Office Protect Event - New Teams App Installed
This event warns of any new application installed in Teams for the first time, whether it is installed org-wide, in a meeting, in a conversation, or in a specific team.
Office Protect includes the application name and ID as well as the name and email of the user who installed it to allow you to investigate why this application was added by the user and make an informed decision about its usage.
It's essential to closely audit apps that are installed by your users. An app that has been certified by Microsoft may seem harmless on its own, but these might also have vulnerabilities that can expose company data.
We recommend that you restrict app installation and consent in Teams to Admins. All applications installed in Teams should be reviewed by an admin to confirm it respects your data retention and privacy policies and does not expose your organization.
If an unwanted application was added, as a Teams Admin, you can remove it and block it from available apps to ensure no further user downloads it.
To do so, navigate to Teams Admin Center, go to the Teams Apps - Manage Apps page, locate the app in question and select it. Select 'Block" in the top bar buttons, confirm the action by clicking "Block" again. This will now block the application at the org level, meaning that for users/teams/meetings that had downloaded the application, they will no longer see it nor be able to use it. Additionally, no user can download the blocked application as it no longer appears in the App Store.
For Microsoft documentation on how to manage apps in Teams Admin Center click here.
Note: Blocking the application does not remove your data from the application, the application may still access some data from where it was installed. To ensure no data is captured anymore, you must remove the data access permission. You will need a Global Admin, Application Admin, or Cloud Application Admin user to go in Azure Active Directory admin center and set to False "Enable for users to sign in?". Follow the steps described here Disable how a user signs in - Azure AD | Microsoft Docs