Org-Wide App Settings and App Permission Policies
Org-wide app settings act as a master switch controlling whether third-party apps, custom apps, and Microsoft apps can be installed in Teams at all across the tenant. Beneath that, app permission policies govern which specific apps, categorized as Microsoft apps, third-party apps, or custom apps, individual users or groups are allowed to install, are blocked from installing, or must have explicitly approved by an admin. A block always takes precedence over an allow when an app appears on both a policy's allow and block list simultaneously.
Cricket analogy: A stadium's master gate switch decides if any spectators enter at all, but individual turnstile rules then decide which ticket categories, general admission versus premium box, are allowed through, just as org-wide app settings gate everything before app permission policies filter specific apps.
Custom App Permission Policies and Publisher Verification
Admins create custom app permission policies that specify allowed and blocked apps per category, and can assign a different policy to, for example, the legal department versus the sales department. Publisher verification, shown as a blue verified badge earned through Microsoft 365 Publisher Attestation or Partner Center identity verification, signals that an app's publisher completed identity and security attestation, giving admins a stronger signal before allowing an app tenant-wide, especially for apps requesting broad Microsoft Graph permissions.
Cricket analogy: A cricket board granting a broadcaster full stadium access only after they pass an accreditation and background check mirrors how Teams admins lean on publisher verification before allowing an app broad Graph permissions.
# Create a custom app permission policy that blocks all third-party apps by default
New-CsTeamsAppPermissionPolicy -Identity "RestrictedThirdPartyApps" `
-DefaultCatalogAppsType AllowedAppList `
-GlobalCatalogAppsType BlockedAppList
# Allow a specific, publisher-verified third-party app for this policy
Set-CsTeamsAppPermissionPolicy -Identity "RestrictedThirdPartyApps" `
-GlobalCatalogApps @(New-CsTeamsAppPermissionPolicyAppItem -AppId "com.example.reportingbot" -Action Allow)
# Assign the custom policy to the legal department security group
New-CsGroupPolicyAssignment -GroupId "8a1c2d3e-..." `
-PolicyType "TeamsAppPermissionPolicy" `
-PolicyName "RestrictedThirdPartyApps" `
-Rank 1
Microsoft Defender for Cloud Apps Governance
The App governance add-on, part of Microsoft Defender for Cloud Apps, continuously evaluates OAuth-consented apps registered in Microsoft Entra ID and calculates a risk score based on the sensitivity of the Microsoft Graph permissions they hold, such as Mail.ReadWrite or Files.ReadWrite.All being far riskier than User.Read. It surfaces anomaly alerts, for example an app suddenly calling Graph from an unfamiliar country, and lets admins configure automated policies that alert on, or automatically revoke, tokens for apps deemed over-privileged or behaving suspiciously.
Cricket analogy: A team's analytics department flagging a data vendor that suddenly requests access to injury medical records instead of just match statistics mirrors how App governance flags an app requesting Graph permissions far beyond its stated purpose.
App governance risk scores factor in: the sensitivity tier of requested Graph permissions, how many users consented, whether the publisher is verified, and behavioral anomalies such as unusual sign-in locations or a spike in API calls.
Least Privilege for Custom and Line-of-Business Apps
When publishing internal line-of-business Teams apps, developers should request the narrowest Microsoft Graph scopes needed for the feature, for instance requesting Chat.Read instead of Chat.ReadWrite for a bot that only summarizes conversations. Admins should route consent requests for apps needing high-privilege, tenant-wide, or admin-consent-required permissions through the admin consent workflow in Entra ID rather than allowing individual users to consent, since user consent for sensitive scopes bypasses centralized security review.
Cricket analogy: A team analyst requesting read-only access to match footage instead of write access to the official scoring system mirrors how a Teams bot should request Chat.Read rather than Chat.ReadWrite when it only needs to summarize conversations.
Allowing individual users to consent to apps requesting high-privilege Graph permissions, such as full mailbox or Files.ReadWrite.All access, creates a shadow IT risk: a convincing phishing-style consent screen can trick a user into granting an attacker-controlled app persistent data access. Disable user consent for high-risk permissions tenant-wide and route those requests through admin consent.
- Org-wide app settings act as a master toggle; app permission policies then refine which specific apps individual users or groups can use.
- When an app is on both an allow list and a block list, the block always wins.
- Publisher verification (Partner Center / Publisher Attestation) signals that an app's identity was independently vetted before broad approval.
- The App governance add-on in Defender for Cloud Apps risk-scores OAuth-consented apps based on Graph permission sensitivity and behavioral anomalies.
- Internal LOB Teams apps should request the narrowest Graph scope that satisfies the feature, e.g., Chat.Read instead of Chat.ReadWrite.
- High-privilege permission requests should go through the admin consent workflow rather than user consent.
- Disabling user consent for risky permission tiers tenant-wide reduces shadow-IT and data-exfiltration risk.
Practice what you learned
1. If an app appears on both the allow list and the block list within the same app permission policy, what is the result?
2. What does a Microsoft 365 publisher-verified badge on a Teams app primarily indicate?
3. Which Microsoft Graph permission request pattern would most likely raise an App governance risk alert?
4. Why should high-privilege Graph permission requests be routed through the admin consent workflow instead of user consent?
5. What is the relationship between org-wide app settings and app permission policies?
Was this page helpful?
You May Also Like
Managing Teams Policies
Learn how to configure and assign messaging, meeting, calling, and update policies in the Teams admin center and via PowerShell to control the user experience at scale.
Teams Lifecycle Management
Govern how teams are created, named, expired, archived, and deleted across their full lifecycle using Microsoft 365 Group policies, templates, and retention.
Reporting and Usage Analytics
Understand the Teams admin center's usage reports, Call Quality Dashboard versus Call Analytics, the Graph reports API, and the privacy considerations around identifiable usage data.
Related Reading
Related Study Notes in Microsoft Technologies
Browse all study notesWindows 10 / UWP Development Study Notes
.NET · 30 topics
Microsoft TechnologiesWindows Batch Scripting Study Notes
Batch · 30 topics
Microsoft TechnologiesMFC (Microsoft Foundation Classes) Study Notes
C++ · 30 topics
Microsoft TechnologiesSilverlight Study Notes
.NET · 30 topics
Microsoft TechnologiesXAML Study Notes
.NET · 30 topics
Microsoft TechnologiesWPF (Windows Presentation Foundation) Study Notes
.NET · 30 topics