enable the app in MS Teams? Did you allow the app in the Teams admin center and add it to the Global App Permission policy, or what?
Ideally, when you enable an MS Teams app for a group of users, you need to create a custom App permission policy for it. To start with, you want to make sure the app is allowed under the Teams admin center (Teams Apps > Manage Apps > either search for the app if it exists already and then allow it, or upload your custom app here). Once you do that, create a custom App Permission policy under Permission Policies, mimic the Global policy app settings and, under the third-party apps or custom apps, add the Company Communicator App, then assign this custom policy to the group of users who need to access the app. This way, you will make sure the app is only available to the group of users who need it and not to all users. At the same time, when you remove the app from the Global App Permission policy, Teams will remove the app from all users automatically; there is no need to use any script to uninstall the app or install it.

The following Microsoft documents will guide you through the process and provide more insight on how to use app permission policies in Teams:
https://docs.microsoft.com/en-us/microsoftteams/app-policies
https://docs.microsoft.com/en-us/microsoftteams/teams-app-permission-policies

Hi AwsAyad,
Throughout the deployment I followed the guidance provided on GitHub - https://github.com/OfficeDev/microsoft-teams-apps-company-communicator/wiki/Deployment-guide#6-insta...

I published the user app through Teams (Desktop) by uploading the custom app; and then I published it through the Desktop App also (Creating the request, and then going into the Teams Admin Portal and approving it).

My plan was to create a permissions policy in order to control who has access so I can do testing; however, the oversight when deploying the app via the ARM template (having proactively install set to true) prevented that.
So now, as part of damage control and so I can continue testing without messaging the entire company, I'm trying to uninstall the app for everyone (I have an exported list from Azure of everyone's User IDs to do so). At the moment, though, I'm just testing the script itself on a single user.