cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

TeamsApp Permission Policy assign to Security Group

upfaffer
Brass Contributor

‎Nov 22 2021 07:30 AM

‎Nov 22 2021 07:30 AM

TeamsApp Permission Policy assign to Security Group

Hello,

need a solid way to assign Teams App Permission Policy to a set of security groups.

 

There are some hints, but they doesn't work for me like:

 

$group = Get-AzureADGroup -SearchString "GROUPENAME"
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true | Where-Object {$_.ObjectType -eq "User"}
New-CsBatchPolicyAssignmentOperation -PolicyType TeamsAppPermissionPolicy -PolicyName "POLICYNAME" -Identity $members.UserPrincipalName

Labels:
4,069 Views
1 Like
4 Replies
Reply
4 Replies
Steven Collier

‎Nov 22 2021 08:04 AM

‎Nov 22 2021 08:04 AM

Re: TeamsApp Permission Policy assign to Security Group

@upfaffer 

 

Does your SIP address match the user principal name ? Also how big is your group, the limit for batch assignment is 5000.

 

In general, I discuss with my client that they should have very few App Permission Policies, one for everyone and another for a small group of pilot users. While it's tempting to think of it as some kind of security control, it's not flexible enough, Permissions should live inside the apps that you are using.

1 Like
Reply
upfaffer81

‎Nov 22 2021 08:12 AM

‎Nov 22 2021 08:12 AM

Re: TeamsApp Permission Policy assign to Security Group

Where i get this SIP Adress?
The mapping should be dynamic, a export of the SIP ID and assigne to the Permission does not help. If found this workaround already in googlesearch
0 Likes
Reply
Steven Collier

‎Nov 22 2021 08:23 AM

‎Nov 22 2021 08:23 AM

Re: TeamsApp Permission Policy assign to Security Group

@upfaffer81 

 

It is not possible to have a dynamic assignment of a App Permission Policy to a group.

 

This script fetches all the member of a group then assigns those members to a policy, it's not dynamic and would only work with the groups member at the time you ran the script. The cmdlet its using accepts a list of SIP addresses, most companies match these to their email and upn, but it doesn't need to be. If it's not going to match I would be creating a loop in the script to find the SIP address of each user etc. Much longer process.

 

It doesn't' sound like it'll meet your requirement anyway, as I said before it's better to minimize the need to assign App Permission Policies.

0 Likes
Reply
upfaffer

‎Nov 27 2021 10:19 PM

‎Nov 27 2021 10:19 PM

Re: TeamsApp Permission Policy assign to Security Group

Thx but this not help in complex companies ;)
0 Likes
Reply