(Updated) Introducing resource-specific consent for Microsoft Teams

New Feature: Teams

From Microsoft Corporation

MC218561, Stay Informed, Published date: Jul 15, 2020

Major update: AnnouncementApplies To: AllUpdated September 18, 2020: We are pleased to announce that this feature has completed rolling out and is available in your organization as applicable.

Resource-specific consent (RSC) for Microsoft Teams makes it possible for team owners to consent to apps accessing their team data without explicit admin approval. Admins may choose which team owners can consent.

Key points

  • Microsoft 365 Roadmap ID 56605
  • Timing: end of August (previously mid-August); complete end of September (previously mid-September)
  • Roll-out: tenant level
  • Control type: admin control 
  • Action: review and assess  

How this will affect your organization

Apps provide out-of-the-box or custom tools for your organization to get more out of Teams.

Previously, any app that accessed Microsoft Graph APIs for Microsoft Teams needed global admin consent. Most other Graph APIs support user consent, i.e., consent by someone other than an admin, which allows apps using those APIs to be run without admin consent.

RSC permissions

With RSC, you no longer need to grant an app tenant-wide approval. Instead, you can give a team owner the ability to install an RSC app that will have access to only that team’s Teams Graph API. RSC allows apps to create, rename and delete channels; read channel messages; create tabs; and read team membership and settings.

There is no change in how you track apps that have been installed in your tenant. You can continue to block a specific application from being installed in your tenant.
What you need to do to prepare

From the Microsoft Teams admin center, manage RSC through the setting, “Users can consent to apps accessing company data for the groups they own.”

  • By default the RSC setting mirrors the setting, “Users can consent to apps accessing company data on their behalf.”
    • If users can consent to accessing company data, they can also consent to accessing company data in groups they own.
    • If a user cannot consent to apps accessing company data for the groups they own, they cannot install RSC apps.
  • If you do not want your Team owners to be able to use RSC approvals for apps, you can disable this feature.
  • You may also limit the ability to consent to RSC apps to specific team owners, rather than all team owners.

In this example, all group owners are allowed to consent to apps accessing their group data.

Apps that have already been installed are not affected by this policy.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.