@Jay Carper
I received this reply from Microsoft support:
"Regarding the apps for teams, it would be tied into the specific Teams group, which would then lead to its own site collection. The apps themselves are only plugins that attach to the Team once used. For instance, a form created on Team A will be attached to Team A's site directly vs a form on Team B. Due to this group functionality, there would be no way to group together all the apps into one site, as they plugin to the direct Team site being used. From my understanding, you would have to create custom Setup Policies within the Teams admin center, and specifically add members to polices that will allow them to see a set list of apps pinned to their chat bar. This would be very time consuming, as a larger organization would be recreating groups with specific app policies to allow certain users access or deny access. You could control the apps allowed on the organization via Permission Policies as well. With blocking the apps that may cause concern, it could help limit any strange access to read/write items and lists, but most of the time it is needed to add files to the document library of a Teams site. Overall, the policies that can be set would affect either a per user basis, or an entire organizational block/restriction. Natively, teams will allow the users to download any apps they want and would involve a heavy hand within permissions and setup to either restrict access or guide a certain pinned user experience that you'd want them to see."
I asked....
If I am reading your reply correctly, approving this app's permissions will not automatically allow it to read items and lists in all of my Sharepoint sites unless the app is installed in the Teams associated with those sites. Is that correct?
Microsoft replied...
"That's right! The app will only need those permissions once it is used. The permissions really fall back on to storage of files and information, and the creation of the app instance or document the app creates. Without access it will not be able to save to the site allowing others to view it. In our day an age, using our phones with apps and those accessing permissions are a bit more pervasive than the permissions used for apps within teams, so I understand the wearied approach."
The app has permission to read items and lists in all site collections, but it doesn't have access to all site collections until a Team owner installs the app in a Team. Then it has access to that Team's Sharepoint site only.
The response seemed a little convoluted, so I could still have misunderstood.
