We are an enterprise in the midst of rolling out Teams to approximately 7K users. An area of concern we have is around managing the App Permission Policies. We have developed a process to approve additional apps that our business units might find useful.
Our initial thought was to manage the app access via AD groups, but that appears to require some kind of automated PowerShell script to get the correct app permission policy applied to the users of the group. Then we have the challenge of a 1:1 ratio of users to app permission policies rather than building a base policy for the enterprise, where if you are in group X, you also get this additional app. This approach comes across to me as a maintenance nightmare. We have also recently run into a token bloat issue with users having many AD groups, which this approach may exacerbate.
We are looking for ideas or suggestions of how others might be handling multiple app permission policies. Are you limiting the number of policies you create? Are you using the global policy and taking the stance that all approved apps are available enterprise-wide?
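The group-driven script the post describes can be kept to a small, ordered mapping of AD groups to a handful of named policies (a base policy plus a few additions) instead of one policy per user. The following is an added example, not code from the original post or from Microsoft: it assumes the MicrosoftTeams and ActiveDirectory modules are installed, that Connect-MicrosoftTeams has already been run, and that the group and policy names (`Teams-AllUsers`, `Teams-Apps-Finance`, `AppPerm-Finance`, and so on) are placeholders for your own. It computes the desired policy for every in-scope user, compares it with what is currently assigned, and only calls Grant-CsTeamsAppPermissionPolicy where they differ, so it is safe to run repeatedly and supports `-WhatIf` for a dry run.

```powershell
# Added example (not from the original post). Resolves each user's Teams app
# permission policy from AD group membership and applies only the differences.
# Assumes: MicrosoftTeams + ActiveDirectory modules, Connect-MicrosoftTeams done.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder names: the enterprise-wide default and the AD group that scopes the run.
    [string] $BasePolicyName = 'Global',
    [string] $ScopeGroup     = 'Teams-AllUsers'
)

# Ordered: earlier entries take precedence when a user is in several mapped groups.
# A few named policies (base + additions) replace the one-policy-per-user pattern.
$PolicyMap = @(
    @{ Group = 'Teams-Apps-Finance';     Policy = 'AppPerm-Finance' }
    @{ Group = 'Teams-Apps-Engineering'; Policy = 'AppPerm-Engineering' }
)

function Get-GroupUpns {
    param([string] $GroupName)
    # -Recursive flattens nested groups; only user objects with a UPN are returned.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            (Get-ADUser -Identity $_.distinguishedName -Properties UserPrincipalName).UserPrincipalName
        } |
        Where-Object { $_ }
}

# 1. Desired state: every in-scope user starts on the base policy ...
$desired = @{}
foreach ($upn in Get-GroupUpns -GroupName $ScopeGroup) { $desired[$upn] = $BasePolicyName }

# ... then mapped groups overwrite it, lowest precedence first so the top entry wins.
for ($i = $PolicyMap.Count - 1; $i -ge 0; $i--) {
    foreach ($upn in Get-GroupUpns -GroupName $PolicyMap[$i].Group) {
        if ($desired.ContainsKey($upn)) { $desired[$upn] = $PolicyMap[$i].Policy }
    }
}

# 2. Current state in one bulk query (per-user lookups are far too slow at 7K users).
$current = @{}
Get-CsOnlineUser -ResultSize Unlimited | ForEach-Object {
    $assigned = $_.TeamsAppPermissionPolicy
    # Newer module versions return a policy object; older ones a "Tag:Name" string.
    if ($assigned -and $assigned.PSObject.Properties['Name']) { $assigned = $assigned.Name }
    $assigned = "$assigned" -replace '^Tag:', ''
    if ([string]::IsNullOrWhiteSpace($assigned)) { $assigned = 'Global' }
    $current[$_.UserPrincipalName] = $assigned
}

# 3. Apply only the delta; -WhatIf shows the changes without making them.
$changed = 0
foreach ($upn in $desired.Keys) {
    $want = $desired[$upn]
    if (-not $current.ContainsKey($upn)) {
        Write-Warning "$upn is in AD scope but not found in Teams; skipping"
        continue
    }
    if ($current[$upn] -eq $want) { continue }

    # Granting $null resets the user to the global (org-wide default) policy.
    $policyArg = if ($want -eq 'Global') { $null } else { $want }
    if ($PSCmdlet.ShouldProcess($upn, "Change app permission policy '$($current[$upn])' -> '$want'")) {
        Grant-CsTeamsAppPermissionPolicy -Identity $upn -PolicyName $policyArg
        $changed++
    }
}
Write-Host "Users evaluated: $($desired.Count); policies changed: $changed"
```

Because the desired state is recomputed from group membership each run, removing a user from a mapped group drops them back to the base policy on the next run, and the number of distinct policies stays equal to the number of rows in the map rather than the number of users. Note that this only addresses the maintenance side of the question; it still relies on the AD groups that contribute to the token bloat mentioned in the post.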