App-Centric Management
The way administrators manage apps in Microsoft 365 is changing with additional improvements on the horizon. App permissions policies in Teams Admin Center are being replaced by “App-Centric Management”, and management of apps working across multiple products, such as Outlook and Teams, will be consolidated.
In this article, I will explain what App-Centric Management is, how Integrated Apps work and how Unified App Management differs from earlier methods.
Challenges With App Permission Policies
Before the introduction of App-Centric Management, Teams relied on App Permission Policies to control app access in Teams.
- Each app had an allow or block status set by the administrator. A blocked app was completely unavailable to users.
- To target apps to specific users, administrators created app permission policies. Each policy was a list of allowed and blocked apps, which could be assigned to users or groups. Users got whichever apps their assigned policy allowed (besides those globally blocked).
App Permission Policies were effective for smaller organizations that primarily used org-wide policies with occasional exceptions. However, managing these policies quickly became challenging, especially since each user could only have one app permission policy assigned.
App-Centric Management
With App-Centric Management, Microsoft flips the perspective. Instead of assigning apps per user, administrators assign users or groups per app. For every app in the Teams Admin Center, there are three availability options to choose from:
- Everyone – The app is available to all users in the organization. This includes any new users by default.
- Specific users or groups – Only specified users can use the app. Individual users, security groups, M365 groups or distribution lists can be used to set the scope.
- No one – The app is disabled for all users. This is the new way to block an app entirely.
The above options cover every scenario that App Permission Policies can accomplish, but in a much simpler and clearer way. There’s no need to create or assign multiple custom policies since the apps themselves store the availability to users.
Benefits of App-Centric Management
For administrators, this new approach offers several benefits:
- Granular and Clear Access Control: You can target specific groups or users for an app without creating custom special-case policies.
- Quicker Changes: Changes to App Permission Policies could take many hours to propagate. The new model is designed for much faster propagation, which means less waiting.
- Easier administration: Administrators can easily add new applications and manage them without significant effort and without complexity.
Migration To App-Centric Management
Microsoft has started auto-migrating tenants from App Permission Policies to App-Centric Management in multiple phases. As part of phase one, organizations with no custom App Permission Policies have begun to auto-migrate. In phase two, administrators can initiate a migration themselves using a Microsoft-assisted approach, where access for each app is matched from the existing App Permission Policies to App-Centric Management. It is important to note that once the migration has been completed, there is no way back to App Permission Policies. In the upcoming phase three, Microsoft will auto-migrate all remaining tenants.
I recommend reading Microsoft’s documentation before migrating to ensure a smooth transition, and following any updates to Message Center post “MC688930”.
Once a tenant has been migrated, administrators manage all apps and their availability from the Teams Admin Center > Teams apps > Manage apps.
The allow/block settings are replaced by the availability options once App-Centric Management is enabled. Previously blocked apps now show as “unblocked” but will have the availability option set as “no one”.

Select any app in the list and click “Edit availability” to configure any of the above-mentioned options (Everyone, Specific, and No one). If needed, search and add the specific groups or users that should be allowed to use the app. There are no conflicting policies to worry about or further required steps for deployment.
For default app availability settings, the Org-wide app settings are still present and accessible from the action button in the upper right corner. To default any existing or new third-party apps to “No one”, set “Allow users to use new third-party apps by default” to “Off”. To trust apps published by Microsoft and reduce administrative overhead, leave the “Microsoft apps” toggle set to “On”. Any app configured using the “Specific” scope will override any org-wide default settings.
Previous org-wide app settings are kept after the migration to App-Centric Management, and any custom-configured app will be excluded from the org-wide defaults.

To view available apps for a user, go to “Manage users” in Teams Admin Center and select “Apps” from the menu.

View and Edit App Availability with PowerShell
Connect to the Microsoft Teams module:
Connect-MicrosoftTeams
Run the following cmdlet to return a list of all Teams apps with their statuses:
Get-AllM365TeamsApps | Select-Object -Property Id, IsBlocked -ExpandProperty AvailableTo

To view the availability for a specific app, run the following cmdlet:
Get-M365TeamsApp -Id <appId> | Select-Object -Property Id -ExpandProperty AvailableTo
To add users or groups to an app, use the cmdlet:
Update-M365TeamsApp -Id <appId> -AppAssignmentType UsersAndGroups -OperationType Add -Users <userId>
Update-M365TeamsApp -Id <appId> -AppAssignmentType UsersAndGroups -OperationType Add -Groups <groupId>
The “AppAssignmentType” value can be changed to “Everyone” or “Noone”:
Update-M365TeamsApp -Id <appId> -AppAssignmentType <Everyone/Noone>
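The cmdlets above can be combined into a read-only availability review that shows which apps are open to everyone (and therefore to guests) and how wide each “Specific users or groups” scope is. This is an added example, not code from the original article; the function name and output file name are hypothetical, and the AssignmentType, Users and Groups property names under AvailableTo are assumptions about the module's output objects.

```powershell
# Added example: read-only review of Teams app availability.
# Run Connect-MicrosoftTeams first. Property names under AvailableTo
# (AssignmentType, Users, Groups) are assumptions about the returned objects.
function Get-TeamsAppAvailabilityReport {
    [CmdletBinding()]
    param()

    foreach ($app in Get-AllM365TeamsApps) {
        $type   = [string]$app.AvailableTo.AssignmentType
        $users  = 0
        $groups = 0

        if ($type -eq 'UsersAndGroups') {
            # The bulk listing only carries the assignment type, so fetch the
            # scoped users and groups per app. Null entries are filtered out
            # so an empty scope counts as 0 rather than 1.
            $detail = Get-M365TeamsApp -Id $app.Id
            $users  = @($detail.AvailableTo.Users  | Where-Object { $null -ne $_ }).Count
            $groups = @($detail.AvailableTo.Groups | Where-Object { $null -ne $_ }).Count
        }

        [pscustomobject]@{
            Id             = $app.Id
            IsBlocked      = $app.IsBlocked
            AssignmentType = $type
            ScopedUsers    = $users
            ScopedGroups   = $groups
            # Per the article's limitations, guests only get an app when its
            # availability is "Everyone"; scoped apps never reach guests.
            GuestsIncluded = ($type -eq 'Everyone')
        }
    }
}

$report = Get-TeamsAppAvailabilityReport

# Summary: how many apps sit in each availability bucket.
$report | Group-Object AssignmentType | Select-Object Name, Count

# Apps that guests can reach, for review against the org-wide defaults.
$report | Where-Object GuestsIncluded | Sort-Object Id | Format-Table Id, IsBlocked

# Keep a dated snapshot to diff against after migration or policy changes.
$report | Export-Csv -Path .\teams-app-availability.csv -NoTypeInformation
```

The script changes nothing in the tenant; it only calls the Get- cmdlets shown above.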
App-Centric Management Limitations
Administrators should be aware of a few limitations.
- If an app is restricted to specific users or groups, any guest accounts in those groups will not be included. Guests only get access to an app if the availability is set to “Everyone.”
- The following groups are currently not supported for app scoping: non-mail-enabled security groups, dynamic distribution groups, and nested groups.
- You can only add up to 99 users or groups to an app at a time.
Integrated Apps Page In Admin Center
Apart from being present in Teams, many apps can be made available in other Microsoft 365 products like Outlook and Word. Any cross-platform app can be configured by administrators in two places. The configuration in Teams Admin Center is solely responsible for Teams and won’t have any effect on the availability in other parts of Microsoft 365. The Integrated Apps page in the M365 Admin Center is where apps are controlled for other parts of Microsoft 365.
An app allowed in Teams might still be blocked in Outlook if not separately enabled from the Integrated apps page. This dual-management model can create confusion and policy drift, ending up with users having inconsistent experiences.
Unified App Management
To streamline app management, Microsoft announced Unified App Management back in 2023. It allows administrators to manage app availability and deployment across Teams and Microsoft 365 from a single place. A setting changed in one admin portal automatically syncs to the other.
This unified approach means that administrators will no longer need to remember to configure apps from both the Teams admin portal and the M365 Integrated apps page. For example, disabling “Allow user installs for new third-party apps” in Teams Admin Center will reflect the same within Integrated apps, and vice versa.
Further, if a specific app is allowed or blocked, it will have the same impact within all products the app works in.
Currently On Hold
Originally, Microsoft was supposed to perform a two-phase rollout of Unified App Management, starting with tenants that have no custom app configurations and have completed the migration to App-Centric Management. Unfortunately, Microsoft recently announced that the rollout is currently on hold, with further information expected shortly.
Follow any updates for the Message Center post “MC796790”.
Meanwhile, Microsoft has updated both Manage apps in Teams Admin Center and the Integrated Apps page in M365 Admin Center to prepare for Unified App Management. There is a new column available in both locations listing which products an app can be made available in. This is an important change to be able to use a single location to manage apps for all products. When Unified App Management is rolled out, all listed products will be affected by any configuration made for that app, regardless of the location where it is made. For now, administrators need to manage apps in both places.


Unified App Management assumes that if an app is allowed, it is allowed on all products it supports. Organizations may want to enable an app in Teams only and not in other products or vice versa. Unified App Management will not support these scenarios at the start, according to Microsoft.
Conclusion
The move to App-Centric Management for Teams apps is a big step up for Teams administrators. It brings more simplicity by managing availability on the apps themselves, unlike App Permission Policies, where policies are assigned at the user level. The key benefits are easier governance and flexibility to better tailor app access to business needs.
Once Unified App Management is available, administrators will have a consolidated place for all Microsoft 365 apps. However, stay aware of any current limitations. I expect future improvements like more guest controls, bulk operations for App-Centric Management, and a solution for the all-or-nothing nature of cross-platform apps. Nonetheless, Microsoft 365 and Teams administrators will find it much easier to balance enabling productivity with apps and maintaining control in their tenant.