Teams Real Simple with Pictures: Granting Org Wide Admin Consent to an App

To all my friends and readers from the US - happy Independence Day! And to everyone else, I hope you are enjoying the summer. It's nearly time for a break. But unlike my Scandinavian friends Vesa Nopanen and Adam Deltinger, who are taking a month off - a month! (they tell me it's cultural) - I still have a few weeks of grafting. Well, not all graft, since Microsoft Inspire is here on the 14th, and since I am going as an attendee it'll be enjoyable to just kick back and watch some sessions; something I have rarely done the last few years as I have been doing lots of speaking and moderating.

So after focusing on Stream and the new web experience last week, I am going to jump back into Teams this week. I originally thought about writing on Teams Meeting Recordings since I have an upcoming talk at the end of the month on exactly this. Yet something caught my eye in the Teams Admin Centre (TAC) and you know me... I thought I just have to write it. TMRs can wait.

Now this functionality is called Org Wide Admin Consent to an App. Sounds abstract, right? Yeah. In layman's terms, it's all about allowing apps permission to do what they need to do in your environment on behalf of users. Examples would include the ability for an app to read information stored in a team, for an app to read a user's profile, for an app to send an email on behalf of users and so on.

Typically, when a user adds an app from the Teams App Store or starts using a custom or third-party app, they have to grant the app permission. So administrators doing it on their users' behalf can be beneficial. Why? First, it saves time, potentially a lot of confusion, and makes the process of adding an app much more user friendly. Secondly, for the admin it gives them more control of apps and another tool alongside blocking, app permissions and custom app configuration. Third, users may not even be allowed to give consent, as the admin may have locked this down already in Azure AD as part of their enterprise app configuration.

Now, some things to know right off the bat. First, org wide admin consent to an app can only be done by a global admin - not even the Teams Service Admin can do it. Secondly, it applies only to custom and third-party apps. Microsoft's own apps are exempt. Finally, org wide admin consent to an app is a much broader brush than resource specific consent (RSC), which is granular and applies to specific teams, so careful review has to be given before applying it. Sound good? Let's get going.
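To make the "careful review" point concrete, here is an added example (not part of the original post) that separates org wide grants from per-user grants and flags broad scopes on the org wide ones. It assumes the grants were exported in the shape of Microsoft Graph `oauth2PermissionGrant` objects; the app IDs, the sample data and the `REVIEW_SCOPES` list are constructed for illustration.

```python
import json

# Constructed sample shaped like Microsoft Graph oauth2PermissionGrant objects
# (fields: clientId, consentType, principalId, scope). All IDs are made up.
SAMPLE_GRANTS = json.loads("""
[
  {"clientId": "app-aaaa", "consentType": "AllPrincipals", "principalId": null,
   "scope": "User.Read Mail.Send"},
  {"clientId": "app-bbbb", "consentType": "Principal", "principalId": "user-1111",
   "scope": "User.Read"},
  {"clientId": "app-cccc", "consentType": "AllPrincipals", "principalId": null,
   "scope": " User.Read  Group.Read.All"},
  {"clientId": "app-dddd", "consentType": "AllPrincipals", "principalId": null,
   "scope": "User.Read"}
]
""")

# Assumption: scopes this reviewer wants a second look at before org wide consent.
# Adjust to your own policy; this list is illustrative, not Microsoft guidance.
REVIEW_SCOPES = {"mail.send", "group.read.all", "files.readwrite.all"}


def split_scopes(scope_string):
    """Graph stores delegated scopes as one space-separated string."""
    return [s for s in (scope_string or "").split() if s]


def review_grants(grants, review_scopes=REVIEW_SCOPES):
    """Return one finding per grant: who it covers and which scopes need review."""
    findings = []
    for g in grants:
        org_wide = g.get("consentType") == "AllPrincipals"
        scopes = split_scopes(g.get("scope"))
        flagged = sorted(s for s in scopes if s.lower() in review_scopes)
        findings.append({
            "app": g.get("clientId"),
            "covers": "all users" if org_wide else g.get("principalId"),
            "scopes": scopes,
            # Only org wide grants are escalated: they apply to every user at once.
            "needs_review": org_wide and bool(flagged),
            "flagged_scopes": flagged if org_wide else [],
        })
    return findings


if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS):
        mark = "REVIEW" if f["needs_review"] else "ok"
        print(f"{mark:6} {f['app']} covers={f['covers']} flagged={f['flagged_scopes']}")
```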