2021 Annual Petri Reader Survey - We want to know what's important to you! 2021 Annual Petri Reader Survey - We want to know what's important to you!
Microsoft Teams|Office|Office 365|Security|Security & Compliance

Understanding the new Granular Permissions for App Access to Teams data

Microsoft announced in the message center this week that resource-specific content will roll-out to tenants, beginning mid-August. This opens the door for installing richer applications than you would have previously considered approving and allows self-service installation by Team owners.

Teams applications based on the Graph API to read and write content within a Team, such as full team membership, channel structure, chats and files, were often difficult to deploy. This is because an application was not able to limit its request to access data for only that specific team.

Instead, an administrator needed to grant access to the application for all Microsoft 365 Groups data, creating both a potential security risk and work for  administrators who processed access requests for routine application access by users.

Image #1 Expand
Figure 1: Admin approval process for granting full access to an app (image credit: Microsoft)

This would mean that if a user wanted to add a Team-specific application, such as one that provided specific capabilities only applicable to their team, the administrator would need to grant access to that application at a tenant-level, providing access to all messages, channels, membership list, files, calendar, and plans.

The resource-specific content model is the solution to this problem and provides the opportunity for Teams application developers to design applications that can request specific permissions related to the resource, such as a particular Team, that they are trying to access.

Applications designed to take advantage of this model request permissions when they are added to the Team itself, as part of the normal installation process by a Team owner:

Image #2 Expand
Figure 2: User process to add a new app using the resource-specific consent model (image credit: Microsoft)

Application developers can now create applications with granular permissions, including the ability to be read-only for settings, channels, or messages; or have specific create, update and delete abilities, such as the ability to edit the Team’s settings, configure tabs, manage memberships and manage channels.

This potentially opens additional concerns regarding the type of applications that users may choose to install, especially if the applications have not been pre-approved by the business before end-users install them.

Additionally, even for previously trusted applications, the storage of data in their services – outside of the boundaries of Microsoft 365, may be undesirable.

The defaults for resource-specific consent are designed to follow existing settings you may have configured for Azure AD. Therefore, if you already allow a user to provide consent to applications accessing company data, then this new capability will be enabled by default.

If you are following what many other organizations are doing and preventing users from consenting to applications at a user level, the good news is that resource-specific consent will be disabled by default.

These Azure AD level settings are found in the Azure AD Portal, within Enterprise applications, under user consent settings. The defaults are shown below:

Image #3 Expand
Figure 3: Configuring Azure AD settings to allow or disallow the resource-specific consent model (image credit: Steve Goodman)

The specific settings that affect Teams resource-specific consent are the group owner consent for apps accessing data.

You can update these new settings in advance of resource-specific consent roll-out to either:

  • Do not allow group owner consent
  • Allow group owner consent for selected group owners
  • Or leave the default – allow group owner consent for all group owners.

Given the impact of allowing users to provide consent to potentially any application, it is worth considering whether you wish the default to remain as-is, and instead consider whether it’s worth limiting this capability to a particular set of group owners.

Additionally, if you do plan to allow consent to be given, ensure you take time to review the Teams applications available to the organization in the Teams Admin Center. You can block applications that do not meet your security policies, and ensure new applications are not automatically approved at an organization level within the Manage Apps section:

Image #4 Expand
Figure 4: Configuring settings for organization access to Teams apps (image credit: Steve Goodman)

If there are applications that only certain groups of users within your organization need access to, you can then restrict applications using App Permission Policies. These will allow you to create policies only allowing approved applications for user access.

Image #5 Expand
Figure 5: Allowing or disallowing app access for specific users via policy (image credit: Steve Goodman)

By combining the ability to review at an organization-level the applications that are safe, then restrict by a particular team the allowed applications – and ensure that only specific users can consent to allowing safe applications resource-specific consent, you can make sure that your users can take advantage of these great new capabilities for Teams applications safely.


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

Technology Writer for Petri, focused on Microsoft Teams and UC news. A nine-time Microsoft MVP, author of several Exchange Server books and regular conference speaker, including at Microsoft conferences including Ignite, TechEd and Future Decoded. Steve has worked with Microsoft technology for over 20 years beginning and has been writing about Exchange and the earliest iterations of Office 365 since its inception. As Principal Technology Strategist at Content+Cloud, Steve helps customers plan their digital transformation journey and gets hands on with Microsoft Teams, Exchange and Identity projects.

Register for the Hybrid Identity Protection (HIP) Europe Conference!

Hybrid Identity Protection (HIP) Europe 2021 - Virtual Conference

Mobile workforces, cloud applications, and digitalization are changing every aspect of the modern enterprise. And with radical transformation come new business risks. Hybrid Identity Protection (HIP) is the premier educational forum for identity-centric practitioners. At the inaugural HIP Europe, join your local IAM experts and Microsoft MVPs to learn all the latest from the Hybrid Identity world.