May 12 2022 07:22 AM
I recently deployed the Company Communicator App to my org; however, an oversight in the deployment made it so that, when published, it proactively installed for everyone.
I'm trying to now uninstall that application so I can turn off the proactive installation setting.
I'm using PowerShell to do this; however, I'm running into a few issues.
The script itself (for a single user for a test) is as follows - I've redacted sensitive info...
# Log into Teams
Connect-MicrosoftTeams
# App ID and Import User ID list
$theAppID = "ec9f52eb-1d6c-45d5-af44-964e73ed42db"
$UserID = "<UserID>"
$Name = "<Name>"
# Check User List for the Teams App, removes installation if the App ID matches
# (single-user test: every iteration checks the fixed $UserID, not the piped user)
Get-CsOnlineUser -Filter 'accountEnabled -eq $True' | ForEach-Object {$isTheAppInstalled = Get-TeamsAppInstallation -UserId $UserID -AppId $theAppID
    if ($isTheAppInstalled)
    {
        Write-Host "$($Name) has the app, removing."
        Remove-TeamsAppInstallation -UserID $UserID -AppId $theAppID
    }
    else
    {
        Write-Host "$($Name) has not got the app."
    }
}
The error I'm getting is to do with API permissions; however, I have gone through the permissions and have granted each of them. (At the moment they're all delegated, but I have tried to mix and match.)
Get-TeamsAppInstallation : Error occurred while executing
Code: Forbidden
Message: Missing scope permissions on the request. API requires one of 'TeamsAppInstallation.ReadForUser,
TeamsAppInstallation.ReadWriteSelfForUser, TeamsAppInstallation.ReadWriteForUser'. Scopes on the request 'AppCatalog.ReadWrite.All,
ChannelMember.ReadWrite.All, email, Group.ReadWrite.All, openid, profile, Reports.Read.All, User.Read.All'
InnerError:
RequestId: 1d8de733-41a0-40a5-88d4-eca5387a574d
DateTimeStamp: 2022-05-12T14:11:21
HttpStatusCode: Forbidden
At line:5 char:92
+ ... Installed = Get-TeamsAppInstallation -UserId $UserID -AppId $theAppID ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-TeamsAppInstallation], ApiException
+ FullyQualifiedErrorId : Microsoft.Teams.PowerShell.TeamsCmdlets.ErrorHandling.ApiException,Microsoft.Teams.PowerShell.TeamsCmdlets.GetTeamsAppInstallation
Is anyone able to advise on what could be causing this issue? Here are the permissions on the user app registration.
Just a note: User.Read has been set prior to this, as it's needed for the bot to function.
Any advice on this would be greatly appreciated - thank you!
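The scope mismatch reported in the error above, as an added example that is not part of the original post: a PowerShell helper that parses the "Missing scope permissions" message and reports whether any scope the API accepts is among the scopes on the request. The function name Compare-TeamsScopeError is hypothetical, and the sample text is the message quoted in the post.

```powershell
# Added example: parse a "Missing scope permissions" message and compare the
# scopes the API accepts with the scopes that were on the request.
# The function name is hypothetical and not part of any Microsoft module.
function Compare-TeamsScopeError {
    param([Parameter(Mandatory)][string]$Message)

    # The console wraps the message; collapse whitespace so each quoted list is on one line.
    $flat = ($Message -replace '\s+', ' ').Trim()

    $pattern = "API requires one of '(?<required>[^']+)'\. Scopes on the request '(?<granted>[^']*)'"
    if (-not ($flat -match $pattern)) {
        throw "Message does not look like a missing-scope error."
    }

    $required = @($Matches['required'] -split ',\s*' | Where-Object { $_ })
    $granted  = @($Matches['granted']  -split ',\s*' | Where-Object { $_ })

    # -in compares case-insensitively; one matching scope is enough ("one of").
    $satisfied = @($required | Where-Object { $_ -in $granted })

    [pscustomobject]@{
        AcceptedScopes  = $required
        ScopesOnRequest = $granted
        SatisfiedBy     = $satisfied
        Authorized      = $satisfied.Count -gt 0
    }
}

# Message text copied from the error in the post above.
$sample = @'
Message: Missing scope permissions on the request. API requires one of 'TeamsAppInstallation.ReadForUser,
TeamsAppInstallation.ReadWriteSelfForUser, TeamsAppInstallation.ReadWriteForUser'. Scopes on the request 'AppCatalog.ReadWrite.All,
ChannelMember.ReadWrite.All, email, Group.ReadWrite.All, openid, profile, Reports.Read.All, User.Read.All'
'@

Compare-TeamsScopeError -Message $sample | Format-List
```

For the message in the post, `SatisfiedBy` is empty and `Authorized` is `False`: none of the three accepted `TeamsAppInstallation.*` scopes appears in the list of scopes on the request.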
May 12 2022 08:32 AM
@alexl_2397 The question here is: how did you enable the app in MS Teams? Did you allow the app in the Teams admin center and add it to the Global App Permission policy, or what?
Ideally, when you enable an MS Teams app for a group of users, you need to create a custom App Permission policy for it. To start with, make sure the app is allowed in the Teams admin center (Teams Apps > Manage Apps > either search for the app, if it already exists, and allow it, or upload your custom app here). Once you do that, create a custom App Permission policy under Permission Policies, mimic the Global policy app settings and, under third-party apps or custom apps, add the Company Communicator App, then assign this custom policy to the group of users who need to access the app. This way, you will make sure the app is only available to the group of users who need it and not to all users. At the same time, when you remove the app from the Global App Permission policy, Teams will remove the app from all users automatically; there is no need to use any script to uninstall or install the app.
The following Microsoft documents will guide you through the process and provide more insight on how to use app permission policies in Teams:
https://docs.microsoft.com/en-us/microsoftteams/app-policies
https://docs.microsoft.com/en-us/microsoftteams/teams-app-permission-policies
May 13 2022 01:58 AM