Resource-specific consent in Microsoft Teams
Resource-specific consent (RSC) is a Microsoft Teams and Microsoft Graph API integration that enables apps to use API endpoints to manage specific resources of a team within your organization. The RSC permissions enable team owners to grant consent for an application to access and modify a team's data. Resource-specific consent in Microsoft Teams lets team owners give consent to apps to access team data. Examples of such access include the ability to read channel messages, create and delete channels, and create and remove channel tabs.
As an admin, you control whether team owners in your organization can give consent through settings that you configure by using the Microsoft Graph PowerShell module or the Azure portal and the Microsoft Teams admin center.
Set whether team owners can give consent to apps
Here are the settings that you must set to control whether team owners can give consent to apps. Be sure to review all the following settings.
Settings in Microsoft Entra admin center
The following two settings determine whether team owners can give consent to apps.
Important
Changing any of these settings doesn't affect data access for apps that were already granted consent. For example, if you configure these settings to prevent team owners from giving consent, these changes don't remove data access that's already been granted.
The Users can consent to apps accessing company data on their behalf setting
This setting controls whether users in your organization can consent to apps on their behalf. To enable team owners to give consent, this setting must be set to Yes. To manage this setting, do the following:
- In the Azure portal, go to Enterprise applications > User settings.
- Under Enterprise applications, set Users can consent to apps accessing company data on their behalf to No or Yes.
You can also manage this setting using PowerShell. To learn more, see Configure user content to applications.
Control to let group owners consent to apps that access company data
This setting controls whether users in your organization can consent to apps accessing company data for the groups that they own. This setting must be enabled for team owners to give consent. For steps on how to manage this setting by using PowerShell, see Configure group owner consent to apps accessing group data.
Settings in the Microsoft Teams admin center
In addition to settings in Microsoft Entra ID, org-wide app settings on the Manage apps page, whether an app is blocked or allowed on the Manage apps page, and the app permission policy assigned to the team owner determine whether a team owner can give consent.
Important
Changing any of these settings doesn't affect data access for apps that were already granted consent. For example, if you disable third-party apps org-wide or if you block specific apps to prevent team owners from giving consent, these changes don't remove data access that's already been granted.
The Allow third party apps option in org-wide app settings
This org-wide app setting controls whether users in your organization can use third-party apps. This setting must be on to enable team owners to give consent. To manage this setting, do the following:
Sign in to the Teams admin center and access Teams apps > Manage apps.
Select Org-wide app settings and under Third party apps, turn off or turn on Allow third party apps.
It may take up to 24 hours for your changes to take effect.
Allow or block the app at the org level
When you block or allow an app on the Manage apps page, that app is blocked or allowed for all users in your organization. Team owners can only give consent to an app if the app is allowed. To allow or block an app at the org level, do the following:
- Sign in to the Teams admin center and access Teams apps > Manage apps.
- On the Manage apps page, select the app, and then select Block to block it or select Allow to allow it.
App permission policy assigned to the team owner
Team owners can only give consent to apps that their app permission policy allows them to run. To view and manage the app permission policy that's assigned to a team owner, do the following:
In the left navigation of the Microsoft Teams admin center, go to Users.
Double-click the display name of the team owner, and then select Policies.
The policy assigned to the team owner is listed under App permission policy.
- To assign a different policy, select Edit, and then select the policy that you want to assign.
- To edit the settings of the policy that's assigned to the team owner, select the policy name, and then make the changes that you want.
Upload custom apps
When uploading a custom app that uses resource-specific consent, the app must come from the tenant that it's being installed to. In other words, the Microsoft Entra app registration must be from this tenant. Global admins are exempted from this restriction, and can upload custom apps from any tenant, either directly to a team or to the tenant app catalog.
Related articles
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for