Deploying and Managing Apps

The document outlines a framework for deploying and managing applications within Microsoft Teams, emphasizing the importance of a formal process to address security, compliance, and user access. It details the app lifecycle from evaluation to end-of-life, and provides insights into managing user experience and permissions. Additionally, it highlights Microsoft's internal processes for app management and compliance, serving as a guide for organizations looking to enhance their Teams app strategy.

Deploying and managing apps for Teams
Introduction
The use of business applications in Microsoft Teams has become strategic for all
organizations, as it accelerates the digital transformation of all business areas, generating
a very high demand for the IT Team to make these applications available.

The use of apps for Microsoft Teams can be challenging for the IT Team, as there is a
need to address many different topics (Security, Compliance, Access Permissions,
Connectivity, others) and this can involve several teams.

This deck was developed to support your organization in accelerating the deployment
and management of applications for Microsoft Teams by walking through how to define
a formal process for Apps for Microsoft Teams for your organization.

This deck also shares an overview of the process developed by Microsoft’s IT Team to
evaluate, authorize, deploy and manage third-party applications for Microsoft Teams for
their employees.

Note: Some slides in this deck will contain links to additional supporting content, such as
online documentation to provide more detailed information about a given topic area.
Contents
• Types of Teams Apps
• The Teams App lifecycle
• Managing how users discover and request apps
• Evaluating an app for use in your organization
• App deployment
• End of life
• How Microsoft does it
CORE WORKLOADS
• Communicate: through chat, meetings & calls
• Work better together: using powerful productivity tools
• Collaborate: with deeply integrated Office 365 apps

EXTENSIBLE PLATFORM
• Get more work done: by connecting all your systems and processes
• Communicate, collaborate, do more
Apps in Teams
Microsoft apps (50 available)
• Power Platform (low/no-code): Power BI, Power Apps, Power Automate
• App templates (low/no-code), 30+ in total, covering processes and productivity: Company Communicator, FAQ Plus, HR Support, Icebreaker, Employee Services, Approvals & Workflows

Third party apps (500+ available)

Custom apps (unlimited possibilities)
• Built from scratch using bots, tabs, messaging extensions and MS Graph

The Teams App lifecycle
1. User needs an app: Do you have an internal catalog? Can the user request an app?
2. App is requested: Who approves? Are there approved alternatives? Is licensing needed?
3. App evaluation: Security, privacy and legal review; M365 certification; internal, Microsoft, 3rd party or custom?
4. App deployment: User self-service installs; admin-initiated installs
5. Managing and monitoring: Monitoring and managing Teams apps; upgrades
6. End of life: Removing access to an app

Microsoft Teams provides access to apps through the Microsoft Teams app catalog, which allows additional apps to be
used within the native Teams application for a richer, more integrated experience.

Managing how users discover and request apps
The Microsoft Teams Admin Center allows administrators to customize the Teams app store experience to add
branding and to manage which apps are made available to your users. We recommend that administrators
review the following controls for creating a guided experience for your users.

1. The Customize store page in the Teams admin center allows administrators to select:
- Organization logo
- Logomark
- Background image
- Text color of organization name
This article provides more information about customizing your store.

2. Use app permissions policies to control which apps are available to users.

3. Proactively direct users to organizationally approved apps with app setup policies and tailored apps.

4. Set up user request alerting or redirect user requests to your existing app request process.
Evaluating an app for use in your organization
• Understanding app components
• App features
• Evaluating permissions
• Publisher information and M365 certification
App components
Microsoft Teams apps are composed of one or more components defined in an app manifest. Apps gain access to some basic information when installed. The information available to the application via the Teams context varies by app feature, as noted here.

If an app needs additional information, it requests additional permissions for information exposed by Microsoft or 3rd party APIs such as Microsoft Graph or the Microsoft SharePoint REST API.

Administrators can see the access an application will have by looking at the app features and permissions section of the About tab.
App features
Tabs: Teams-aware webpages embedded in Microsoft Teams. You can add them as part of a channel inside a team, group chat, or personal app for an individual user.

Bot: App that runs simple and repetitive automated tasks done by the users. A bot interaction can be a quick question and answer, or it can be a complex conversation that provides access to services.

Message extension: Enables users to interact with your web service from the Teams client. Users search or start actions in an external system, then the result of the interaction surfaces in the Teams client as a richly formatted card.

Meeting extensions: Apps to make meetings more productive, like adding a survey to complete during the meeting.

Personal app: A dedicated space (tab) or bot to help users focus on their tasks or view activities important to them.

Webhooks and connectors: Communicate with external apps and send or receive notifications and messages from other apps.

Microsoft Graph: The gateway to data and intelligence in Microsoft 365; it can be incorporated in any kind of Teams app.

Adaptive Cards: Help organize information into groups and give users the opportunity to interact with specific parts of the information.

Task modules: Permit creation of modal pop-up experiences in your Teams application.
Evaluating app permissions
Access to M365 data via Microsoft Graph leverages Azure AD app registrations, which allow access to other services configured under API permissions in Azure AD.

Teams data sets can also be accessed with Resource Specific Consent (RSC), which provides scoped access to Teams chats, channels and meetings when specified in the app manifest.
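The app manifest is where both the app's components and its resource-specific consent requests are declared, so a permissions review can start before the app is even uploaded. The PowerShell below is an added example (not code from the deck or from Microsoft): it parses a manifest.json extracted from an app package, lists the capabilities, valid domains and RSC permissions, and flags the items a reviewer should resolve. The manifest it parses is constructed for illustration (all-zero GUIDs, .example domains); the property names follow the Teams app manifest schema.

```powershell
# Added example, not part of the deck: reviewer-side parse of a Teams app manifest.
# Sample manifest below is constructed (placeholder GUIDs and .example domains).

function Get-TeamsManifestReview {
    param([Parameter(Mandatory)][string]$ManifestJson)

    $m = $ManifestJson | ConvertFrom-Json

    # Capabilities: each one is a surface the app exposes inside Teams.
    $capabilities = @()
    if ($m.bots)              { $capabilities += 'bot' }
    if ($m.staticTabs)        { $capabilities += 'personal tab' }
    if ($m.configurableTabs)  { $capabilities += 'channel/group tab' }
    if ($m.composeExtensions) { $capabilities += 'message extension' }
    if ($m.connectors)        { $capabilities += 'connector' }

    # RSC permissions. Manifest schema 1.12 and later declares them under
    # authorization.permissions.resourceSpecific; older manifests used
    # webApplicationInfo.applicationPermissions. Both locations are read.
    $rsc = @()
    if ($m.authorization.permissions.resourceSpecific) {
        $rsc += $m.authorization.permissions.resourceSpecific |
            ForEach-Object { [pscustomobject]@{ Name = $_.name; Type = $_.type } }
    }
    if ($m.webApplicationInfo.applicationPermissions) {
        $rsc += $m.webApplicationInfo.applicationPermissions |
            ForEach-Object { [pscustomobject]@{ Name = $_; Type = 'Application' } }
    }

    # Flags a reviewer should resolve before approving the app.
    $flags = @()
    foreach ($p in $rsc) {
        # Application-type RSC runs with no signed-in user; write verbs on it
        # are the broadest access a Teams app can ask for in a team or chat.
        if ($p.Type -eq 'Application' -and $p.Name -match '\.(ReadWrite|Send|Delete|Create|Manage)\.') {
            $flags += "application RSC with write access: $($p.Name)"
        }
    }
    foreach ($d in @($m.validDomains)) {
        # A wildcard valid domain lets tab and auth flows navigate anywhere
        # under it, widening the trust boundary beyond the app's own host.
        if ($d.Contains('*')) { $flags += "wildcard valid domain: $d" }
    }
    if (-not $m.developer.privacyUrl -or -not $m.developer.termsOfUseUrl) {
        $flags += 'missing privacy or terms of use URL'
    }
    if ($m.webApplicationInfo.resource) {
        # The host in api://<host>/<app-id> must be a valid domain for SSO to be honoured.
        $ssoHost = $m.webApplicationInfo.resource -replace '^api://([^/]+).*$', '$1'
        if (@($m.validDomains) -notcontains $ssoHost) { $flags += "SSO resource host $ssoHost not in validDomains" }
    }

    [pscustomobject]@{
        Name         = $m.name.short
        Id           = $m.id
        Developer    = $m.developer.name
        AadAppId     = $m.webApplicationInfo.id
        Capabilities = $capabilities
        ValidDomains = @($m.validDomains)
        Rsc          = $rsc
        Flags        = $flags
    }
}

# Constructed sample manifest (what you would find as manifest.json inside the app .zip).
$sampleManifest = @'
{
  "manifestVersion": "1.16",
  "id": "00000000-0000-0000-0000-000000000001",
  "name": { "short": "Contoso Helpdesk" },
  "developer": { "name": "Contoso", "websiteUrl": "https://helpdesk.contoso.example",
                 "privacyUrl": "https://helpdesk.contoso.example/privacy", "termsOfUseUrl": "" },
  "bots": [ { "botId": "00000000-0000-0000-0000-000000000002", "scopes": [ "team", "personal" ] } ],
  "staticTabs": [ { "entityId": "home", "name": "Home", "contentUrl": "https://helpdesk.contoso.example/tab", "scopes": [ "personal" ] } ],
  "validDomains": [ "helpdesk.contoso.example", "*.contoso.example" ],
  "webApplicationInfo": { "id": "00000000-0000-0000-0000-000000000002",
                          "resource": "api://helpdesk.contoso.example/00000000-0000-0000-0000-000000000002" },
  "authorization": { "permissions": { "resourceSpecific": [
      { "name": "ChannelMessage.Read.Group",  "type": "Application" },
      { "name": "TeamsActivity.Send.Group",   "type": "Application" },
      { "name": "TeamSettings.Read.Group",    "type": "Delegated" } ] } }
}
'@

$review = Get-TeamsManifestReview -ManifestJson $sampleManifest
$review | Format-List Name, AadAppId, Capabilities, ValidDomains
$review.Rsc   | Format-Table Name, Type -AutoSize
$review.Flags
```

For the sample manifest the flags come back as a write-capable application RSC permission (TeamsActivity.Send.Group), a wildcard valid domain and a missing terms-of-use URL; ChannelMessage.Read.Group is not flagged by the write check, but a reviewer should still note that it reads every message in any team the app is installed in.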
Evaluating app permissions
An application can only access the information described once consent is provided. A global administrator can consent on behalf of an organization.

The permissions requested by a Teams app can be reviewed in the Teams admin center and in the Azure Active Directory Portal.
Evaluating app permissions in the Teams admin center
1. As a Teams Admin, navigate to Teams Admin Center (TAC).
Open Teams apps > Manage apps in the left navigation.

2. Select the app that you want to validate. You can search by
app name if needed.
3. Navigate to the 'Permissions' tab. Click the 'Review permissi…' button.
NOTE: Resource-specific permissions (RSC) are listed on this tab. Access to these resources is granted only when an owner of the resource (e.g. a team or chat) installs the app and provides consent for access to that resource.

4. When prompted, select an account in the target organization for this app.

5. The consent prompt allows administrators to click Accept or Cancel to provide or reject consent for the application to use the listed permissions.

6. The external domains accessed by the application and its privacy policy are documented on the About tab.
Evaluating app permissions in the Azure Active Directory Portal
Applications that have been granted consent can be seen in the Azure Active Directory Portal as an Enterprise Application.

In the Teams Admin Center, such an app carries the note "This app has been granted consent for some permissions" with a link to the Azure Active Directory location.

The Azure Active Directory Portal allows administrators to view who has granted consent for an app, whether it was granted in the admin or the user context, and to grant or revoke additional access.

Administrators can select "Review Permissions" to further limit access to a specific list of users or to block suspicious or compromised apps.
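The portal view above can be reproduced from the command line, which is useful when many apps have to be reviewed or when the review needs to be repeated after an app update. The following is an added example (not from the deck): with the Microsoft.Graph PowerShell SDK it reads the delegated grants and app-only role assignments attached to an app's service principal, records whether each grant was admin- or user-consented, and sorts each permission into the review tiers this deck describes later (scoped to the signed-in user; multi-user or tenant-wide; application scope). It assumes the caller can read applications in the tenant; the app name 'Contoso Helpdesk' is illustrative.

```powershell
# Added example, not part of the deck: list and tier the consent an app holds in
# Azure AD (Entra ID). Requires the Microsoft.Graph PowerShell SDK.

function Get-AppConsentReport {
    param([Parameter(Mandatory)][string]$AppDisplayName)

    # Consent is recorded against the service principal (the "Enterprise
    # application" in the portal), not against the app registration.
    $escaped = $AppDisplayName.Replace("'", "''")
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$escaped'" | Select-Object -First 1
    if (-not $sp) { throw "No enterprise application named '$AppDisplayName'" }

    # Delegated permissions live in oauth2PermissionGrant objects. One grant
    # carries a space-separated scope list; ConsentType says whether an admin
    # consented for everyone ('AllPrincipals') or a single user did.
    $delegated = foreach ($grant in (Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
        foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{
                Kind        = 'Delegated'
                Resource    = $resource.DisplayName
                Permission  = $scope
                ConsentedBy = if ($grant.ConsentType -eq 'AllPrincipals') { 'admin, all users' } else { "user $($grant.PrincipalId)" }
                GrantId     = $grant.Id
            }
        }
    }

    # Application permissions are appRoleAssignments. The assignment stores
    # only the role GUID, so resolve it against the resource's appRoles.
    $application = foreach ($assignment in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        [pscustomobject]@{
            Kind        = 'Application'
            Resource    = $resource.DisplayName
            Permission  = $role.Value
            ConsentedBy = 'admin, app-only (no signed-in user)'
            GrantId     = $assignment.Id
        }
    }

    # Tiering: app-only access is the exceptional case; tenant-wide or
    # multi-user delegated scopes need justification and scoping; the rest
    # is bounded by whatever the signed-in user can already reach.
    foreach ($g in @($delegated) + @($application)) {
        $tier = if ($g.Kind -eq 'Application') { '3 exceptional: application scope' }
                elseif ($g.Permission -match '\.All$|AccessAsUser\.All$') { '2 review: multi-user or tenant-wide' }
                else { '1 scoped to signed-in user' }
        $g | Add-Member -NotePropertyName Tier -NotePropertyValue $tier -PassThru
    }
}

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' | Out-Null
Get-AppConsentReport -AppDisplayName 'Contoso Helpdesk' |
    Sort-Object Tier -Descending |
    Format-Table Tier, Kind, Resource, Permission, ConsentedBy -AutoSize
```

The display name in Azure AD is the name of the service principal, which may differ from the app's name in the Teams catalog; the link from the Teams Admin Center ("This app has been granted consent...") is the reliable way to find the right object. A user-consented grant shows the user's object id rather than a name; that is the case to look at when an app appears in the tenant that no administrator remembers approving.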
Publisher information and M365 certification
The Microsoft 365 App Compliance Program is a two-step approach to app security and compliance and includes Publisher Verification and Microsoft 365 Certification.

Publisher Verification
When an app is marked as publisher verified with a blue check mark, it means that the publisher has verified their identity using a Microsoft Partner Network account that has completed the verification process and has associated this MPN account with their application registration.

Publisher verification is not a prerequisite for Attestation or M365 certification.
M365 certification and what it means
The Microsoft 365 Certification process has two phases: Attestation and Certification.

Attestation
• The publisher completes a questionnaire about the security, data handling and compliance attributes of the app
• All the information is then published in one place and in a consistent, easy to read format

Certification
• An audit of the app against a set of controls derived from leading industry standard frameworks
• The publisher provides evidence to demonstrate that each control is met before being awarded a certification
• Microsoft 365 Certification shows that strong security and compliance practices are in place to protect customer data, security, and privacy
Trust: Microsoft 365 Certification (Teams only)
Build trust and raise visibility:

Publisher Attestation
• Compliance claim checks: SOC2, PCI-DSS, ISO27001

Certification
• Application Security: pen-test, SAST/DAST
• Operational Security: malware, patch management, incident response, vulnerability scan, risk management
• Data Handling Security and Privacy: least privilege design, data retention and disposal, data access and approval, GDPR

M365 Certified Apps provide additional information, validated by the certification process, in the Teams Admin Center.
App deployment
• Considerations for deployment
• Developer controls
• Microsoft enhanced app controls
• Managing and monitoring
• Updating apps
• Monitoring third party applications with a Cloud Access Security Broker (CASB)
Considerations for deployment
 Will the app be available to all users, or a selected group?
 Should the app be installed or pinned for users?
App permission and setup policies should be configured for the desired behavior in Teams. Azure Active Directory application access and the My Apps portal also offer app management; care should be taken to understand which control will function as the source of truth for this app.
 Is the app enhanced for Outlook and Office.com?
 Will guest and anonymous users need to use the app?
 Is license and subscription management needed?
 Does the app require customization?
 Are custom app policies and settings needed?
 Do I need to allow resource-specific consent?

Developer controls
The Teams Developer portal provides app usage reporting for specific apps published from the developer portal. This is available on https://dev.teams.microsoft.com on the Apps blade.

Additional owners can be listed for collaboration under Advanced > Owners. Owners can download and edit the app manifest for app updates or review.

Teams administrators can take control of orphaned apps by clicking Take ownership in the Teams developer portal. This control allows administrators to search for app IDs listed in Manage apps in the Teams Admin Center to recover ownership of published custom apps.
Microsoft enhanced app controls
App developers can enhance their Microsoft Teams apps to work in Outlook and on Office.com, in addition to the app working in Teams.

End users can use the enhanced apps in Teams, Microsoft Outlook and Microsoft Office.com after the enhancement. Currently, only end users in Targeted release can view and use these specific apps in Teams, Outlook, and Office.com.

If targeted release is configured in the Microsoft 365 admin center, this removes user access to the Teams app even if it is configured in the Teams admin center. For a current list of enhanced apps, visit the link below.

Manage access to Teams apps across Microsoft 365 - Microsoft Teams | Microsoft Learn
Managing and monitoring apps
App usage reporting is available in:
 Teams Admin Center and
 M365 admin portal

Individual app consumption is identified by App Name or External App ID in the Microsoft 365 Teams apps usage reports.

Audit reporting is available in the Microsoft Purview compliance portal (Audit).

Additional sign-in logs for specific applications are available in the Azure Active Directory portal on the Enterprise Applications blade.
Updating apps
 If app developers make certain changes to their apps, then end users must approve the update of the app, or an administrator can provide consent on their behalf to manage the update. A full list of app changes that trigger a new consent prompt can be reviewed here.
 A Teams administrator is also required to publish or approve updates to custom apps uploaded to an organization's app catalog.

Monitoring third party applications
 Cloud Access Security Brokers (CASB) like Microsoft Defender for Cloud Apps provide protection for select 3rd party apps like Azure-hosted apps, ServiceNow, or GitHub. Learn more about Microsoft Defender for Cloud Apps.
 This allows you to apply controls to these apps to meet your security and compliance requirements.
End of life
Identifying and validating apps for retirement
 Prior to removing an app you should evaluate whether it is still in use and whether migration or change management to a new solution is needed.
 Administrators can also evaluate their app catalog to maintain an up to date and hygienic app ecosystem.

The app usage reporting described earlier can be used to identify app usage for this purpose.
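The usage reports give totals per app; the audit log mentioned in the monitoring section adds who installed or removed an app, where, and when, which is what a retirement decision actually needs. The PowerShell below is an added example (not from the deck): it takes the AuditData records that Search-UnifiedAuditLog returns for Teams app events, groups them per app, and marks an app as a retirement candidate when every install has been undone or nothing has happened for a configurable number of days. The four records are constructed; their field names (Operation, CreationTime, UserId, AddOnName, AddOnGuid, TeamName) follow the Microsoft Teams schema of the Office 365 Management Activity API, and the 90-day threshold is an assumption to tune for your tenant.

```powershell
# Added example, not part of the deck: retirement candidates from Teams app
# audit events. Sample records below are constructed.

function Get-TeamsAppActivitySummary {
    param(
        [Parameter(Mandatory)][string[]]$AuditDataJson,  # one AuditData JSON document per record
        [datetime]$Now = (Get-Date),
        [int]$StaleAfterDays = 90                        # assumption: tune per tenant
    )

    $events = $AuditDataJson | ForEach-Object { $_ | ConvertFrom-Json } |
        Where-Object { $_.Operation -in 'AppInstalled', 'AppUninstalled', 'AppUpgraded' }

    # Group by the app's catalog GUID rather than its display name so a
    # renamed app still aggregates into one row.
    foreach ($group in ($events | Group-Object AddOnGuid)) {
        $ordered  = $group.Group | Sort-Object { [datetime]$_.CreationTime }
        $last     = $ordered[-1]
        $installs = @($ordered | Where-Object Operation -eq 'AppInstalled').Count
        $removals = @($ordered | Where-Object Operation -eq 'AppUninstalled').Count
        $idle     = ($Now - [datetime]$last.CreationTime).TotalDays
        [pscustomobject]@{
            App          = $last.AddOnName
            AppId        = $group.Name
            Installs     = $installs
            Uninstalls   = $removals
            Installers   = @($ordered | Where-Object Operation -eq 'AppInstalled' |
                             Select-Object -ExpandProperty UserId -Unique).Count
            LastActivity = [datetime]$last.CreationTime
            IdleDays     = [int]$idle
            # Candidate: every install has been undone, or the app has been
            # idle longer than the staleness window.
            Candidate    = ($removals -ge $installs) -or ($idle -gt $StaleAfterDays)
        }
    }
}

# Constructed sample records (the AuditData column of Search-UnifiedAuditLog output).
$sampleAuditData = @(
    '{"CreationTime":"2024-01-10T09:15:00","Operation":"AppInstalled","UserId":"alice@contoso.example","AddOnName":"Contoso Helpdesk","AddOnGuid":"00000000-0000-0000-0000-000000000001","TeamName":"IT Support"}',
    '{"CreationTime":"2024-02-02T14:40:00","Operation":"AppInstalled","UserId":"bob@contoso.example","AddOnName":"Contoso Helpdesk","AddOnGuid":"00000000-0000-0000-0000-000000000001","TeamName":"Facilities"}',
    '{"CreationTime":"2023-11-20T11:00:00","Operation":"AppInstalled","UserId":"carol@contoso.example","AddOnName":"Legacy Poll","AddOnGuid":"00000000-0000-0000-0000-000000000009","TeamName":"Marketing"}',
    '{"CreationTime":"2023-12-01T08:30:00","Operation":"AppUninstalled","UserId":"carol@contoso.example","AddOnName":"Legacy Poll","AddOnGuid":"00000000-0000-0000-0000-000000000009","TeamName":"Marketing"}'
)

Get-TeamsAppActivitySummary -AuditDataJson $sampleAuditData -Now ([datetime]'2024-03-01') |
    Format-Table App, Installs, Uninstalls, Installers, LastActivity, IdleDays, Candidate -AutoSize

# Live data instead of the sample (Exchange Online PowerShell, audit log reader role):
#   $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
#                 -RecordType MicrosoftTeams -Operations AppInstalled,AppUninstalled,AppUpgraded -ResultSize 5000
#   Get-TeamsAppActivitySummary -AuditDataJson $records.AuditData
```

With the sample data, Contoso Helpdesk (two installs, none removed, last activity 28 days before the reference date) is not a candidate, while Legacy Poll (one install, later uninstalled) is. Audit retention limits how far back this can look, so the query window should be no longer than what your licence retains.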
Considerations for retiring Teams apps
 Blocking an app in the Teams Admin Center does not remove existing access already granted to the app.
 Application access can be revoked by following the guidance provided in Azure Active Directory Enterprise Applications, as shown below:
1. Navigate to the Azure Active Directory Portal
2. Select Enterprise Applications
3. Select the app for which access needs to be revoked
4. Select Permissions from the left hand navigation menu
5. Select Review Permissions from the header and follow the wizard to revoke access as needed.

 Apps can be uninstalled using the Microsoft Teams PowerShell cmdlet Remove-TeamsAppInstallation or the Microsoft Graph API.
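Because blocking in the admin center leaves both installs and consent in place, a retirement has at least three separate steps: uninstall from the places the app was added, revoke the Azure AD grants, and stop the app from obtaining new tokens. The PowerShell below is an added example (not from the deck) that does all three with the MicrosoftTeams and Microsoft.Graph modules, using Remove-TeamsAppInstallation as the slide mentions. It supports -WhatIf so it can be dry-run first; the app name and Azure AD app id passed at the bottom are illustrative placeholders.

```powershell
# Added example, not part of the deck: retire a Teams app end to end.
# Requires the MicrosoftTeams and Microsoft.Graph PowerShell modules.

function Remove-RetiredTeamsApp {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$AppDisplayName,   # name in the Teams app catalog
        [Parameter(Mandatory)][string]$EntraAppId        # webApplicationInfo.id from the manifest
    )

    # 1. Uninstall from every team. Get-TeamsAppInstallation works per team
    #    or per user, so teams are enumerated here; personal installs need the
    #    same two calls with -UserId for each user and are out of scope below.
    $app = Get-TeamsApp -DisplayName $AppDisplayName | Select-Object -First 1
    if (-not $app) { throw "No catalog app named '$AppDisplayName'" }

    $uninstalled = 0
    foreach ($team in Get-Team) {
        $installed = Get-TeamsAppInstallation -TeamId $team.GroupId |
            Where-Object { $_.TeamsAppId -eq $app.Id }
        if ($installed -and $PSCmdlet.ShouldProcess("team '$($team.DisplayName)'", "uninstall $AppDisplayName")) {
            Remove-TeamsAppInstallation -AppId $app.Id -TeamId $team.GroupId
            $uninstalled++
        }
    }

    # 2. Revoke consent. Delegated grants and app-only role assignments hang
    #    off the app's service principal, found here by its Azure AD app id.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$EntraAppId'"
    $revoked = 0
    if ($sp) {
        foreach ($grant in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All) {
            if ($PSCmdlet.ShouldProcess("delegated grant '$($grant.Scope)'", 'revoke')) {
                Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
                $revoked++
            }
        }
        foreach ($ra in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
            if ($PSCmdlet.ShouldProcess("application permission $($ra.AppRoleId)", 'revoke')) {
                Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $ra.Id
                $revoked++
            }
        }
        # 3. Access tokens already issued stay valid until they expire; disabling
        #    the service principal blocks new sign-ins and token refreshes.
        if ($PSCmdlet.ShouldProcess("service principal '$($sp.DisplayName)'", 'disable sign-in')) {
            Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false
        }
    } else {
        Write-Warning "No service principal for appId $EntraAppId; nothing to revoke"
    }

    [pscustomobject]@{ App = $AppDisplayName; TeamsUninstalled = $uninstalled; GrantsRevoked = $revoked }
}

Connect-MicrosoftTeams | Out-Null
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' | Out-Null

# Dry run first; drop -WhatIf to apply.
Remove-RetiredTeamsApp -AppDisplayName 'Contoso Helpdesk' -EntraAppId '00000000-0000-0000-0000-000000000002' -WhatIf
```

Get-Team enumerates every team in the tenant, so in a large tenant the first loop is the slow part; filtering by a known list of teams from the usage report is the practical shortcut. Deleting the service principal outright would also remove the audit trail of what had been consented, which is why the example disables it instead.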
How Microsoft does it
This section describes how Microsoft manages apps within our own organization. This is intended to be
an example of how an enterprise could manage their apps and should not be considered prescriptive
guidance.
Definitions
App or Teams App: A Teams app is a collection of contributing capabilities that accomplish or support a workflow in a team, user or group context in the Teams client. All Teams apps are reflected in Azure Active Directory, but not all apps listed in Azure Active Directory (Enterprise Apps) are Teams apps.
Microsoft Apps: Published by Microsoft and connect to native Teams functionalities (Poll, Tasks, etc.) or to other Microsoft services (Azure DevOps, Planner, etc.).
3p (Third Party) Apps: Teams apps built by a 3p company (Adobe Sign, Stack Overflow, Kahoot, etc.). Apps published by Microsoft that provide connectivity to 3p services are classified as 3p (RSS, Webhooks).
LOB (Line of Business) App: Teams app built only to be distributed and used in the owning tenant; installable only within the owning tenant.
Sideloaded App: Teams app that hasn't been published and was directly uploaded to Teams as a zip package. Sideloaded apps are not listed in the Teams admin center.
Microsoft apps review process
Office 365 services undergo the Office Trust Review process to ensure our commitment to you. The stages, owned by product engineering and IT compliance teams, are:
• Office Trust Review: accessibility, security, privacy
• Dogfooding early
• MSFT tenant onboarding: user scoping, product ERP feedback

Note: Not all apps that list Microsoft as the publisher undergo Office Trust Review. You should validate how each Microsoft product family complies with your security, privacy and compliance requirements on the Microsoft Trust Center.

Microsoft Trust Center Overview | Microsoft Trust Center


LOB app compliance review process
Microsoft publishes recommended guidance for internal developers as well as a documented process for application review and approval. The review stages are:
• Initial review / consultation (IT)
• Security, privacy and accessibility review (IT together with the business requestor and their compliance teams, and Security)
• Graph access and user scoping (IT)
• Enablement in Teams (IT)

The Microsoft Security Development Lifecycle can be used to inform your organization's requirements and processes. The Microsoft Azure Well-Architected Framework applies to apps built on Azure.

Microsoft Security Development Lifecycle
Third-party app review process
Third-party apps are evaluated for compliance with procurement policies, M365 Certification and governance requirements. If a third-party app meets policy requirements, an app-specific review is conducted. The stages are:
• Procurement process and vendor review (IT and the ISV/publisher)
• Approved governance
• Initial review / consultation (IT)
• Security, privacy and accessibility review (IT and Security)
• Graph access and user scoping (IT)
• Enablement in Teams (IT)

Microsoft leverages M365 certification to ensure a 3p app has been vetted against controls derived from leading industry standard frameworks, and that strong security and compliance practices are in place to protect customer data.
Graph access
Microsoft's third-party app review processes consider the scope and level of Graph access that is requested by an application and require business justification where access to data is requested.

Permissions that provide scoped access to data and the least possible privilege (basic or read permissions) should be preferred over more expansive scopes.

This table lists examples of permissions that limit data access to a specific user, and only to limited information such as the logged-in user's email address. Third-party app requests for these permissions are approved if the app has a reasonable use for that functionality, e.g. posting notifications for business tasks.

Permission | Type | Description
email | Delegated | Allows the app to read your users' primary email address
offline_access | Delegated | Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions.
openid | Delegated | Allows users to sign into the app with their work or school accounts and allows the app to see basic user profile information.
profile | Delegated | Allows the app to see your users' basic profile (name, picture, username)
User.Read | Delegated | Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
User.ReadBasic.All | Delegated | Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address and photo.
Agreement.Read.All | Delegated | Allows the app to read terms of use agreements on behalf of the signed-in user.
AgreementAcceptance.Read | Delegated | Allows the app to read terms of use acceptance statuses on behalf of the signed-in user.
AgreementAcceptance.Read.All | Delegated | Allows the app to read terms of use acceptance statuses on behalf of the signed-in user.
TeamsActivity.Send | Delegated | Send a teamwork activity as the user
TeamsActivity.Send.Chat | Resource specific consent | Send activity feed notifications to users in this chat
TeamsActivity.Send.Group | Resource specific consent | Send activity feed notifications to users in this team
Graph access
Graph permissions that provide access to multiple locations or resources, or to content that is restricted according to Microsoft's data classification policies, are:
 Subject to additional certification through the Microsoft App Compliance Certification Program, AND
 Internal reviews of the justification for access.

Examples of permissions that require the Microsoft 365 certification and internal review are shown here (1/3):

Permission | Type | Description
OnlineMeetingTranscript.Read.All | Delegated
TeamworkDevice.Read.All | Delegated
AdministrativeUnit.Read.All | Delegated | Allows the app to read administrative units and administrative unit membership on behalf of the signed-in user.
Bookings.Manage.All | Delegated | Allows an app to read, write and manage bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user.
Bookings.Read.All | Delegated | Allows an app to read bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user.
Bookings.ReadWrite.All | Delegated | Allows an app to read and write bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Does not allow create, delete and publish of booking businesses.
BookingsAppointment.ReadWrite.All | Delegated | Allows an app to read and write bookings appointments and customers, and additionally allows reading businesses information, services, and staff on behalf of the signed-in user.
Calendars.Read | Delegated | Allows the app to read events in user calendars.
Calendars.Read.Shared | Delegated | Allows the app to read events in all calendars that the user can access, including delegate and shared calendars.
ChannelMember.Read.All | Delegated | Read the members of channels, on behalf of the signed-in user.
ChannelMessage.Delete | Delegated | Allows an app to delete channel messages in Microsoft Teams, on behalf of the signed-in user.
ChannelMessage.Edit | Delegated | Allows an app to edit channel messages in Microsoft Teams, on behalf of the signed-in user.
ChannelMessage.Send | Delegated | Allows an app to send channel messages in Microsoft Teams, on behalf of the signed-in user.
Graph access
Examples of permissions that require the Microsoft 365 certification and internal review are shown here (2/3, continued from previous):

Permission | Type | Description
ChannelSettings.Read.All | Delegated | Read all channel names, channel descriptions, and channel settings, on behalf of the signed-in user.
Chat.Create | Delegated | Allows the app to create chats on behalf of the signed-in user.
Contacts.Read.Shared | Delegated | Allows the app to read contacts a user has permissions to access, including their own and shared contacts.
Device.Read | Delegated | Allows the app to read a user's list of devices on behalf of the signed-in user.
Device.Read.All | Delegated | Allows the app to read your organization's devices' configuration information on behalf of the signed-in user.
ExternalItem.Read.All | Delegated | Allows the app to read external datasets and content, on behalf of the signed-in user.
IMAP.AccessAsUser.All | Delegated | Allows the app to have the same access to mailboxes as the signed-in user via IMAP protocol.
Place.Read | Delegated | Allows the app to read the signed-in user's personal places.
Mail.ReadBasic | Delegated | Allows the app to read email in the signed-in user's mailbox except body, previewBody, attachments and any extended properties.
Notes.ReadWrite | Delegated | Allows the app to read, share, and modify OneNote notebooks on behalf of the signed-in user.
Notes.ReadWrite.All | Delegated | Allows the app to read, share, and modify OneNote notebooks that the signed-in user has access to in the organization.
Notes.ReadWrite.CreatedByApp | Delegated | This is deprecated! Do not use! This permission no longer has any effect. You can safely consent to it. No additional privileges will be granted to the app.
Notifications.ReadWrite.CreatedByApp | Delegated | Allows the app to deliver its notifications on behalf of signed-in users. Also allows the app to read, update, and delete the user's notification items for this app.
OnlineMeetingArtifact.Read.All | Delegated | Allows the app to read online meeting artifacts on behalf of the signed-in user.
Organization.Read.All | Delegated | Allows the app to read the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed skus and tenant branding information.
Graph access
Examples of permissions that require the Microsoft 365 certification and internal review are shown here (3/3, continued from previous):

Permission | Type
Place.Read.All | Delegated
Place.Read.Shared | Delegated
Place.ReadWrite | Delegated
Place.ReadWrite.All | Delegated
POP.AccessAsUser.All | Delegated
Presence.Read | Delegated
Presence.Read.All | Delegated
Presence.ReadWrite | Delegated
SMTP.Send | Delegated
Tasks.Read | Delegated
TeamsApp.Read | Delegated
TeamsApp.ReadWrite | Delegated
User.Read.All | Delegated
UserActivity.ReadWrite.CreatedByApp | Delegated
UserAuthenticationMethod.Read | Delegated
UserNotification.ReadWrite.CreatedByApp | Delegated
UserTimelineActivity.Write.CreatedByApp | Delegated
Directory.Read.All | Delegated
GroupMember.Read.All | Delegated
Files.Read.Selected | Delegated
Files.ReadWrite.Selected | Delegated
TeamSettings.Read.Group | Resource specific consent
TeamSettings.ReadWrite.Group | Resource specific consent
ChannelSettings.Read.Group | Resource specific consent
ChannelSettings.ReadWrite.Group | Resource specific consent
Channel.Create.Group | Resource specific consent
Channel.Delete.Group | Resource specific consent
ChannelMessage.Read.Group | Resource specific consent
TeamsTab.Read.Group | Resource specific consent
TeamsTab.Create.Group | Resource specific consent
TeamsTab.ReadWrite.Group | Resource specific consent
TeamsTab.Delete.Group | Resource specific consent
TeamMember.Read.Group | Resource specific consent
TeamsActivity.Send.Group | Resource specific consent
TeamsAppInstallation.Read.Group | Resource specific consent
ChatSettings.Read.Chat | Resource specific consent
ChatSettings.ReadWrite.Chat | Resource specific consent
ChatMessage.Read.Chat | Resource specific consent
Chat.Manage.Chat | Resource specific consent
ChatMember.Read.Chat | Resource specific consent
TeamsTab.Read.Chat | Resource specific consent
TeamsTab.Create.Chat | Resource specific consent
TeamsTab.Delete.Chat | Resource specific consent
TeamsTab.ReadWrite.Chat | Resource specific consent
TeamsAppInstallation.Read.Chat | Resource specific consent
OnlineMeeting.ReadBasic.Chat | Resource specific consent
OnlineMeeting.AccessMedia.Chat | Resource specific consent
OnlineMeetingTranscript.Read.Chat | Resource specific consent
Calls.AccessMedia.Chat | Resource specific consent
Calls.JoinGroupCalls.Chat | Resource specific consent
Graph access
Permissions that provide access to multiple users' content, or to sensitive content, are reviewed for:
 Justification, AND
 Whether the access can be scoped with the use of additional controls.

Permission | Type | Description
Sites.Read.All | Delegated | Allows the application to read documents and list items in all site collections on behalf of the signed-in user
Chat.Read | Delegated | Allows an app to read 1 on 1 or group chat threads, on behalf of the signed-in user.
Chat.ReadWrite | Delegated | Allows an app to read and write 1 on 1 or group chat threads, on behalf of the signed-in user.
Contacts.Read | Delegated | Allows the app to read user contacts.
Files.Read | Delegated | Allows the app to read the signed-in user's files.
Files.Read.All | Delegated | Allows the app to read all files the signed-in user can access.
Files.Read.Selected | Delegated | (Preview) Allows the app to read files that the user selects. The app has access for several hours after the user selects a file.
Files.ReadWrite.Selected | Delegated | (Preview) Allows the app to read and write files that the user selects. The app has access for several hours after the user selects a file.
Mail.Read | Delegated | Allows the app to read the signed-in user's mailbox.
Mail.Read.Shared | Delegated | Allows the app to read mail a user can access, including their own and shared mail.
MailboxSettings.Read | Delegated | Allows the app to read the user's mailbox settings. Does not include permission to send mail.
Notes.Create | Delegated | Allows the app to read the titles of OneNote notebooks and sections and to create new pages, notebooks, and sections on behalf of the signed-in user.
Notes.Read | Delegated | Allows the app to read OneNote notebooks on behalf of the signed-in user.
Notes.Read.All | Delegated | Allows the app to read OneNote notebooks that the signed-in user has access to in the organization.
OnlineMeetings.Read | Delegated | Allows the app to read online meeting details on behalf of the signed-in user.
OnlineMeetings.ReadWrite | Delegated | Allows the app to read and create online meetings on behalf of the signed-in user.
OnlineMeetingRecording.Read.All | Delegated
Tasks.Read.Shared | Delegated | Allows the app to read tasks a user has permissions to access, including their own and shared tasks.
Tasks.ReadWrite | Delegated | Allows the app to create, read, update, and delete the signed-in user's tasks and task lists, including any shared with the user.
Tasks.ReadWrite.Shared | Delegated | Allows the app to create, read, update, and delete tasks a user has permissions to, including their own and shared tasks.
TeamsActivity.Read | Delegated | Allows the app to read the signed-in user's teamwork activity feed.
TeamsActivity.Send | Delegated | Allows the app to create new notifications in users' teamwork activity feeds on behalf of the signed-in user. These notifications may not be discoverable or be held or governed by compliance policies.
Graph access
Permissions that provide access at the application scope, or provide service administrator functionality, should be reserved only for exceptional use cases.

Permission | Type | Description
Printer.FullControl.All | Delegated
SearchConfiguration.Read.All | Delegated
Analytics.Read | Delegated | Allows the app to read the signed-in user's activity statistics, such as how much time the user has spent on emails, in meetings, or in chat sessions.
AppCatalog.Read.All | Delegated
Application.Read.All | Delegated | Allows the app to read applications and service principals on behalf of the signed-in user.
DeviceManagementApps.Read.All | Delegated | Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.
Domain.Read.All | Delegated | Allows the app to read all domain properties on behalf of the signed-in user.
EduAdministration.Read | Delegated
EduAdministration.ReadWrite | Delegated
EduAssignments.Read | Delegated
EduAssignments.ReadBasic | Delegated
EduAssignments.ReadWrite | Delegated
EduAssignments.ReadWriteBasic | Delegated
EduRoster.Read | Delegated
EduRoster.ReadBasic | Delegated
EduRoster.ReadWrite | Delegated
Family.Read | Delegated | Allows the app to read your family information, members and their basic profile.
IdentityProvider.Read.All | Delegated | Allows the app to read your organization's identity (authentication) providers' properties on behalf of the user.
PrinterShare.Read.All | Delegated
PrinterShare.ReadBasic.All | Delegated | Allows the application to read basic information about printer shares on behalf of the signed-in user. Does not allow reading access control information.
PrinterShare.ReadWrite.All | Delegated | Allows the application to read and update printer shares on behalf of the signed-in user.
PrintJob.ReadWrite | Delegated
ServiceHealth.Read.All | Delegated | Allows the app to read your tenant's service health information on behalf of the signed-in user. Health information may include service issues or service health overviews.
ServiceMessage.Read.All | Delegated | Allows the app to read your tenant's service announcement messages on behalf of the signed-in user. Messages may include information about new or changed features.
ServicePrincipalEndpoint.Read.All | Delegated | Allows the app to read service principal endpoints
Any application permissions
Lessons learned
A well documented process with transparent SLAs for procurement, IT and
security reviews improves app onboarding.
A self-service app request process that lists already approved apps in the
same category can redirect users to a quicker resolution.
Got some feedback?
Click the link below or scan the QR code on the right
and let Teams Engineering know!

http://aka.ms/TeamsPlaybookFeedback
Thank you.