MS-700 Managing Microsoft Teams – Implementing Policies for Microsoft Teams Apps

  1. Understanding App Permission Policies

So what’s the purpose of app permission policies? Well, this is going to basically let you go through and control exactly what applications are available within Teams, okay? You can essentially go through and allow or block specific apps that you want. The apps can be published by Microsoft, they can be third party, they can even be what are called LOB, or line-of-business, apps. When you block an application, the users who are affected by the policy are not going to be able to add any apps from the Teams app store. Okay? Now there is one requirement here that’s important to note. This is important in the real world, obviously, as well as on the exam, and that is that you must be a global admin or a Teams service admin in order to manage these policies.

Okay? Now another thing of note here is that when you manage your app policies, you’re going to do this through the Teams Admin Center. There’s going to be a global, org-wide default policy that you can edit, or you can create and assign a custom policy if you want. Okay? Now the other thing of note here is that users in your organization are essentially going to get that global policy by default unless you create a custom policy. All right, one more thing of note here is that whenever you do go through and edit a policy, it can take a few hours before this is going to take effect. This is definitely one of those hurry-up-and-wait things with Teams. You’re going to implement it, but it’s not going to happen immediately.

Okay, so what are your policy defaults? So when you go into the global policy, you’ll notice that you have a screen here that says Global on it. And then you’ll see there are three little options there: Microsoft apps, third-party apps, and custom apps. And you can configure those global policies through that screen, which I’m going to show you coming up here in just a minute in this next little lesson. All right? Now another thing that’s important to understand here: in your organization, if you’ve got Teams and you’ve configured your tenant-wide settings in Microsoft 365, those are going to automatically take effect inside of Teams right out of the gate. So whatever you’ve set through the Microsoft 365 Admin Center is also going to take effect inside Teams.

Okay? And then the other thing of note here is that if you’ve just set up Teams and you’re new to Teams, basically by default, all apps are just going to be allowed. So unless you’ve restricted things, if you’ve just set up a new tenant and all of that, everything is just going to be allowed. So that’s definitely something to think about if you’re setting up Teams in your organization. All right? Now the other thing here again is that not only do we have that global default, org-wide policy that we can configure, we can create custom policies as well. Okay? So essentially, if we want, we create a custom policy. We can make that available to our groups of users. We can assign that to whatever groups we want, configure the permissions any way we want, and then assign those.

Okay, so one more thing here. I’d like to mention that you should make sure you’re aware that after you create a custom policy, you can’t change it if third-party apps are disabled in your org-wide app settings. If you’ve disabled third-party apps in org-wide settings, it will not allow you to change that policy. Okay? All right. So that gives you, hopefully, a good little understanding of what these app permission policies are. And in the next little lesson here, we’ll take a look at actually configuring it.

  2. Creating and Managing App Permission Policies

Okay, so let’s take a look now at our app permission policies. We’re going to start out here on portal.microsoft.com. We’re going to look to the left and go to the Teams Admin Center. As always, if it doesn’t show up, just click Show All and you’ll see it. So here we are in the Teams Admin Center. You’re going to see a little drop-down that says Teams apps. So we’re going to drop that down. And the first thing I want to show you is that you can actually block just individual apps if you want. All you’ve got to do is click on Manage Apps. So these are all the apps that Microsoft currently supports for Teams. You can kind of scroll down, and you’ll see it’s a pretty long list.

If you want to just deny a specific app, you can just click on the app and then you can just turn it off. All right, so you’ll see that it’s now blocked. Okay. Now as far as setting policies goes, we’re going to jump over to Permission policies and you’ll see that we have our Global (Org-wide default). So we’re going to go ahead and click on that. And here are our three different sections: Microsoft apps, third-party apps, and custom apps. So Microsoft apps, these are the apps from Microsoft and its partners that can be installed through Teams. Now if you drop down the list here, you’ve got allow all apps, and allow specific apps and block all others. So you can specify exactly which apps you want to allow.

All you’ve got to do is just search for a particular app here and you can allow it, and then it’ll block all others. You can block specific apps and allow all others, or just block all apps. Okay. So as far as these two right here, you sort of have to think about what is going to be easiest for you. If we’ve got a very small number of apps we want to allow, then it’s going to be better for us to say allow specific apps and block all others. If we’ve got the opposite of that, then it’s going to be block specific apps and allow all others. And of course if you just want to make it very cut and dried and say, hey, I’m going to deny everything, then you can block all. So you have that for Microsoft apps. Okay, you’ve also got third party.

All right, so these are third-party applications. You see you have the same options, and then finally custom apps. So custom apps are, again, what are known as custom LOB. LOB stands for line of business. So these are apps that could be created and built by your company’s developers or developers you’ve hired. Okay? So that is our global, org-wide policy. Now if we want, we can also go right here and click Add and we can create a custom one as well. If I wanted to apply this to a specific group or something like that, I could say Approved for Marketing or something, right? And so we could go through here and we could say allow specific apps for marketing.

We could add some apps that we want. Okay, I’m just going to throw one in there, like Azure Board, and click Allow, so we now allow that app, and then we can click Save. And we’ve now officially created our policy here. And then at that point, it’s a matter of applying it. So managing users and applying it. All right, granted you have the proper licensing and all that for Teams, you can then go and apply that. Remember, you also have to have the proper role, the roles that we talked about in the previous lesson and previous videos. But all in all, going through and creating these app permission policies is very straightforward and very easy to perform. And it applies just like most of the other policies you’ve already seen in Teams.

  3. Understanding App Setup Policies

So let’s talk about what that is. Now, as an administrator, you can control these policies and you can essentially customize Teams so that you highlight the apps that are most important for your users. So for things that you want to feature to your users, you can make those apps available and essentially make it so your users can pin apps that they want. Now, what is pinning apps? Pinning apps is going to basically showcase which apps users in your organization are going to need and make those available to your users. And those can be the built-in apps that Microsoft has. These can also be third-party apps.

They can be a line-of-business app that developers in your organization create. And you can also control whether users can pin apps if you want. Okay? Now the other thing is you can install apps on behalf of your users. You can choose which apps are going to be installed by default when the users open Teams. And the other thing of note here that’s important to understand is that app setup policies, again, aren’t really controlling which apps users can install. That’s done through app permissions. You’ve got to make sure that you don’t mix these two things up here, okay? This is just showcasing the apps that are going to be available for the users to pin, or you pinning them yourself.

You’re going to use app permissions to control whether somebody can actually install an application. So what does it look like when an app gets pinned? All right, well, if you are using the Teams desktop client, you’ll see it there on the left. You’ll see the pinning location of desktop apps. And then on the right, for the Teams mobile app on iOS and Android, you’ll see where apps will get pinned for those. So it’s either going to be on the left if it is a desktop client, or it’s going to be on the bottom if it is a mobile client. Okay? Now one more thing here: you have the org-wide policy for setup policies that you can configure, and that’s going to be your default, and your users are going to automatically be assigned to your org-wide policy.

And then if you want, you can actually create a custom policy as well. All right? So you can create and assign custom policies to different groups. Another thing that’s important to understand here is that you must be a global admin or Teams service admin in order to control these policies. But all in all, you’re going to find that the policy setup for app setup policies is going to be pretty straightforward, very similar to what we had with app permissions. And as far as assigning policies goes, it’s going to work just like most of the other policies that we’ve seen in Teams.

  4. Creating and Managing App Setup Policies

So now we’re going to take a look at our app setup policies, and you’re going to find that these are actually located in the same area as the permission policies for apps. So we’ll start out here on portal.microsoft.com. We’re going to go right into the Teams Admin Center here. All right, once we’re in the Teams Admin Center, we’re going to drop down where it says Teams apps. And then you’ll see the setup policies here. Now you’ve got a couple here. You’ve got the Global (Org-wide default). There’s a first line worker one. You can create a custom one, as I’ve done here with test. And then you can click Add if you want to create your own custom one, or if I want to edit the existing one, I can go to the global, org-wide one. And right here you’ll notice that Upload custom apps is turned off.

So right now you’re not allowing the ability to upload custom line-of-business apps. If you wanted to allow that, you can just turn that on. Okay? So right here it says choose which apps you want installed for your users, if you want to add an app here. So you can go through here and you can set this for global. Or if you’ve done a custom policy like I did earlier with app permissions, I’ve got one called Approved for Marketing. I could select that as well and configure for that. But I’m going to go global. And then if I wanted to search for specific apps here, I could search for specific apps that I want to go ahead and add. So I’ll just choose, let’s do this address, look app here. And then I’ll click Add.

And that’s now added in my global policy here as one of the apps. So it tells you here, this is going to be installed for your users. They also tell you, though, and remember, this is something I went over earlier, that all you’re doing with the setup policies is saying, okay, I’m going to make this app sort of stand out to my users. I’m going to make it so they can easily pin it if they want. But keep in mind, they can install other apps if you’ve got permissions that are available, and they tell you that right here. That’s where they’re warning you that users can still install other apps that they want, depending on how those apps are set up in permission policies. Now again, if you’re taking the exam, that’s important to know, okay? The setup policies are not what’s restricting things here.

So here are my pinned apps. All right, these are the ones that I’ve got pinned. If I wanted to go ahead and pin an app, I could actually have that app pinned if I wanted to. I’ve just got to search for that, and there we go. I’ll set that to my global, add, and that’s now a pinned app. Okay? So if I wanted to save this, I could. I’m not going to save that. But if you wanted to create a custom one, you can create a custom one just like we did with permissions: give it a name, set the configurations and save it. And at that point you can manage users, provided you’ve got the proper licensing and all that for Teams. You can specify groups and all that where you want to assign this stuff, but ultimately it works just like any other policy that we’ve got here in Teams. And hopefully you can see it’s pretty straightforward and isn’t too complicated to configure your app setup policies.
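The split between the two policy types can be checked mechanically. The following is an added example, not Microsoft's code or anything shown in the lessons: a simplified Python model of the four permission choices per app category that flags apps a setup policy pins but the user's permission policy does not allow. The policy, user and app names are constructed, and it assumes that an unset category means allow all and that an app blocked under Manage apps is blocked regardless of policy.

```python
from dataclasses import dataclass, field
CATEGORIES = ("microsoft", "third_party", "custom")

@dataclass(frozen=True)
class Rule:
    """One category's drop-down choice plus the app list that goes with it."""
    mode: str = "allow_all"  # allow_all | allow_specific | block_specific | block_all
    apps: frozenset = frozenset()

    def permits(self, app):
        if self.mode in ("allow_all", "block_all"):
            return self.mode == "allow_all"
        if self.mode == "allow_specific":
            return app in self.apps       # everything not listed is blocked
        if self.mode == "block_specific":
            return app not in self.apps   # everything not listed is allowed
        raise ValueError(f"unknown mode: {self.mode}")

@dataclass
class PermissionPolicy:
    name: str
    rules: dict = field(default_factory=dict)  # category -> Rule; unset = allow_all (assumption)

    def permits(self, app, category):
        if category not in CATEGORIES:
            raise ValueError(f"unknown category: {category}")
        return self.rules.get(category, Rule()).permits(app)

def can_install(user, app, category, assignments, policies, org_blocked=frozenset()):
    """Apply the user's custom policy if one is assigned, otherwise the global default."""
    if app in org_blocked:  # assumption: a Manage apps block wins over any policy
        return False
    return policies[assignments.get(user, "Global")].permits(app, category)

def pinned_but_blocked(user, pinned, assignments, policies, org_blocked=frozenset()):
    """Return apps a setup policy pins that the user's permission policy does not allow."""
    return [app for app, category in pinned
            if not can_install(user, app, category, assignments, policies, org_blocked)]

# Constructed sample tenant: user, app and policy data are illustrative only.
POLICIES = {
    "Global": PermissionPolicy("Global"),  # new tenant default: all apps allowed
    "Approved for Marketing": PermissionPolicy("Approved for Marketing", {
        "microsoft": Rule("allow_specific", frozenset({"Azure Boards"})),
        "third_party": Rule("block_all"),
    }),
}
ASSIGNMENTS = {"alice@example.com": "Approved for Marketing"}
PINNED = [("Azure Boards", "microsoft"), ("ExampleCRM", "third_party")]
```

Calling `pinned_but_blocked("alice@example.com", PINNED, ASSIGNMENTS, POLICIES)` reports the pinned third-party app, because the marketing policy blocks that whole category; a user with no custom assignment falls back to the allow-all global default.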
