New Method to Control Teams App Management?

[zachurrutia]

Microsoft has done away with managing Teams apps via Policy

How do we address controls TEAMS 5.1-5.3 in this case? Given that the instructions

https://github.com/cisagov/ScubaGear/blob/v1.4.0/PowerShell/ScubaGear/baselines/teams.md#5-app-management

Are no longer correct?

Thanks.

[nanda-katikaneni]

Thanks for raising the issue - will do more analysis and take appropriate action. In the first look, seems we do have to update implementation instructions for MS.TEAMS.5.1v1-5.3v1.

Microsoft seems to have started this migration in Feb 25. For tenants with current App permission policies, seems the migration can be either automatic (for tenants with a single/global app permission policy) or a manual migration to 'Manage apps' config. In either case the functionality does not change but we may have to update ScubaGear code (from checking the app policy config to checking app-centric config).

[zachurrutia]

Thanks, Nanda. I am trying to implement this to be compliant with this control. Does the SCuBA team have any guidance with how to proceed on the Microsoft end? Zach Urrutia IT Systems Engineer [Agilyx]<https://www.agilyx.com/> 104 Washington Street, Dover, NH 03820 agilyx.com<https://www.agilyx.com/> | LinkedIn<https://www.linkedin.com/company/agilyx/> From: Nanda Katikaneni ***@***.***> Sent: Tuesday, March 25, 2025 9:51 AM To: cisagov/ScubaGear ***@***.***> Cc: Zach Urrutia ***@***.***>; Author ***@***.***> Subject: [EXTERNAL]-Re: [cisagov/ScubaGear] New Method to Control Teams App Management? (Issue #1651) CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. You don't often get email from ***@***.*** Learn why this is important<https://url.avanan.click/v2/r01/___https://aka.ms/LearnAboutSenderIdentification___.YXAzOmFnaWx5eDphOm86MTU4MzdkNTdkODNlM2MyNGYxODc5Zjg0MjU4NTE3YjM6NzphZGI3OjdhZDkyMzBkYmE1ZmJhNzRlZGZmMDMxOTFmY2I2MzMzN2EwMWU3ZjI1OTJjYzk2ODYzNWJlYTQ2MzgyOGQ1NzI6aDpUOk4> Thanks for raising the issue - will do more analysis and take appropriate action. In the first look, seems we do have to update implementation instructions for MS.TEAMS.5.1v1-5.3v1. Microsoft seems to have started this migration in Feb 25. For tenants with current App permission policies, seems the migration can be either automatic (for tenants with a single/global app permission policy) or a manual migration to 'Manage apps' config. In either case the functionality does not change but we may have to update ScubaGear code (from checking the app policy config to checking app-centric config). - Reply to this email directly, view it on GitHub<https://url.avanan.click/v2/r01/___https://github.com/cisagov/ScubaGear/issues/1651%23issuecomment-2751333666___.YXAzOmFnaWx5eDphOm86MTU4MzdkNTdkODNlM2MyNGYxODc5Zjg0MjU4NTE3YjM6NzplMDFhOmY3MjlhOTcxMjViODdiMTI5ODZiYWFmZjNiMjgwM2Q4Y2NjMGE0MTc0NjAzOTk0ZGMwMDQ1ZTU4ZjBjNDA5NWM6aDpUOk4>, or unsubscribe<https://url.avanan.click/v2/r01/___https://github.com/notifications/unsubscribe-auth/BHLD34HUHNIEX6A3KYDVZRT2WFNL5AVCNFSM6AAAAABZVMGDU2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDONJRGMZTGNRWGY___.YXAzOmFnaWx5eDphOm86MTU4MzdkNTdkODNlM2MyNGYxODc5Zjg0MjU4NTE3YjM6NzpkZmEwOjhmMzU0MGU2Y2YyZGZmOWIxNDk3NmIzMWYxODg4NmZhY2EwMTJiMTMwMDJkZjljYWQ4NjMyNGU1Mjg0MjQ5YTM6aDpUOk4>. You are receiving this because you authored the thread.Message ID: ***@***.***> [Image removed by sender. nanda-katikaneni]nanda-katikaneni left a comment (cisagov/ScubaGear#1651)<https://url.avanan.click/v2/r01/___https://github.com/cisagov/ScubaGear/issues/1651%23issuecomment-2751333666___.YXAzOmFnaWx5eDphOm86MTU4MzdkNTdkODNlM2MyNGYxODc5Zjg0MjU4NTE3YjM6NzozMGM0OjNiYzc5NTc5MTgwOTg1NjlkOWI4Y2NmNzBiOTgzZjI1ODRmZTI2Yjc0YzYwNzA0MGRiMzAyN2E2MzYyNGQxMjU6aDpUOk4> Thanks for raising the issue - will do more analysis and take appropriate action. In the first look, seems we do have to update implementation instructions for MS.TEAMS.5.1v1-5.3v1. Microsoft seems to have started this migration in Feb 25. For tenants with current App permission policies, seems the migration can be either automatic (for tenants with a single/global app permission policy) or a manual migration to 'Manage apps' config. In either case the functionality does not change but we may have to update ScubaGear code (from checking the app policy config to checking app-centric config). - Reply to this email directly, view it on GitHub<https://url.avanan.click/v2/r01/___https://github.com/cisagov/ScubaGear/issues/1651%23issuecomment-2751333666___.YXAzOmFnaWx5eDphOm86MTU4MzdkNTdkODNlM2MyNGYxODc5Zjg0MjU4NTE3YjM6NzphZDY0OjgwYTFmNmJhOTI1Y2EzZDc2Mjg4NzRkOTQzMmMzZjIwYjQwN2IwNWRlYTk0MTg0ZjhiMjUxNWJjYmQ0NjMxOGU6aDpUOk4>, or unsubscribe<https://url.avanan.click/v2/r01/___https://github.com/notifications/unsubscribe-auth/BHLD34HUHNIEX6A3KYDVZRT2WFNL5AVCNFSM6AAAAABZVMGDU2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDONJRGMZTGNRWGY___.YXAzOmFnaWx5eDphOm86MTU4MzdkNTdkODNlM2MyNGYxODc5Zjg0MjU4NTE3YjM6NzoxMjAxOmNlNDI1YWYyZGVmNGZmYzk2NmQwNTRhNjJhZmU4ZDQ5MTdjNTMyNWQ0MDhjMzBmZmM2M2EzYTgzOWYyMzZkZmQ6aDpUOk4>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[zachurrutia]

Does CISA have an idea of when this change may be implemented? Zach Urrutia IT Systems Engineer [Agilyx]<https://www.agilyx.com/> agilyx.com<https://www.agilyx.com/> | LinkedIn<https://www.linkedin.com/company/agilyx/> From: Nanda Katikaneni ***@***.***> Sent: Tuesday, March 25, 2025 9:51 AM To: cisagov/ScubaGear ***@***.***> Cc: Zach Urrutia ***@***.***>; Author ***@***.***> Subject: [EXTERNAL]-Re: [cisagov/ScubaGear] New Method to Control Teams App Management? (Issue #1651) CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. You don't often get email from ***@***.*** Learn why this is important<https://url.avanan.click/v2/r01/___https://aka.ms/LearnAboutSenderIdentification___.YXAzOmFnaWx5eDphOm86MTU4MzdkNTdkODNlM2MyNGYxODc5Zjg0MjU4NTE3YjM6NzphZGI3OjdhZDkyMzBkYmE1ZmJhNzRlZGZmMDMxOTFmY2I2MzMzN2EwMWU3ZjI1OTJjYzk2ODYzNWJlYTQ2MzgyOGQ1NzI6aDpUOk4> Thanks for raising the issue - will do more analysis and take appropriate action. In the first look, seems we do have to update implementation instructions for MS.TEAMS.5.1v1-5.3v1. Microsoft seems to have started this migration in Feb 25. For tenants with current App permission policies, seems the migration can be either automatic (for tenants with a single/global app permission policy) or a manual migration to 'Manage apps' config. In either case the functionality does not change but we may have to update ScubaGear code (from checking the app policy config to checking app-centric config). - Reply to this email directly, view it on GitHub<https://url.avanan.click/v2/r01/___https://github.com/cisagov/ScubaGear/issues/1651%23issuecomment-2751333666___.YXAzOmFnaWx5eDphOm86MTU4MzdkNTdkODNlM2MyNGYxODc5Zjg0MjU4NTE3YjM6NzplMDFhOmY3MjlhOTcxMjViODdiMTI5ODZiYWFmZjNiMjgwM2Q4Y2NjMGE0MTc0NjAzOTk0ZGMwMDQ1ZTU4ZjBjNDA5NWM6aDpUOk4>, or unsubscribe<https://url.avanan.click/v2/r01/___https://github.com/notifications/unsubscribe-auth/BHLD34HUHNIEX6A3KYDVZRT2WFNL5AVCNFSM6AAAAABZVMGDU2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDONJRGMZTGNRWGY___.YXAzOmFnaWx5eDphOm86MTU4MzdkNTdkODNlM2MyNGYxODc5Zjg0MjU4NTE3YjM6NzpkZmEwOjhmMzU0MGU2Y2YyZGZmOWIxNDk3NmIzMWYxODg4NmZhY2EwMTJiMTMwMDJkZjljYWQ4NjMyNGU1Mjg0MjQ5YTM6aDpUOk4>. You are receiving this because you authored the thread.Message ID: ***@***.***> [Image removed by sender. nanda-katikaneni]nanda-katikaneni left a comment (cisagov/ScubaGear#1651)<https://url.avanan.click/v2/r01/___https://github.com/cisagov/ScubaGear/issues/1651%23issuecomment-2751333666___.YXAzOmFnaWx5eDphOm86MTU4MzdkNTdkODNlM2MyNGYxODc5Zjg0MjU4NTE3YjM6NzozMGM0OjNiYzc5NTc5MTgwOTg1NjlkOWI4Y2NmNzBiOTgzZjI1ODRmZTI2Yjc0YzYwNzA0MGRiMzAyN2E2MzYyNGQxMjU6aDpUOk4> Thanks for raising the issue - will do more analysis and take appropriate action. In the first look, seems we do have to update implementation instructions for MS.TEAMS.5.1v1-5.3v1. Microsoft seems to have started this migration in Feb 25. For tenants with current App permission policies, seems the migration can be either automatic (for tenants with a single/global app permission policy) or a manual migration to 'Manage apps' config. In either case the functionality does not change but we may have to update ScubaGear code (from checking the app policy config to checking app-centric config). - Reply to this email directly, view it on GitHub<https://url.avanan.click/v2/r01/___https://github.com/cisagov/ScubaGear/issues/1651%23issuecomment-2751333666___.YXAzOmFnaWx5eDphOm86MTU4MzdkNTdkODNlM2MyNGYxODc5Zjg0MjU4NTE3YjM6NzphZDY0OjgwYTFmNmJhOTI1Y2EzZDc2Mjg4NzRkOTQzMmMzZjIwYjQwN2IwNWRlYTk0MTg0ZjhiMjUxNWJjYmQ0NjMxOGU6aDpUOk4>, or unsubscribe<https://url.avanan.click/v2/r01/___https://github.com/notifications/unsubscribe-auth/BHLD34HUHNIEX6A3KYDVZRT2WFNL5AVCNFSM6AAAAABZVMGDU2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDONJRGMZTGNRWGY___.YXAzOmFnaWx5eDphOm86MTU4MzdkNTdkODNlM2MyNGYxODc5Zjg0MjU4NTE3YjM6NzoxMjAxOmNlNDI1YWYyZGVmNGZmYzk2NmQwNTRhNjJhZmU4ZDQ5MTdjNTMyNWQ0MDhjMzBmZmM2M2EzYTgzOWYyMzZkZmQ6aDpUOk4>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[nanda-katikaneni]

@zachurrutia, based on further testing this requires an update to implementation steps for MS.TEAMS.5.1v1-MS.TEAMS.5.3v1, this also need corresponding scubagear code changes. These updates will be made in one of our next sprints and are being tracked in #1663 and #1664. Thanks.