This blog is part of a series on Teams. For more articles, check back often

Written: 04/07/2021 | Updated: N/A

To all my friends and readers from the US – happy Independence Day! And to everyone else, I hope you are enjoying the summer. It’s nearly time for a break. But unlike my Scandinavian friends Vesa Nopanen and Adam Deltinger, who are taking a month off – a month! (they tell me it’s cultural), I still have a few weeks of grafting. Well, not all graft, since Microsoft Inspire is here on the 14th and, as I am going as an attendee, it’ll be enjoyable to just kick back and watch some sessions; something I have rarely done in the last few years as I have been doing lots of speaking and moderating. So after focusing on Stream and the new web experience last week, I am going to jump back into Teams this week. I originally thought about writing on Teams Meeting Recordings since I have an upcoming talk at the end of the month on exactly this. Yet something caught my eye in the Teams Admin Centre (TAC) and you know me…I thought I just have to write it; TMRs can wait. This functionality is called Org Wide Admin Consent to an App. Sounds abstract, right? Yeah. In layman’s terms, it’s all about granting apps the permissions they need to do what they do in your environment on behalf of users. Examples include the ability for an app to read information stored in a team, to read a user’s profile, to send an email on behalf of users, and so on. Typically, when a user adds an app from the Teams App Store or starts using a custom or third party app, they have to grant the app permission themselves. So administrators doing it on their users’ behalf can be beneficial. Why? It saves time, avoids a lot of potential confusion and makes the process of adding an app much more user friendly. Secondly, it gives the admin more control over apps and another tool alongside blocking, app permissions and custom app configuration. Third, users may not even be allowed to give consent, as the admin may already have locked this down in Azure AD as part of their enterprise app configuration.
Now, some things to know right off the bat: org wide admin consent to an app can only be done by a global admin – not even the Teams Service Admin can do it. Secondly, it applies only to custom and third party apps; Microsoft’s own apps are exempt. Finally, org wide admin consent to an app is a much broader brush than resource specific consent (RSC), which is granular and applies to specific teams, so careful review has to be given before applying it. Sound good? Let’s get going.

This blog will cover

  • What issues org wide admin consent to an app solves
  • Applying org wide admin consent to an app
  • Can I remove org wide admin consent to an app
  • What if I want to only give specific users admin consent to an app?

Note that this blog has abridged steps which assume some experience with Teams, Azure AD and navigating the Microsoft 365 environment.

Pre-requisites

  • Global Admin Permissions
  • Teams Licence (In an Office/Microsoft 365 Subscription) for testing

WHAT ISSUES ORG-WIDE ADMIN CONSENT TO AN APP SOLVES

Org wide admin consent to an app solves two potential issues. This list is not exhaustive – there may well be more.

1.) The first potential issue is every user having to grant the app permission to do what it needs to do on their behalf. Imagine a user in my org wants to add and start using the app Polly. They would first go to the app store by selecting Apps in the Teams client

2.) They would search for and select Polly

3.) In this scenario they would be adding Polly to a team; from the drop-down they select Add to a Team

4.) They search for and select the team and channel, then select Set up

5.) The app then notifies the user that it will ask for permissions; the user selects Continue

6.) This is the critical point. The app now asks the user for permissions, which include the user’s name, picture and username, as well as maintaining access to the data you have given it access to (e.g. poll data, since Polly is a polling app). Some apps ask for more permissions. But the point is, every user who uses the Polly app will need to complete this. The first screenshot is from the user adding Polly to Teams; the second is another user accessing Polly in the team for the first time. This can create complexity for users, or for the admin who may be rolling out Polly. This is the first scenario org wide admin consent for an app resolves

7.) The second scenario is that the admin may have already turned off the ability for users and group owners to consent to apps in Azure AD. As the global admin, log into the Microsoft 365 Admin Centre and select Azure Active Directory

8.) Select Azure Active Directory

9.) Select Enterprise Applications

10.) Select Consent and Permissions

11.) If users and group owners are not allowed to consent to apps accessing data and performing actions on their behalf, then org-wide admin consent to an app is the only way users will be able to add and use those apps. Below shows what happens when a user who cannot give consent tries to use the app and consent has not been given by the administrator

APPLYING ORG WIDE ADMIN CONSENT TO AN APP

Having shown why org wide admin consent to an app is needed, let’s apply it.

1.) Log into https://login.microsoftonline.com with global admin permissions

2.) Select Admin from the App Launcher

3.) In the Microsoft 365 Admin Centre on the left navigation select Teams

4.) In the Teams Admin Centre select Apps and then Manage Apps

5.) Search for and select the app. This example will again use Polly. Note that apps you can do this for will show View Details in the Permissions column; not all Teams apps have this currently

6.) Select the Permissions tab

7.) Select the button Review Permissions and Consent

8.) You will get asked to authenticate with global admin credentials

9.) Review and Accept

10.) Permissions are now granted, as shown by a green header and by Org Wide Permissions now stating that permissions have been granted

11.) In Teams, the user who previously had issues accessing Polly can now do so without being asked to consent

CAN I REMOVE ORG WIDE ADMIN CONSENT TO AN APP?

Now that we have successfully applied org wide admin consent to an app, in this case Polly, can we remove that consent? We might want to because we don’t want to use the app anymore, it was granted in error, or we simply had a rethink on the permissions the app has. The answer is yes, but not in the Teams Admin Centre.

1.) In the Microsoft 365 Admin Centre select Azure Active Directory

2.) Select Azure Active Directory

3.) Select Enterprise Applications

4.) Select the app to remove permissions from

5.) Select Permissions

6.) Select Review Permissions

7.) Select I want to control access to this application and follow the instructions, which include requiring user assignment in Properties and removing all users in Users and Groups

8.) Then select This application has more permissions than I want and use the PowerShell script provided to revoke all permissions the application has

9.) As a follow up, you may decide to block the app, and even delete it from Azure AD
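A Microsoft Graph PowerShell script, added here as an example rather than the portal’s own revoke script, that first lists every grant the app holds (the ConsentType "AllPrincipals" rows are the org-wide consent the TAC button creates; "Principal" rows are individual user consents) and only revokes them when run with -Revoke. It assumes the Microsoft.Graph module is installed, a Global Admin sign-in, and that "Polly" is the app’s display name under Enterprise Applications.

```powershell
# Added example (not the blog's steps or Microsoft's portal script): audit, and
# optionally revoke, the consent an enterprise app holds via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the caller is a Global Admin.
param(
    [string]$AppDisplayName = "Polly",   # display name as shown under Enterprise Applications
    [switch]$Revoke                       # without this switch the script only reports
)

Connect-MgGraph -Scopes "Application.Read.All","DelegatedPermissionGrant.ReadWrite.All","AppRoleAssignment.ReadWrite.All"

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No service principal named '$AppDisplayName' in this tenant" }
if ($sp.Count -gt 1) { throw "More than one service principal matches '$AppDisplayName'; filter on appId instead" }

# Delegated permissions. ConsentType 'AllPrincipals' = org-wide admin consent (no PrincipalId);
# 'Principal' = a consent given by one user (PrincipalId is that user's object id).
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
foreach ($g in $grants) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    "{0,-14} {1,-40} {2}" -f $g.ConsentType, $resource.DisplayName, $g.Scope
}

# Application permissions (the app acts without a signed-in user); always admin-consented.
$roles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
foreach ($r in $roles) {
    "{0,-14} {1,-40} roleId {2}" -f "Application", $r.ResourceDisplayName, $r.AppRoleId
}

if ($Revoke) {
    # Same effect as the portal's 'more permissions than I want' script: remove every
    # delegated grant (org-wide and per-user) and every application permission.
    foreach ($g in $grants) { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id }
    foreach ($r in $roles) {
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $r.Id
    }
    "Revoked $($grants.Count) delegated grant(s) and $($roles.Count) application permission(s) from $AppDisplayName"
}
```

Run it without -Revoke first and keep the output as the record of what the app could do before you removed it; the Review Permissions page in the portal should show the same rows.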

WHAT IF I WANT TO ONLY GIVE SPECIFIC USERS ADMIN CONSENT TO AN APP?

Finally, the obvious question is: what if an organisation likes admin driven consent for apps but doesn’t want to give it org wide? We can achieve this, but using Azure AD rather than org wide admin consent via the TAC.

1.) In Azure AD ensure user consent is turned off

2.) Ensure in the User Settings that Admin Consent requests are configured, including the request expiry

3.) The user can then request consent from the administrator by entering a business justification and selecting Request approval

4.) The admin gets an email asking them to review the request

5.) The admin can then approve or deny the consent in Azure AD on a case by case basis

CONCLUSION

Our job here is done

Org wide admin consent for an app is another useful tool to have in the box for managing Microsoft Teams apps, alongside resource specific consent, approving/blocking and app permission policies in the Teams Admin Centre. If a custom or third party app is approved by the organisation and all users need to use it, or if user consent is locked down by administrators due to their security or compliance posture, it can be a solution to these scenarios, saving users and admins lots of time and improving the app experience in Teams. Of course, it won’t fit all scenarios; if only a specific set of users within the organisation need admin consent, then we can always fall back to Azure AD, which handles this scenario too. What is important is that our ability to control apps within Microsoft Teams is improving all the time. As more and more apps are put into Teams, and the more we use Teams as a platform, the more we need the ability to manage a.) what apps we want to use and b.) what apps we permit to access our data and act on our users’ behalf.
