App Permission Policies
Control which Teams apps users can install and use. Block risky third-party apps, allow only approved Microsoft apps, or permit specific custom line-of-business apps. App permission policies and setup policies work together to define the complete app experience for users.
Note: Teams policies are available with any Microsoft 365 license that includes Teams. Policy management via Graph API requires Directory.ReadWrite.All and TeamsPolicy.ReadWrite.All permissions.
App Categories
| Category | Options | Description |
|---|---|---|
| Microsoft apps | All / Block / Specific | Built-in first-party Microsoft apps |
| Third-party apps | All / Block / Specific | Apps published in the Teams store |
| Custom apps | All / Block / Specific | Line-of-business apps built by your organization |
| App setup policies | Pin / Install apps | Control which apps appear pinned for users |
App Permission Policy Settings
App permission policies determine which apps are available to each user. You can configure three scopes independently:
- Microsoft apps — Allow all, block all, or allow/block specific Microsoft apps
- Third-party apps — Allow all, block all, or allow/block specific third-party apps from the Teams store
- Custom apps — Allow all or block all custom (sideloaded) line-of-business apps
App Setup Policy Settings
App setup policies control how apps are presented to users:
- Pinned apps — Apps pinned to the Teams left rail for quick access
- App bar order — The display order of pinned apps in the sidebar
- Upload custom apps — Whether users can sideload custom apps into Teams
Policy Assignment
Policies follow a precedence order where direct user assignments override group assignments, which override the global default.
| Assignment Type | Use Case | Scalability |
|---|---|---|
| Direct to User | Exceptions, VIPs, specific overrides | Manual, suitable for small numbers |
| Group Assignment | Departments, roles, teams | Automatic via group membership |
| Batch Assignment | Large user populations | Up to 5,000 users per batch |
Assignment Precedence (Highest to Lowest)
- Direct User Assignment — Policy assigned directly to a specific user
- Group Assignment (Ranked) — Policy assigned via group with priority ranking
- Global (Org-wide default) — Default policy applied to all users without specific assignment
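The precedence order above can be checked offline before assignments are pushed. The following is an added example, not OpsPilot365 or Microsoft code: it resolves each user's effective policy and lists direct assignments that hide a group policy, which are the exceptions that need a documented justification. The tenant data and every policy name other than RestrictedApps are constructed, and rank 1 being the highest group priority is an assumption.

```python
from dataclasses import dataclass

GLOBAL_POLICY = "Global"  # org-wide default policy

@dataclass(frozen=True)
class GroupAssignment:
    group: str
    policy: str
    rank: int  # assumption: 1 is the highest priority

# Constructed sample tenant; all names are hypothetical except "RestrictedApps".
DIRECT = {"alice@contoso.example": "AllowAllApps"}
GROUP_ASSIGNMENTS = [
    GroupAssignment("Finance", "RestrictedApps", rank=2),
    GroupAssignment("Contractors", "BlockThirdParty", rank=1),
]
MEMBERS = {
    "Finance": {"alice@contoso.example", "bob@contoso.example"},
    "Contractors": {"bob@contoso.example"},
}

def group_policies(user):
    """Group assignments that apply to the user, best rank first."""
    hits = [g for g in GROUP_ASSIGNMENTS if user in MEMBERS.get(g.group, set())]
    return sorted(hits, key=lambda g: g.rank)

def effective_policy(user):
    """Resolve (policy, source): direct > ranked group > global."""
    if user in DIRECT:
        return DIRECT[user], "direct"
    ranked = group_policies(user)
    if ranked:
        return ranked[0].policy, "group:" + ranked[0].group
    return GLOBAL_POLICY, "global"

def direct_overrides():
    """Users whose direct assignment hides a group policy that would otherwise apply."""
    report = {}
    for user, policy in DIRECT.items():
        ranked = group_policies(user)
        if ranked and ranked[0].policy != policy:
            report[user] = {"effective": policy, "hidden": ranked[0].policy}
    return report

if __name__ == "__main__":
    for u in ("alice@contoso.example", "bob@contoso.example", "carol@contoso.example"):
        print(u, effective_policy(u))
    print("review:", direct_overrides())
```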
Best Practices
Policy Design
- Use group-based assignment for scalability
- Keep the global policy restrictive as a baseline
- Document exceptions with business justification
- Test policies in pilot groups before wide deployment
- Use policy packages for common role types
Security Considerations
- Block third-party apps by default, allow by exception
- Review app permission policies quarterly
- Monitor policy changes via audit logs
- Only allow custom apps that have been security-reviewed
Policy Drift Detection
Monitor policy configurations across tenants to detect drift from your baseline standards:
- Compliant — Matches baseline configuration
- Warning — Minor deviations detected
- Drifted — Significant policy changes found
Remediation options include auto-remediate, alert only, update baseline, or exempt tenant.
API Reference
```
# Get Teams app settings
GET /teamwork/teamsAppSettings
```

```
# Assign app policy to user via PowerShell
Grant-CsTeamsAppPermissionPolicy -Identity user@domain.com -PolicyName "RestrictedApps"
```

```
# OpsPilot365 API - Bulk deploy policy to tenants
POST /api/teams/policies/deploy
{
  "policyType": "appPermission",
  "policyName": "MSP-Standard-Apps",
  "tenantIds": ["tenant-1", "tenant-2"],
  "assignmentType": "global",
  "conflictResolution": "overwrite"
}
```

- GET /api/teams/policies/apps — List app policies
- POST /api/teams/policies/apps — Create policy
- PUT /api/teams/policies/apps/:id — Update policy