Blocked Teams app still prompts to join meetings

Jon Covey 5 Reputation points
2024-07-16T14:15:50.2933333+00:00

A user has installed the Read.ai app into Teams, and it has spread like wildfire without being approved. The app has been blocked at the tenant level; however, it is still requesting to join meetings, even when the users in the meetings have turned off the integration features and disabled/deleted their accounts. How can I completely block this app from requesting to join every meeting?

Microsoft Teams | Microsoft Teams for business | Other

4 answers

  1. Akbar Karimi 26 Reputation points
    2024-07-16T15:50:55.8333333+00:00

    Hi Jon,

    Thanks for posting your question. We encountered the same issue and had to block Read.ai from the Teams Admin Center. Here are the instructions you can follow:

    Go to the Microsoft Teams admin center at https://admin.teams.microsoft.com/

    Navigate to the Manage Apps Section:

    • In the left-hand sidebar, expand the Teams apps section.
    • Click on Manage apps.
    • Use the search bar to find the Read.ai app.
    • Click on the app name (Read.ai) to open its details.
    • In the app details page, you will see an option to block the app. Toggle the Status switch to Blocked.
    • Confirm your action to block the app. This will prevent users in your organization from using the Read.ai app in Microsoft Teams.
    • Side Note: Optionally, you can also manage app permission policies to control which apps are allowed or blocked for specific users or groups. In the left-hand sidebar, go to Teams apps > Permission policies. Edit an existing policy or create a new one to specify allowed and blocked apps. Assign the policy to users or groups as needed.

    Let me know if that works!

    Regards,

    Akbar


  2. Akbar Karimi 26 Reputation points
    2024-07-16T16:44:00.5266667+00:00

    Hi Jon,

    My pleasure and thanks for the update! I understand the issue with the app still requesting access. I'll continue to investigate the issue and will reach out if I find anything helpful.

    Regards,

    Akbar


  3. Pedro S 0 Reputation points
    2024-10-18T18:52:11.64+00:00

    Hi! I followed the instructions to block the Read AI app and it worked, but only to prevent users from downloading and installing the app; users who had installed the app before we blocked it are still able to run it. Any suggestions? Thanks.

    Regards,

    Pedro S.


  4. Jon Covey 5 Reputation points
    2024-10-18T19:01:09.04+00:00

    Update: Was able to revoke user-assigned rights via PowerShell.

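    # Connect to Microsoft Graph with scopes that allow removing assignments and grants
    Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
    # Get Service Principal using objectId
    $sp = Get-MgServicePrincipal -ServicePrincipalId c4388f37-5283-474f-9d95-dee17b94f5d3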
    # Get MS Graph App role assignments using objectId of the Service Principal
    $assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
    # Remove all users and groups assigned to the application
    $assignments | ForEach-Object {
        if ($_.PrincipalType -eq "User") {
            Remove-MgUserAppRoleAssignment -UserId $_.PrincipalId -AppRoleAssignmentId $_.Id
        } elseif ($_.PrincipalType -eq "Group") {
            Remove-MgGroupAppRoleAssignment -GroupId $_.PrincipalId -AppRoleAssignmentId $_.Id
        }
    }
    
    # Get Service Principal using objectId
    $sp = Get-MgServicePrincipal -ServicePrincipalId c4388f37-5283-474f-9d95-dee17b94f5d3
    # Get all delegated permissions for the service principal
    $spOAuth2PermissionsGrants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
    # Remove all delegated permissions
    $spOAuth2PermissionsGrants | ForEach-Object {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
    }
    # Get all application permissions for the service principal
    $spApplicationPermissions = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    # Remove all app role assignments
    $spApplicationPermissions | ForEach-Object {
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $_.PrincipalId -AppRoleAssignmentId $_.Id
    }
    
    # Get Service Principal using objectId
    $sp = Get-MgServicePrincipal -ServicePrincipalId c4388f37-5283-474f-9d95-dee17b94f5d3
    # Get MS Graph App role assignments using objectId of the Service Principal
    $assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All | Where-Object {$_.PrincipalType -eq "User"}
    # Revoke refresh token for all users assigned to the application
    $assignments | ForEach-Object {
        Invoke-MgInvalidateUserRefreshToken -UserId $_.PrincipalId
    }
    
    
    

    Hope this helps.

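A read-only check to run before and after the revocation script in the answer above, to confirm that no user assignments, delegated grants or application permissions remain tied to the app. This is an added example, not part of any answer in the thread; `Get-AppAccessReport` and the placeholder object ID are assumptions, and because a service principal's object ID is specific to each tenant, the ID quoted in the thread will not match yours.

```powershell
# Added example, not from the original answer. Read-only: it removes nothing.
# Get-AppAccessReport is a hypothetical helper name.
function Get-AppAccessReport {
    param(
        # Object ID of the app's service principal in your own tenant
        [Parameter(Mandatory)] [string] $ServicePrincipalId
    )

    $sp = Get-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId

    # Users and groups still assigned to the application
    $assigned = @(Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All)
    # Delegated grants: ConsentType "AllPrincipals" = admin consent for everyone,
    # "Principal" = consent that applies to a single user
    $grants = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)
    # Application permissions held by the service principal itself
    $appRoles = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)

    [pscustomobject]@{
        DisplayName      = $sp.DisplayName
        AppId            = $sp.AppId
        AccountEnabled   = $sp.AccountEnabled
        AssignedUsers    = @($assigned | Where-Object PrincipalType -eq 'User').Count
        AssignedGroups   = @($assigned | Where-Object PrincipalType -eq 'Group').Count
        TenantWideGrants = @($grants | Where-Object ConsentType -eq 'AllPrincipals').Count
        PerUserGrants    = @($grants | Where-Object ConsentType -eq 'Principal').Count
        AppPermissions   = $appRoles.Count
        # Zero here means the revocation left nothing behind
        Remaining        = $assigned.Count + $grants.Count + $appRoles.Count
        # Grant detail, for follow-up with the users who consented
        GrantDetail      = $grants | Select-Object Id, ConsentType, PrincipalId, Scope
    }
}

# Usage (placeholder object ID; take the real one from Enterprise applications):
# Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"
# $report = Get-AppAccessReport -ServicePrincipalId "<service-principal-object-id>"
# $report | Format-List
# if ($report.Remaining -gt 0) { Write-Warning "Assignments or grants still exist" }
```

A non-zero `PerUserGrants` count after cleanup usually means users have consented again, which points at the tenant's user consent settings rather than at the revocation script.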
