A question I often get asked is “How to assign Teams policies to a group of users?”. The answer to this question is quite involved. In this article, I will explain all the possible options available to you.
Microsoft Teams has a large feature set. By default, all features are turned on and available for user consumption. However, organisations may want to apply restrictions on some features for some user groups within their company.
To do this, Microsoft Teams has the ability for administrators to manage what features are available to users by creating feature component policies. These policies target a specific component within Microsoft Teams and turn on or off sub features for users who have the policy applied.
It is a very granular and effective way to implement compliance into an organisation as well as providing a cleaner interface to users who do not need a full feature set.
At the time of writing, there are a whopping 37 different Teams components that can be restricted by policy assignments. These are:
|Teams App Permissions Policy|
|Teams App Setup Policy|
|Teams Audio Conferencing Policy|
|Teams Calling Policy|
|Teams Call Park Policy|
|Teams Caller ID Policy|
|Teams Compliance Recording Policy|
|Teams Cortana Policy|
|Teams Emergency Call Routing Policy|
|Teams Enhanced Encryption Policy|
|Teams Events Policy|
|Teams Files Policy|
|Teams IP Phone Policy|
|Teams Media Logging Policy|
|Teams Meeting Broadcast Policy|
|Teams Mobility Policy|
|Teams Network Roaming Policy|
|Teams Notifications and Feeds Policy|
|Teams Room Video Teleconferencing Policy|
|Teams Shifts App Policy|
|Teams Shifts Policy|
|Teams Survivable Branch Appliance Policy|
|Teams Targeting Policy|
|Teams Upgrade Policy|
|Teams VDI Policy|
|Teams Video Interop Policy|
|Teams Voice Applications Policy|
|Teams Workload Policy|
|Teams Call Hold Policy|
|Teams Channels Policy|
|Teams Emergency Calling Policy|
|Teams Feedback Policy|
|Teams Meeting Branding Policy|
|Teams Meeting Policy|
|Teams Messaging Policy|
|Teams Update Management Policy|
How Are Teams Policies Are Applied?
Microsoft Teams policy assignments follow a hierarchical approach when assigned. Each component has a Global policy. The Global policy is automatically created with Teams and should never be modified or deleted.
The Global policy contains the presets for each sub-feature. In almost all cases, this preset is set to ON or the most favoured setting for Teams.
Administrators can then create custom policies for each component that are targeted towards each user group. These policies will alter the default setting for that component when applied to a user. These are called User Policies.
When assigning to a user, the policy setting that has changed from the Global setting will be inherited for that user. For example; if a calling setting is set to Allow in the global policy, but set to Disallow in the assigned user policy, the effective policy setting for the affected user is Disallow.
A user can only have one user policy assigned per component.
How to Assign Teams Policies To A User?
There are two ways to assign a policy to a user. The first is to use the Teams Admin Center. Login as an administrator, find the user and then click on the policies tab for the user and then click the edit button.
This will then open a configuration blade on the right where you can select what policies to apply to this user.
The second method is to use Microsoft Teams PowerShell module. Each policy will need to be explicitly granted by its own commandlet using the below example:
Grant-CsCallingPolicy -Identity email@example.com -PolicyName "custom policy identity"
To find a full list of policy grant commands use the command below
When assigning a user policy it can take up to 24 hours for the policy to become effective. This is due to the Teams client cache. To force an update, close the Teams client and clear the cache.
How to assign Teams Policies to a Group of Users?
Assigning Teams policies to groups of users can be performed in three ways.
- PowerShell Scripting
- Group Policy Assignment
- Microsoft Teams Policy Packages
Assigning Teams Policies Using PowerShell
This method is used commonly within organisations and is usually part of a provisioning script created by IT. There are a two ways these scripts are implemented.
- Standalone PowerShell script that performs a specific set of instructions that is run manually or via scheduled task
- A script that runs as part of an automation process flow using Power Automate and Azure Runbooks
There are pro’s and con’s for using PowerShell scripting, but often this is the only cost effective way to automate and manage user provisioning along with policy assignments.
- If your organisation posesses the skills to create a script it allows you to tailor this into your existing MACD user provisioning process
- Free to create using existing frameworks and modules
- Quick to implement and consume
- Fairly cheap to run – requires Power Automate Per User License or per run to automate using Azure Runbooks
- Script is internally supported. If the knowledge leaves the business, then the solution is unsupported
- Total cost of ownership may be higher than a vendor solution due to in house engineering effort
- Requires constant monitoring and maintenance
- Solution is dispersed over multiple micro services. Not easy to understand.
Group Policy Assignment
Another way to assign Teams policies to groups of users is to use Microsoft Teams Group Policy Assignment. Not to be confused with Active Directory Group Policy, this is Teams only feature.
Group Policy Assignment in Teams uses AzureAD Group membership and maps these to a specific policy within a Teams component.
Create an AzureAD group for each user demographic and then configure Teams to assign Teams policies to members of that group based on the mapping created in Teams Admin Center.
You can select in what order these policies are applied using the ranking system.
Where a user is a member of more than one group, the effective policy for that user will be the policy that ranks highest in that user policy assignment.
- Allows you to group your users together based on common business grouping rules
- Allows you to define a set of policies to apply to each user group using native Microsoft features you already pay for
- Does not require scripting or automation
- Saves time in MACD / user provisioning processes and enforces a level of standardisation
- Not all policies are supported for Group Policy Assignment. Policies like the voice policy and phone number are not compatible and need to be applied independently
- Requires extensive documentation to ensire that group matrices are maintained for each user group
- Managing group membership requires additional effort in scripting / automating
- Can get very complex to understand for IT teams in large organisations
Policy Packages in Teams allow administrators to create a package of policies and apply that package to a Teams user.
This combines the best of both of the alternative solutions available by allowing administrators to reduces the overhead of policy assignment in Teams. Simply, create a package containing all the Teams policies you want to assign to a particular user group and then apply that package in one step to those users, either by PowerShell or by Group Package Assignment.
The biggest consideration for using Policy Packages is that it requires Teams Premium user license which costs $12.00 per user per month on top of their standard Teams license.
Therefore, this becomes a significant investment for organisations who want to use this feature. Of course, the value of Teams Premium should be evaluated across all its feature offerings. However, if you do want to use this feature for all your users, then it means that everyone needs the Teams Premium uplift and not just selective ones.
What if there was a free alternative?
How Using Callroute User Persona Management Helps Your Organisation
Did you know that you can use Callroute’s user persona management to assign Teams policies to all your users, including non-voice users for no additional cost?
Using our user persona management, administrators can create personas in a similar way to Teams policy packages. Create a persona that matches each of your user groups and then add in each Teams component policy that should be applied to users affected by the persona. Then simply apply that to the user in our self service portal and job done!
Callroute’s user persona management for Microsoft Teams synchronises the Teams policies you create in your Teams Admin Center and allows you to create unlimited personas for both your voice and non-voice enabled users.
Using Callroute User Personas combined with our number management capability, administrators can now set all Teams policies and automatically assign the next free number in a given range to users who are assigned this persona.
Crucially, user persona’s also work with your non-voice users too. Create a persona without a number range to apply just the Teams policies to your non-voice users.
With our platform, you only pay for your active Callroute voice users. Your non-voice users (information workers) can still be managed for group Teams policy assignment by using Callroute user persona’s for absolutely free potentially saving your organisation thousands in operational costs.
If you would like to try this in your organisation, you can sign up for a free 30 day trial of Callroute today.