Assign Teams policies to a group of users

How To Assign Teams Policies To A Group Of Users?

A question I often get asked is “How to assign Teams policies to a group of users?”. The answer to this question is quite involved. In this article, I will explain all the possible options available to you.

Microsoft Teams has a large feature set. By default, all features are turned on and available for user consumption. However, organisations may want to apply restrictions on some features for some user groups within their company.

To do this, Microsoft Teams has the ability for administrators to manage what features are available to users by creating feature component policies. These policies target a specific component within Microsoft Teams and turn on or off sub features for users who have the policy applied.

It is a very granular and effective way to implement compliance into an organisation as well as providing a cleaner interface to users who do not need a full feature set.

At the time of writing, there are a whopping 37 different Teams components that can be restricted by policy assignments. These are:

Policy
Dial Plan
Teams App Permissions Policy
Teams App Setup Policy
Teams Audio Conferencing Policy
Teams Calling Policy
Teams Call Park Policy
Teams Caller ID Policy
Teams Compliance Recording Policy
Teams Cortana Policy
Teams Emergency Call Routing Policy
Teams Enhanced Encryption Policy
Teams Events Policy
Teams Files Policy
Teams IP Phone Policy
Teams Media Logging Policy
Teams Meeting Broadcast Policy
Teams Mobility Policy
Teams Network Roaming Policy
Teams Notifications and Feeds Policy
Teams Room Video Teleconferencing Policy
Teams Shifts App Policy
Teams Shifts Policy
Teams Survivable Branch Appliance Policy
Teams Targeting Policy
Teams Upgrade Policy
Teams VDI Policy
Teams Video Interop Policy
Teams Voice Applications Policy
Teams Workload Policy
Teams Call Hold Policy
Teams Channels Policy
Teams Emergency Calling Policy
Teams Feedback Policy
Teams Meeting Branding Policy
Teams Meeting Policy
Teams Messaging Policy
Teams Update Management Policy

How Are Teams Policies Applied?

Microsoft Teams policy assignments follow a hierarchical approach when assigned. Each component has a Global policy. The Global policy is automatically created with Teams and should never be modified or deleted.

The Global policy contains the presets for each sub-feature. In almost all cases, this preset is set to ON or the most favoured setting for Teams.

Administrators can then create custom policies for each component that are targeted towards each user group. These policies will alter the default setting for that component when applied to a user. These are called User Policies.

When a policy is assigned to a user, any setting that differs from the Global policy takes effect for that user. For example, if a calling setting is set to Allow in the Global policy but set to Disallow in the assigned user policy, the effective policy setting for the affected user is Disallow.

A user can only have one user policy assigned per component.

How to Assign Teams Policies To A User?

There are two ways to assign a policy to a user. The first is to use the Teams Admin Center. Log in as an administrator, find the user, click on the policies tab for the user and then click the edit button.

How to Assign Teams Policies to a User

This will then open a configuration blade on the right where you can select what policies to apply to this user.

Assigning a Teams Policy to a User

The second method is to use the Microsoft Teams PowerShell module. Each policy needs to be explicitly granted by its own cmdlet, as in the example below (the user address is a placeholder):

Grant-CsTeamsCallingPolicy -Identity user@example.com -PolicyName "custom policy identity"

To find a full list of policy grant commands, use the command below:

Get-Command Grant-CsTeams*Policy

When assigning a user policy it can take up to 24 hours for the policy to become effective. This is due to the Teams client cache. To force an update, close the Teams client and clear the cache.

How to assign Teams Policies to a Group of Users?

Assigning Teams policies to groups of users can be performed in three ways.

  1. PowerShell Scripting
  2. Group Policy Assignment
  3. Microsoft Teams Policy Packages

Assigning Teams Policies Using PowerShell

This method is commonly used within organisations and is usually part of a provisioning script created by IT. There are two ways these scripts are implemented.

  1. Standalone PowerShell script that performs a specific set of instructions that is run manually or via scheduled task
  2. A script that runs as part of an automation process flow using Power Automate and Azure Runbooks

There are pros and cons to using PowerShell scripting, but often this is the only cost-effective way to automate and manage user provisioning along with policy assignments.

Pros

  • If your organisation possesses the skills to create a script, it allows you to tailor this into your existing MACD user provisioning process
  • Free to create using existing frameworks and modules
  • Quick to implement and consume
  • Fairly cheap to run – requires Power Automate Per User License or per run to automate using Azure Runbooks

Cons

  • Script is internally supported. If the knowledge leaves the business, then the solution is unsupported
  • Total cost of ownership may be higher than a vendor solution due to in house engineering effort
  • Requires constant monitoring and maintenance
  • Solution is dispersed over multiple micro services. Not easy to understand.
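A standalone provisioning script of the kind described above, as an added example that is not part of the original article. It assumes the MicrosoftTeams and Microsoft.Graph.Groups modules are installed, that the caller supplies the object ID of an existing Entra ID (Azure AD) group and the name of an existing custom meeting policy, and it uses the Teams batch assignment cmdlets rather than one Grant call per user.

```powershell
#Requires -Modules MicrosoftTeams, Microsoft.Graph.Groups
param(
    [Parameter(Mandatory)] [string] $GroupId,     # object ID of the Entra ID group (supplied by caller)
    [Parameter(Mandatory)] [string] $PolicyName   # name of an existing custom Teams meeting policy
)
$ErrorActionPreference = 'Stop'

Connect-MicrosoftTeams | Out-Null
Connect-MgGraph -Scopes 'GroupMember.Read.All'

# Stop here if the policy name is mistyped, before any user is touched.
Get-CsTeamsMeetingPolicy -Identity $PolicyName | Out-Null

# Direct members that are users (skips nested groups, devices and service principals).
$userIds = @(Get-MgGroupMember -GroupId $GroupId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    ForEach-Object { $_.Id })

# One batch operation accepts up to 5,000 users, so submit in chunks.
$batchSize = 5000
for ($i = 0; $i -lt $userIds.Count; $i += $batchSize) {
    $last  = [Math]::Min($i + $batchSize, $userIds.Count) - 1
    $chunk = $userIds[$i..$last]
    $opId  = New-CsBatchPolicyAssignmentOperation -PolicyType TeamsMeetingPolicy `
                 -PolicyName $PolicyName -Identity $chunk `
                 -OperationName "Meeting policy '$PolicyName' for group $GroupId"

    # Poll until the service has processed the batch (give up after 30 minutes).
    $tries = 0
    do {
        Start-Sleep -Seconds 30
        $op = Get-CsBatchPolicyAssignmentOperation -OperationId $opId
        $tries++
    } while ($op.OverallStatus -ne 'Completed' -and $tries -lt 60)

    if ($op.OverallStatus -ne 'Completed') {
        Write-Warning "Batch $opId still '$($op.OverallStatus)'; check it again later."
        continue
    }

    # Surface per-user failures instead of assuming the whole batch succeeded.
    $op.UserState | Where-Object { $_.Result -ne 'Success' } | Select-Object Id, Result
}
```

Run it under an account that holds only the Teams administration role it needs, and log the output so failed assignments are followed up rather than silently leaving users on the Global policy.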

Group Policy Assignment

Another way to assign Teams policies to groups of users is to use Microsoft Teams Group Policy Assignment. Not to be confused with Active Directory Group Policy, this is a Teams-only feature.

Group Policy Assignment in Teams uses AzureAD Group membership and maps these to a specific policy within a Teams component.

Microsoft Teams Group Policy Assignment

Create an AzureAD group for each user demographic and then configure Teams to assign Teams policies to members of that group based on the mapping created in Teams Admin Center.

You can select in what order these policies are applied using the ranking system.

Where a user is a member of more than one group, the effective policy for that user will be the policy that ranks highest in that user policy assignment.
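The group mapping and ranking described above can also be created and checked from PowerShell. The following is an added example, not code from the original article; the group ID, policy name and user list are parameters the caller supplies. Beyond the ranking between groups, it also reports users who hold a direct (per-user) assignment, because in Teams a direct assignment takes precedence over any group assignment of the same policy type.

```powershell
#Requires -Modules MicrosoftTeams
param(
    [Parameter(Mandatory)] [string]   $GroupId,     # Entra ID group object ID (supplied by caller)
    [Parameter(Mandatory)] [string]   $PolicyName,  # name of an existing custom meeting policy
    [Parameter(Mandatory)] [string[]] $UserId,      # UPNs or object IDs of the users to audit
    [int] $Rank = 1                                  # 1 is the highest rank
)
$ErrorActionPreference = 'Stop'
$policyType = 'TeamsMeetingPolicy'
Connect-MicrosoftTeams | Out-Null

# Create the group-to-policy mapping only if this group has none for the policy type.
$mapped = Get-CsGroupPolicyAssignment -PolicyType $policyType |
    Where-Object { $_.GroupId -eq $GroupId }
if (-not $mapped) {
    New-CsGroupPolicyAssignment -GroupId $GroupId -PolicyType $policyType `
        -PolicyName $PolicyName -Rank $Rank
}

# For each user, list where the policy of this type comes from.
# New group mappings take time to propagate, so audit again later as well.
$report = foreach ($id in $UserId) {
    $sources = @(Get-CsUserPolicyAssignment -Identity $id -PolicyType $policyType |
        Select-Object -ExpandProperty PolicySource)
    $direct = @($sources | Where-Object { $_.AssignmentType -eq 'Direct' })
    $group  = @($sources | Where-Object { $_.AssignmentType -eq 'Group' })

    $finding = if ($direct.Count -gt 0 -and $group.Count -gt 0) {
        'Direct assignment overrides group policy'
    } elseif ($sources.Count -eq 0) {
        'No assignment: Global policy applies'
    } elseif ($group.Count -gt 1) {
        'Several groups: highest rank wins'
    } else {
        'OK'
    }

    [pscustomobject]@{
        User          = $id
        DirectPolicy  = ($direct | ForEach-Object { $_.PolicyName }) -join ', '
        GroupPolicies = ($group  | ForEach-Object { $_.PolicyName }) -join ', '
        Finding       = $finding
    }
}
$report | Format-Table -AutoSize
```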

Pros

  • Allows you to group your users together based on common business grouping rules
  • Allows you to define a set of policies to apply to each user group using native Microsoft features you already pay for
  • Does not require scripting or automation
  • Saves time in MACD / user provisioning processes and enforces a level of standardisation

Cons

  • Not all policies are supported for Group Policy Assignment. Policies like the voice policy and phone number are not compatible and need to be applied independently
  • Requires extensive documentation to ensure that group matrices are maintained for each user group
  • Managing group membership requires additional effort in scripting / automating
  • Can get very complex to understand for IT teams in large organisations

Policy Packages

Policy Packages in Teams allow administrators to create a package of policies and apply that package to a Teams user.

Policy Packages for Microsoft Teams

This combines the best of both of the alternative solutions available by allowing administrators to reduce the overhead of policy assignment in Teams. Simply create a package containing all the Teams policies you want to assign to a particular user group and then apply that package in one step to those users, either by PowerShell or by Group Package Assignment.

The biggest consideration for using Policy Packages is that it requires a Teams Premium user license, which costs $12.00 per user per month on top of the standard Teams license.

Therefore, this becomes a significant investment for organisations who want to use this feature. Of course, the value of Teams Premium should be evaluated across all its feature offerings. However, if you do want to use this feature for all your users, then it means that everyone needs the Teams Premium uplift and not just selective ones.

What if there was a free alternative?

How Using Callroute User Persona Management Helps Your Organisation

Did you know that you can use Callroute’s user persona management to assign Teams policies to all your users, including non-voice users for no additional cost?

Using our user persona management, administrators can create personas in a similar way to Teams policy packages. Create a persona that matches each of your user groups and then add in each Teams component policy that should be applied to users affected by the persona. Then simply apply that to the user in our self service portal and job done!

Assign Teams Policies to Users using Callroute

Callroute’s user persona management for Microsoft Teams synchronises the Teams policies you create in your Teams Admin Center and allows you to create unlimited personas for both your voice and non-voice enabled users.

Assigning a Number Range to a Callroute User Persona

Using Callroute User Personas combined with our number management capability, administrators can now set all Teams policies and automatically assign the next free number in a given range to users who are assigned this persona.

Crucially, user personas also work with your non-voice users. Create a persona without a number range to apply just the Teams policies to your non-voice users.

Teams policy assignment

With our platform, you only pay for your active Callroute voice users. Your non-voice users (information workers) can still be managed for group Teams policy assignment by using Callroute user personas for absolutely free, potentially saving your organisation thousands in operational costs.

If you would like to try this in your organisation, you can sign up for a free 30 day trial of Callroute today.
