Office Protect Event - New Teams App Installed

This event warns of any new application installed in Teams for the first time, whether it is installed org-wide, in a meeting, in a conversation, or in a specific team.



Office Protect includes the application name and ID as well as the name and email of the user who installed it to allow you to investigate why this application was added by the user and make an informed decision about its usage. 


It's essential to closely audit apps that are installed by your users. An app that has been certified by Microsoft may seem harmless on its own, but it might also have vulnerabilities that can expose company data.


We recommend that you restrict app installation and consent in Teams to Admins. All applications installed in Teams should be reviewed by an admin to confirm they respect your data retention and privacy policies and do not expose your organization.



Remediation

If an unwanted application was added, you can, as a Teams Admin, remove it and block it from the available apps to ensure no other user downloads it.


To do so, navigate to Teams Admin Center, go to the Teams Apps - Manage Apps page, locate the app in question and select it. Select "Block" in the top bar buttons, then confirm the action by clicking "Block" again. This blocks the application at the org level, meaning that users, teams, and meetings that had downloaded the application will no longer see it or be able to use it. Additionally, no user can download the blocked application, as it no longer appears in the App Store.

For Microsoft documentation on how to manage apps in Teams Admin Center click here.   




Note: Blocking the application does not remove your data from the application; the application may still access some data from where it was installed. To ensure no more data is captured, you must remove the data access permission. You will need a Global Admin, Application Admin, or Cloud Application Admin user to go to the Azure Active Directory admin center and set "Enable for users to sign in?" to False. Follow the steps described here: Disable how a user signs in - Azure AD | Microsoft Docs
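The sign-in change from the note above can also be scripted. The following is an added example, not Office Protect or Microsoft code: it uses the Microsoft Graph PowerShell module, lists what the app was granted, then disables sign-in. It assumes you pass the Azure AD application (client) ID of the enterprise application, which is assumed to be looked up by hand and may not be the same as the Teams app ID shown in the alert.

```powershell
# Added example: disable sign-in for the enterprise application behind a blocked Teams app.
# Requires the Microsoft.Graph PowerShell module and one of the admin roles named in the note.
param(
    # Assumption: the Azure AD application (client) ID of the app, copied from
    # Enterprise applications in the admin center. It may differ from the Teams app ID.
    [Parameter(Mandatory)] [guid] $AppId
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Directory.Read.All' | Out-Null

# Find the service principal (enterprise application) for this app in the tenant.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    Write-Warning "No service principal for appId $AppId in this tenant; nothing to disable."
    return
}

# Record what the app was granted before changing anything, for the investigation notes.
$delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
$appRoles  = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All

"Application      : $($sp.DisplayName) ($($sp.AppId))"
"Sign-in enabled  : $($sp.AccountEnabled)"
"Delegated scopes : $(($delegated.Scope -join ' ').Trim())"
"App role grants  : $(@($appRoles).Count)"

# Scripted form of setting 'Enable for users to sign in?' to False in the portal.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false

# Read the object back so the change is confirmed rather than assumed.
$after = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
if ($after.AccountEnabled) {
    Write-Error "Sign-in is still enabled for $($after.DisplayName)."
} else {
    "Sign-in disabled for $($after.DisplayName)."
}
```

The delegated scopes and app role grants it prints are the permissions to review when deciding whether the app's data access should be removed entirely.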


FAQs:

  • What does blocking an app do?

An app being blocked means users can't do any of the following:

  • Add the app personally, to a chat, or a team
  • Send messages to the app’s bot
  • Perform button actions that send information back to the app, such as actionable messages
  • View the app’s tab
  • Set up connectors to receive notifications
  • Use the app’s messaging extension

  • Can users be notified that the app is blocked?

Yes, if they had the app installed, Teams will indicate that the app is blocked. If they did not have the app, it will be seamless for the user as they will simply not find the app anywhere, including the Store.

  • Can I receive the notification again for an app?

No, Office Protect warns you only the first time an application is ever installed. The alert notifies you the first time a new app is installed so that the app, and how it handles your users' and organization's data, can be properly investigated and evaluated. We assume that after receiving our notification you have taken the appropriate actions, and thus will not notify you again of further installations of the same app, even if the app was blocked at some point in time and allowed again.