100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Microsoft 365

App Governance and Permission Policies

Understand how org-wide app settings, app permission policies, publisher verification, and Defender for Cloud Apps' App governance work together to control third-party app risk in Teams.

AdministrationIntermediate9 min readJul 10, 2026
Analogies

Org-Wide App Settings and App Permission Policies

Org-wide app settings act as a master switch controlling whether third-party apps, custom apps, and Microsoft apps can be installed in Teams at all across the tenant. Beneath that, app permission policies govern which specific apps, categorized as Microsoft apps, third-party apps, or custom apps, individual users or groups are allowed to install, are blocked from installing, or must have explicitly approved by an admin. A block always takes precedence over an allow when an app appears on both a policy's allow and block list simultaneously.

🏏

Cricket analogy: A stadium's master gate switch decides if any spectators enter at all, but individual turnstile rules then decide which ticket categories, general admission versus premium box, are allowed through, just as org-wide app settings gate everything before app permission policies filter specific apps.

Custom App Permission Policies and Publisher Verification

Admins create custom app permission policies that specify allowed and blocked apps per category, and can assign a different policy to, for example, the legal department versus the sales department. Publisher verification, shown as a blue verified badge earned through Microsoft 365 Publisher Attestation or Partner Center identity verification, signals that an app's publisher completed identity and security attestation, giving admins a stronger signal before allowing an app tenant-wide, especially for apps requesting broad Microsoft Graph permissions.

🏏

Cricket analogy: A cricket board granting a broadcaster full stadium access only after they pass an accreditation and background check mirrors how Teams admins lean on publisher verification before allowing an app broad Graph permissions.

powershell
# Create a custom app permission policy that blocks all third-party apps by default
New-CsTeamsAppPermissionPolicy -Identity "RestrictedThirdPartyApps" `
    -DefaultCatalogAppsType AllowedAppList `
    -GlobalCatalogAppsType BlockedAppList

# Allow a specific, publisher-verified third-party app for this policy
Set-CsTeamsAppPermissionPolicy -Identity "RestrictedThirdPartyApps" `
    -GlobalCatalogApps @(New-CsTeamsAppPermissionPolicyAppItem -AppId "com.example.reportingbot" -Action Allow)

# Assign the custom policy to the legal department security group
New-CsGroupPolicyAssignment -GroupId "8a1c2d3e-..." `
    -PolicyType "TeamsAppPermissionPolicy" `
    -PolicyName "RestrictedThirdPartyApps" `
    -Rank 1

Microsoft Defender for Cloud Apps Governance

The App governance add-on, part of Microsoft Defender for Cloud Apps, continuously evaluates OAuth-consented apps registered in Microsoft Entra ID and calculates a risk score based on the sensitivity of the Microsoft Graph permissions they hold, such as Mail.ReadWrite or Files.ReadWrite.All being far riskier than User.Read. It surfaces anomaly alerts, for example an app suddenly calling Graph from an unfamiliar country, and lets admins configure automated policies that alert on, or automatically revoke, tokens for apps deemed over-privileged or behaving suspiciously.

🏏

Cricket analogy: A team's analytics department flagging a data vendor that suddenly requests access to injury medical records instead of just match statistics mirrors how App governance flags an app requesting Graph permissions far beyond its stated purpose.

App governance risk scores factor in: the sensitivity tier of requested Graph permissions, how many users consented, whether the publisher is verified, and behavioral anomalies such as unusual sign-in locations or a spike in API calls.

Least Privilege for Custom and Line-of-Business Apps

When publishing internal line-of-business Teams apps, developers should request the narrowest Microsoft Graph scopes needed for the feature, for instance requesting Chat.Read instead of Chat.ReadWrite for a bot that only summarizes conversations. Admins should route consent requests for apps needing high-privilege, tenant-wide, or admin-consent-required permissions through the admin consent workflow in Entra ID rather than allowing individual users to consent, since user consent for sensitive scopes bypasses centralized security review.

🏏

Cricket analogy: A team analyst requesting read-only access to match footage instead of write access to the official scoring system mirrors how a Teams bot should request Chat.Read rather than Chat.ReadWrite when it only needs to summarize conversations.

Allowing individual users to consent to apps requesting high-privilege Graph permissions, such as full mailbox or Files.ReadWrite.All access, creates a shadow IT risk: a convincing phishing-style consent screen can trick a user into granting an attacker-controlled app persistent data access. Disable user consent for high-risk permissions tenant-wide and route those requests through admin consent.

  • Org-wide app settings act as a master toggle; app permission policies then refine which specific apps individual users or groups can use.
  • When an app is on both an allow list and a block list, the block always wins.
  • Publisher verification (Partner Center / Publisher Attestation) signals that an app's identity was independently vetted before broad approval.
  • The App governance add-on in Defender for Cloud Apps risk-scores OAuth-consented apps based on Graph permission sensitivity and behavioral anomalies.
  • Internal LOB Teams apps should request the narrowest Graph scope that satisfies the feature, e.g., Chat.Read instead of Chat.ReadWrite.
  • High-privilege permission requests should go through the admin consent workflow rather than user consent.
  • Disabling user consent for risky permission tiers tenant-wide reduces shadow-IT and data-exfiltration risk.

Practice what you learned

Was this page helpful?

Topics covered

#Microsoft365#MicrosoftTeamsDevelopmentStudyNotes#MicrosoftTechnologies#AppGovernanceAndPermissionPolicies#App#Governance#Permission#Policies#StudyNotes#SkillVeris