Nov 22 2021 07:30 AM
Hello,
I need a solid way to assign a Teams App Permission Policy to a set of security groups.
There are some hints, but they don't work for me, like:
# Requires Connect-AzureAD and Connect-MicrosoftTeams to have been run first
$group = Get-AzureADGroup -SearchString "GROUPNAME"
# Direct members only, filtered to user objects (nested groups are not expanded)
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true | Where-Object {$_.ObjectType -eq "User"}
# -Identity takes an array of user identities (SIP address / UPN)
New-CsBatchPolicyAssignmentOperation -PolicyType TeamsAppPermissionPolicy -PolicyName "POLICYNAME" -Identity $members.UserPrincipalName
Nov 22 2021 08:04 AM
Does your SIP address match the user principal name? Also, how big is your group? The limit for batch assignment is 5000.
In general, I discuss with my clients that they should have very few App Permission Policies: one for everyone and another for a small group of pilot users. While it's tempting to think of it as some kind of security control, it's not flexible enough; permissions should live inside the apps that you are using.
Nov 22 2021 08:12 AM
Nov 22 2021 08:23 AM
It is not possible to have a dynamic assignment of an App Permission Policy to a group.
This script fetches all the members of a group, then assigns those members to a policy. It's not dynamic and would only work with the group's members at the time you ran the script. The cmdlet it's using accepts a list of SIP addresses; most companies match these to their email and UPN, but it doesn't need to be. If it's not going to match, I would be creating a loop in the script to find the SIP address of each user, etc. Much longer process.
It doesn't sound like it'll meet your requirement anyway; as I said before, it's better to minimize the need to assign App Permission Policies.
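The two points raised above, the 5000-identity limit per batch and the loop needed when a user's SIP address does not match their UPN, can be put together into one script. The following is an added example written for this thread, not code posted by anyone in it: it wraps the questioner's snippet in a function that resolves each member through Get-CsOnlineUser, splits the result into batches of at most 5000, and records the returned operation IDs so the batch status can be checked afterwards. It assumes that Connect-AzureAD and Connect-MicrosoftTeams have already been run, that Get-CsOnlineUser exposes a SipAddress property of the form sip:alias@domain (an assumption; the code falls back to the UPN if that property is empty), and that Get-CsBatchPolicyAssignmentOperation exposes an OverallStatus property. Like the original snippet, it is a snapshot of the group's membership at run time, not a dynamic assignment.

```powershell
# Added example, not from the original thread.
# Assumes: Connect-AzureAD and Connect-MicrosoftTeams have already been run.
function Set-TeamsAppPermissionPolicyForGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$PolicyName,
        # Service limit quoted in the thread: at most 5000 identities per batch
        [int]$BatchSize = 5000
    )

    # -SearchString is a prefix match, so insist on exactly one hit to avoid
    # assigning the policy to the wrong group.
    $group = @(Get-AzureADGroup -SearchString $GroupName)
    if ($group.Count -ne 1) {
        throw "Expected exactly one group matching '$GroupName', found $($group.Count)"
    }

    # Direct user members only; nested groups are not expanded here.
    $members = Get-AzureADGroupMember -ObjectId $group[0].ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'User' }

    # Resolve each member to the identity the batch cmdlet expects. Users without
    # a Teams/Skype account are skipped with a warning instead of failing the batch.
    $identities = @(foreach ($m in $members) {
        $csUser = Get-CsOnlineUser -Identity $m.UserPrincipalName -ErrorAction SilentlyContinue
        if (-not $csUser) {
            Write-Warning "Skipping $($m.UserPrincipalName): not a Teams user"
            continue
        }
        # SipAddress property assumed to look like 'sip:alias@domain'; fall back to UPN.
        if ($csUser.SipAddress) { $csUser.SipAddress -replace '^sip:', '' }
        else { $m.UserPrincipalName }
    })

    if ($identities.Count -eq 0) {
        Write-Warning "No assignable users found in '$GroupName'"
        return @()
    }

    # Submit one batch operation per chunk of $BatchSize identities.
    $operationIds = @()
    for ($i = 0; $i -lt $identities.Count; $i += $BatchSize) {
        $end = [Math]::Min($i + $BatchSize, $identities.Count) - 1
        $batch = $identities[$i..$end]
        $batchNo = [int]($i / $BatchSize) + 1
        $opId = New-CsBatchPolicyAssignmentOperation `
            -PolicyType TeamsAppPermissionPolicy `
            -PolicyName $PolicyName `
            -Identity $batch `
            -OperationName "$GroupName / $PolicyName batch $batchNo"
        Write-Host "Submitted batch $batchNo ($($batch.Count) users), operation $opId"
        $operationIds += $opId
    }

    # Batch assignment is asynchronous; report the current status of each operation.
    # OverallStatus property name is an assumption about the cmdlet's output object.
    foreach ($id in $operationIds) {
        $op = Get-CsBatchPolicyAssignmentOperation -OperationId $id
        Write-Host "Operation $id status: $($op.OverallStatus)"
    }

    return $operationIds
}

# Usage (placeholder names):
# Set-TeamsAppPermissionPolicyForGroup -GroupName 'GROUPNAME' -PolicyName 'POLICYNAME'
```

The function returns the operation IDs so they can be re-checked later with Get-CsBatchPolicyAssignmentOperation once the batches have finished processing; the exact-match check on the group lookup is there because -SearchString matches on prefix, and a broader match would silently widen the set of users receiving the policy.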
Nov 27 2021 10:19 PM