SOLVED

Help with Permission Policies and/or Setup Policies

Copper Contributor

I'm trying to deploy different apps targeting specific users. The problem I'm having is that if I assign a permission policy (or setup policy) to a user, it seems to remove that user from another permission/setup policy the user was already assigned previously.

For example, I want to deploy the Adobe Acrobat app and a custom chatbot app. The Adobe app is targeting most users. Whereas the custom app is targeting only a small number of users, some of which are to have the Adobe app.

For example:

We have users 1 through 5 assigned the Adobe app permission and setup policies

We have users 3 and 5 assigned the custom chatbot app permission and setup policies

The expected outcome:

Users 1 through 5 to have access to the Adobe app, be installed, and pinned in Teams.

Users 3 and 5, in addition to the Adobe app, they should have access, installed, and pinned in Teams the Custom chatbot app.

Actual outcome:

It seems that if the Adobe app was assigned first, when assigning the custom app to users 3 and 5, they no longer have the permission/setup policy for the Adobe app and vice versa. If the custom app is assigned first, when assigning the Adobe app, it removes the permissions from the Adobe app.

 

Is this the expected behavior? And can you confirm if the policies below are configured correctly for trying to achieve the deployment of multiple apps without affecting previous deployments of users that have permissions to other apps?

It seems that only one permission and setup policy can be applied per user. Is that correct? If so, how does one deploy multiple apps to different people where there might be some overlap in some users needing access to multiple apps and other users to only a specific app?

 

My Global permission policy is as follows:

Microsoft apps: Allow all apps

Third-party apps: Block all apps

Custom apps: Block all apps

 

The Adobe app permission policy is as follows:

Microsoft apps: Allow all apps

Third-party apps: Allow specific apps and block all others (Adobe Acrobat)

Custom apps: Block all apps

Assignment Example: User1, User2, User3, User4, User5

 

The custom chatbot app permission policy is as follows:

Microsoft apps: Allow all apps

Third-party apps: Block all apps

Custom apps: Allow specific apps and block all others (custom chatbot app)

Assignment Example: User3, User5

 

The Global setup policy is as follows:

Upload custom apps: Off

User Pinning: On

Installed apps: "Tasks by Planner and To Do"

Pinned apps: Added "Tasks by Planner and To Do" at the bottom of the default list of pinned apps

 

Acrobat app setup policy:

Upload custom apps: Off

User pinning: On

Installed apps: "Adobe Acrobat"

Pinned apps: Added "Adobe Acrobat" at the bottom of the default list of pinned apps

 

Custom chatbot app setup policy:

Upload custom apps: Off

User pinning: On

Installed apps: "Custom chatbot app"

Pinned apps: Added "Custom chatbot app" at the bottom of the default list of pinned apps

 

1 Reply
best response confirmed by SC-BPC (Copper Contributor)
Solution

@SC-BPC Users can only receive one policy at a time; there is no ability currently to add together policies.

 

To achieve what you describe you would potentially need 4 policies: neither, Adobe only, chatbot only and both. Now think about adding a third app to the mix; the permutations and combinations increase exponentially each time.

 

It's not worth trying to use Teams policies for fine-grained per-user permissions. I would switch your model around to group users into a small number of categories, maybe departments or something else that makes sense in your business, then choose which apps are appropriate to each one. I would also include an 'Early Adopters' group to test new apps before wider deployment.

 

If you really need permissions to protect data, that should be a function of the app, not a feature of whether the app is available. Ultimately these apps are not really much more than web sites; most don't generally have fine-grained permissions for accessing the internet, rather they rely on permissions to log on to the apps.
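The one-policy-per-user behaviour discussed in this thread, as an added example that is not part of the original posts: a small Python model (it does not call any Teams API) that reproduces the overwrite the question describes and then derives which combined policies are actually needed. The function names and the `APP_TARGETS` sample are hypothetical, constructed from the users and apps named in the question.

```python
from collections import defaultdict

# Constructed sample mirroring the question: app -> users who should get it.
APP_TARGETS = {
    "Adobe Acrobat": {"User1", "User2", "User3", "User4", "User5"},
    "Custom chatbot app": {"User3", "User5"},
}


def assign_sequentially(app_targets):
    """Model one policy per user: each assignment replaces the previous one."""
    effective = {}
    for app, users in app_targets.items():
        for user in users:
            # The new policy overwrites the old one; nothing is merged.
            effective[user] = frozenset([app])
    return effective


def plan_combined_policies(app_targets):
    """Group users by the exact set of apps they need: one policy per set."""
    needed = defaultdict(set)
    for app, users in app_targets.items():
        for user in users:
            needed[user].add(app)
    policies = defaultdict(list)
    for user, apps in needed.items():
        policies[frozenset(apps)].append(user)
    return {apps: sorted(users) for apps, users in policies.items()}


def worst_case_policy_count(app_count):
    """Every subset of apps, 'neither' included, may need its own policy."""
    return 2 ** app_count


if __name__ == "__main__":
    print("After per-app assignment (last policy wins):")
    for user, apps in sorted(assign_sequentially(APP_TARGETS).items()):
        print(f"  {user}: {sorted(apps)}")
    print("Combined policies required:")
    for apps, users in plan_combined_policies(APP_TARGETS).items():
        print(f"  {sorted(apps)} -> {users}")
    print("Worst case for 3 apps:", worst_case_policy_count(3))
```

Only the app combinations that real users need have to exist as policies, which is why grouping users into a few categories keeps the count far below the worst case.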
