Microsoft Teams Policy Precedence
I am sure like most of you, working with Teams is now a daily task. You attend and probably create multiple meetings each day. For the past few months I have spent a lot of my time working on Teams for Education, which has been interesting due to how Teams is used for teaching classes, assignments and of course remote learning. One item that has come up a few times is the use of policies. Teams allows you to create policies to control features and functions. These policies are applied either directly to users or can be inherited from parent containers such as groups.
Due to the way that Teams policies are normally assigned it is important to understand the order that Teams policies are evaluated and applied. As an example, lets say we have a Teams Meeting policy that is applied directly to a user, then that user belongs to two groups that also have different Teams Meeting policies applied to them. Which policy is applied to the user? Is it most restrictive or least restrictive that wins?
A user can only have one effective policy for each policy type. For our example, our user is directly assigned a policy and is also a member of one or more groups that has been assigned a policy of the same type. The user’s effective policy is determined according to rules of precedence.
- If a user is directly assigned a policy, that policy takes precedence. This is the same whether the policy is assigned directly to the user one-by-one or using a batch assignment process.
- If a user isn’t directly assigned a policy of a given type, the policy assigned to a group that the user is a member of takes precedence.
- If a user isn’t directly assigned a policy or isn’t a member of any groups that are assigned a policy, the user will receive the global (Org-wide default) policy for that policy type.
Using this approach, you can access the policies for a user and you can see the inheritance order.
The above image shows that the “Direct Policy” is what gets applied to the user, as that was directly applied. If we were to remove the direct policy, then the group assigned policy would be the primary, based on the “Rank” of the policy.
It is important to understand how these work, especially in environments where you need to restrict specific functionality for subsets of users or groups. Just remember it is top down:
Directly Assigned Policy > Group Assigned Policy > Organization (Org-Wide) Policy
You can read more here: https://docs.microsoft.com/en-us/microsoftteams/assign-policies