Microsoft Teams Policy Precedence

I am sure that, for most of you, working with Teams is now a daily task. You attend and probably create multiple meetings each day. For the past few months I have spent a lot of my time working on Teams for Education, which has been interesting due to how Teams is used for teaching classes, assignments and of course remote learning. One item that has come up a few times is the use of policies. Teams allows you to create policies to control features and functions. These policies are applied either directly to users or can be inherited from parent containers such as groups.

Because of the way Teams policies are normally assigned, it is important to understand the order in which they are evaluated and applied. As an example, let's say we have a Teams Meeting policy that is applied directly to a user, and that user also belongs to two groups that have different Teams Meeting policies applied to them. Which policy is applied to the user? Is it the most restrictive or the least restrictive that wins?

A user can only have one effective policy for each policy type. For our example, our user is directly assigned a policy and is also a member of one or more groups that have been assigned a policy of the same type. The user’s effective policy is determined according to rules of precedence.

  • If a user is directly assigned a policy, that policy takes precedence. This is the same whether the policy is assigned directly to the user one-by-one or using a batch assignment process.
  • If a user isn’t directly assigned a policy of a given type, the policy assigned to a group that the user is a member of takes precedence.
  • If a user isn’t directly assigned a policy or isn’t a member of any groups that are assigned a policy, the user will receive the global (Org-wide default) policy for that policy type.

Using this approach, you can access the policies for a user and you can see the inheritance order.

The above image shows that the “Direct Policy” is what gets applied to the user, as that was directly applied. If we were to remove the direct policy, then the group assigned policy would be the primary, based on the “Rank” of the policy.

It is important to understand how these work, especially in environments where you need to restrict specific functionality for subsets of users or groups. Just remember it is top down:

Directly Assigned Policy > Group Assigned Policy > Organization (Org-Wide) Policy
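The three rules can be modelled offline to audit where a direct assignment overrides a restrictive group policy. This is an added example, not code from the original post or from Microsoft; the users, groups and policy names are constructed, and it assumes that a lower rank number means a higher-priority group assignment.

```python
from dataclasses import dataclass

GLOBAL = "Global (Org-wide default)"

@dataclass(frozen=True)
class GroupAssignment:
    group: str
    policy_type: str
    policy_name: str
    rank: int  # assumption: 1 is the highest-priority rank

def resolve(user, policy_type, direct, memberships, group_assignments):
    """Return (effective_policy, source, overridden_group_policies)."""
    # Group policies of this type that reach the user, best rank first.
    candidates = sorted(
        (a for a in group_assignments
         if a.policy_type == policy_type and a.group in memberships.get(user, ())),
        key=lambda a: a.rank,
    )
    direct_policy = direct.get((user, policy_type))
    if direct_policy is not None:
        # Rule 1: a direct (or batch) assignment wins over every group policy.
        return direct_policy, "Direct", [a.policy_name for a in candidates]
    if candidates:
        # Rule 2: otherwise the best-ranked group policy applies.
        winner = candidates[0]
        rest = [a.policy_name for a in candidates[1:]]
        return winner.policy_name, f"Group:{winner.group}", rest
    # Rule 3: nothing assigned, so the org-wide default applies.
    return GLOBAL, "Global", []

def audit_overrides(users, policy_type, direct, memberships, group_assignments):
    """Map each user whose direct policy overrides a group policy to the details."""
    findings = {}
    for user in users:
        policy, source, overridden = resolve(
            user, policy_type, direct, memberships, group_assignments)
        if source == "Direct" and overridden:
            findings[user] = (policy, overridden)
    return findings

# Constructed sample data (hypothetical users, groups and policy names).
TYPE = "TeamsMeetingPolicy"
DIRECT = {("alice", TYPE): "AllOn"}
MEMBERSHIPS = {"alice": {"Students"}, "bob": {"Students", "Staff"}}
GROUP_ASSIGNMENTS = [
    GroupAssignment("Staff", TYPE, "StaffMeetings", rank=2),
    GroupAssignment("Students", TYPE, "RestrictedStudents", rank=1),
]
```

In the sample data, `audit_overrides` flags only `alice`: her direct "AllOn" policy wins even though her group carries the restrictive policy, which is the case worth reviewing when a group policy is meant to lock a feature down.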

You can read more here: https://docs.microsoft.com/en-us/microsoftteams/assign-policies

Liam Cleary

Liam began his career as a Trainer of all things computer-related. He quickly realized that programming, breaking, and hacking was a lot more fun. He spent the next few years working within core infrastructure and security services until he found SharePoint. He is the founder and owner of SharePlicity, a consulting company that focuses on all areas of Technology. His role within SharePlicity is to help organizations implement technology that will enhance internal and external collaboration, document and records management, automate business processes, and of course security controls and protection. Liam also serves as the Principal Technology Advisor at Rencore, where he is helping to develop offerings that help organizations further understand and mitigate security and compliance risks within SharePoint and Office 365 customizations. His core focus is to identify, control, and protect whether they are full-fledged customizations or out-of-the-box Office 365 functionality. He is also a thirteen-time Microsoft MVP focusing on Architecture but also crosses the boundary into Development. He is also a Microsoft Certified Trainer (MCT). His specialty over the past few years has been security in SharePoint and its surrounding platforms. He can often be found at user groups or conferences speaking, offering advice, spending time in the community, teaching his kids how to code, Raspberry Pi programming, hacking the planet or building Lego robots.
