App Management & Permissions
Teams is a platform, not just a chat app. Learn how to manage org-wide app settings, create setup policies, control permissions and consent, and decide which apps users can install.
Apps in Teams
Teams is like a smartphone β the real power comes from the apps.
Microsoft provides built-in apps (Planner, Forms, OneNote). Third-party developers make thousands more (Trello, Jira, Salesforce). And your own organisation can build custom apps.
As an admin, youβre the app store manager. You decide: which apps are allowed? Which are blocked? Which appear on every userβs app bar by default? You have three layers of control: org-wide settings (master switches), permission policies (which apps are allowed for which users), and setup policies (which apps are pinned to the app bar).
Three layers of app control
Layer 1: Org-wide app settings
Teams admin center β Teams apps β Manage apps β Org-wide app settings
| Setting | What It Controls | Default |
|---|---|---|
| Third-party apps | Allow third-party apps from the Teams store | On |
| Custom apps | Allow users to upload custom apps | On |
| Allow interaction with custom apps | Whether custom apps can interact with users | On |
These are master switches. If you turn off third-party apps here, NO permission policy can re-enable them. Org-wide settings override everything.
Layer 2: App permission policies
Teams admin center β Teams apps β Permission policies
Permission policies define which apps users can install:
| Configuration | Behaviour |
|---|---|
| Allow all apps | Users can install any Microsoft, third-party, and custom app |
| Block all apps | Users canβt install any apps (except those you specifically allow) |
| Allow specific apps | Only listed apps are available |
| Block specific apps | All apps except listed ones are available |
You can create different permission policies for different user groups:
Scenario: Kofi's app permissions at Harbour University
Harbour University needs different app permissions for different groups:
βStudent Appsβ policy:
- Microsoft apps: Allow all
- Third-party apps: Allow specific only (Zoom, Canvas, Quizlet β pre-approved for education)
- Custom apps: Block all (students canβt upload custom apps)
βFaculty Appsβ policy:
- Microsoft apps: Allow all
- Third-party apps: Allow all (faculty trusted to choose appropriate tools)
- Custom apps: Allow all (faculty can deploy research tools)
βIT Staff Appsβ policy:
- All apps: Allow all (IT needs full access for testing and support)
Kofi assigns each policy to the respective security group. Students see a curated app store; faculty see everything.
Layer 3: App setup policies
Teams admin center β Teams apps β Setup policies
Setup policies control the app bar β the sidebar/bottom bar that users see in Teams:
| Setting | What It Controls |
|---|---|
| Pinned apps | Which apps appear on every userβs app bar by default |
| App bar order | The order of pinned apps |
| Allow user pinning | Whether users can pin/unpin their own apps |
| Upload custom apps | Whether users can sideload custom apps |
Scenario: Kofi pins apps for frontline security staff
Campus security staff need immediate access to Shifts, Walkie Talkie, and Tasks. Kofi creates an app setup policy:
βCampus Security Setupβ policy:
- Pinned apps (in order): Activity, Chat, Shifts, Tasks, Walkie Talkie, Calls
- Allow user pinning: No (simplified experience β security staff shouldnβt rearrange)
- Upload custom apps: No
When security staff open Teams on their mobile, they see exactly these six apps β no clutter, no confusion.
App consent and permissions
When an app requests permissions (e.g., βread user profiles,β βaccess calendarβ), it needs consent β approval to access data.
Consent types
| Consent Type | Who Approves | Scope |
|---|---|---|
| User consent | Individual user | The app accesses only that userβs data |
| Admin consent | Entra admin role (Cloud Application Admin, Application Admin, or Privileged Role Admin) | The app accesses data for all users in the org |
| Resource-specific consent (RSC) | Team owner | The app accesses data within that specific team only |
Controlling consent
In Entra ID β Enterprise applications β Consent and permissions:
| Setting | Options |
|---|---|
| User consent | Allow all / Allow for verified publishers only / Do not allow |
| Group owner consent | Allow group owners to consent for their groups |
| Admin consent workflow | Users can request admin consent; admins approve/deny |
Best practice for regulated organisations: Disable user consent. Enable admin consent workflow. This ensures every app is reviewed by IT before accessing data.
Blocking specific apps
To block an app in the Teams admin center:
- Teams apps β Manage apps β Find the app
- Toggle the app status to Blocked
- The app is immediately unavailable to all users
Alternatively, use permission policies to block apps for specific user groups only.
π¬ Video walkthrough
Flashcards
Knowledge Check
Harbour University's org-wide app settings have 'Third-party apps' turned OFF. Kofi creates an app permission policy that allows Zoom for faculty. Can faculty install Zoom?
Nadia wants to ensure every new Teams app at Sterling Financial is reviewed by IT before it can access company data. What should she configure?
Next up: App Extensibility & Store β understanding app types (tabs, bots, messaging extensions, workflows), managing the Teams store, and uploading custom apps.