TeamsApp Permission Policy assign to Security Group

Hello,

I need a solid way to assign a Teams App Permission Policy to a set of security groups.

There are some hints, but they don't work for me, like:

$group = Get-AzureADGroup -SearchString "GROUPENAME"
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true | Where-Object {$_.ObjectType -eq "User"}
New-CsBatchPolicyAssignmentOperation -PolicyType TeamsAppPermissionPolicy -PolicyName "POLICYNAME" -Identity $members.UserPrincipalName

3 Replies

@upfaffer 

Does your SIP address match the user principal name? Also, how big is your group? The limit for batch assignment is 5000.

In general, I discuss with my client that they should have very few App Permission Policies, one for everyone and another for a small group of pilot users. While it's tempting to think of it as some kind of security control, it's not flexible enough; permissions should live inside the apps that you are using.

Where do I get this SIP address?
The mapping should be dynamic; an export of the SIP ID and assigning it to the permission does not help. I found this workaround already in a Google search.

@upfaffer81 

It is not possible to have a dynamic assignment of an App Permission Policy to a group.

This script fetches all the members of a group, then assigns those members to a policy; it's not dynamic and would only work with the group's members at the time you ran the script. The cmdlet it's using accepts a list of SIP addresses; most companies match these to their email and UPN, but it doesn't need to be. If it's not going to match, I would be creating a loop in the script to find the SIP address of each user, etc. Much longer process.

It doesn't sound like it'll meet your requirement anyway; as I said before, it's better to minimize the need to assign App Permission Policies.
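The approach discussed in the replies, written out as an added example that is not part of any post in the thread: it takes a point-in-time snapshot of one exactly matched group, reports members whose SIP address differs from their UPN, and submits the assignment in batches of at most 5000. It assumes the AzureAD and MicrosoftTeams modules are connected, that `GROUPENAME` and `POLICYNAME` are the thread's placeholders, and that `-Identity` accepts Azure AD object IDs, which sidesteps the UPN/SIP mismatch.

```powershell
# Added example. Requires the AzureAD and MicrosoftTeams modules with
# Connect-AzureAD and Connect-MicrosoftTeams already run.
$GroupName  = 'GROUPENAME'   # placeholder from the thread
$PolicyName = 'POLICYNAME'   # placeholder from the thread
$BatchLimit = 5000           # batch limit stated in the reply

# -SearchString can return several groups, so require one exact match
# before applying a policy to anyone.
$groups = @(Get-AzureADGroup -SearchString $GroupName |
    Where-Object { $_.DisplayName -eq $GroupName })
if ($groups.Count -ne 1) {
    throw "Expected one group named '$GroupName', found $($groups.Count)."
}

# Point-in-time snapshot of the user members; this is not dynamic.
$members = @(Get-AzureADGroupMember -ObjectId $groups[0].ObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' })

# Report members with no Teams record or whose SIP address differs from
# their UPN (one lookup per user, so this is slow on large groups).
foreach ($m in $members) {
    $cs = Get-CsOnlineUser -Identity $m.ObjectId -ErrorAction SilentlyContinue
    if (-not $cs) {
        Write-Warning "$($m.UserPrincipalName): no Teams user record found"
    } elseif ($cs.SipAddress -ne "sip:$($m.UserPrincipalName)") {
        Write-Warning "$($m.UserPrincipalName): SIP address is $($cs.SipAddress)"
    }
}

# Assumption: -Identity accepts object IDs, so the UPN is never passed.
$ids = @($members | ForEach-Object { $_.ObjectId })
for ($i = 0; $i -lt $ids.Count; $i += $BatchLimit) {
    $end   = [Math]::Min($i + $BatchLimit, $ids.Count) - 1
    $chunk = $ids[$i..$end]
    # Each call emits an operation ID that can be used to check the result.
    New-CsBatchPolicyAssignmentOperation -PolicyType TeamsAppPermissionPolicy `
        -PolicyName $PolicyName -Identity $chunk `
        -OperationName "$GroupName users $i-$end"
}
```

Members added to the group after the run are not covered, so the script has to be re-run (for example on a schedule) to pick them up.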