How to Update Entra ID Apps to Run Teams Cmdlets
Find and Update Apps to Run Teams PowerShell
When message center notification MC1134747 first appeared on 13 August 2025, a slew of poorly-grounded commentary ensued. Microsoft updated the content on 2 September 2025, and hopefully the same kind of overreaction won’t happen again.
The post describes a new authentication requirement for Entra ID apps that use the Teams PowerShell module to run Teams cmdlets without the presence of a signed-in user. For example, a tenant might have an Azure Automation runbook that uses cmdlets from the Teams PowerShell modules to process actions such as reporting team structures (channels, apps, etc.) and membership.
I’m sure that most of the previous fuss and bother was generated because Microsoft labelled this change as an important security and authentication update. In reality, the change is only important if a tenant has apps that call the Teams PowerShell module to interact with Teams.
Authentication is involved because the apps now need two additional Graph application permissions. The RoleManagement.Read.Directory permission is used to validate if the app can read information about Entra administrative units, and the GroupMember.Read.All permission is needed to read group membership if the app calls the Group Policy Assignment and Group Policy Package Assignment cmdlets.
Respecting the boundaries of Entra administrative units is important and justifies the statement that this change strengthens security. You don’t want unauthorized apps to read information about teams governed by administrative units.
It doesn’t take much to add these permissions to an Entra ID app and any tenant affected by the update should find that it takes little time to address the problem.
Finding Entra ID Apps that Use the Teams PowerShell Module
The first step is to discover whether the tenant has any Entra ID apps that use the Teams PowerShell module. One way to check is to find which apps have been assigned the Teams service administrator role. Apps don’t need the Teams administrator role unless they’re going to sign into Teams in app-only mode to run Teams cmdlets, so the presence of the role assignment for an app is a good litmus test.
With a good repository of PowerShell scripts for Microsoft 365 to call upon, we can steal some code from the script used in the article describing how to report PIM role assignments and repurpose it as follows:
$TeamsAdminRole = Get-MgDirectoryRoleTemplate | Where-Object {$_.displayName -eq "Teams administrator"} | Select-Object -ExpandProperty Id
[array]$ActiveAssignments = Get-MgBetaRoleManagementDirectoryRoleAssignmentSchedule -Filter "(RoleDefinitionId eq '$($TeamsAdminRole)')" -ExpandProperty RoleDefinition, Principal, DirectoryScope -All
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($Member in $ActiveAssignments.Principal.Id) {
  $SP = Get-MgServicePrincipal -ServicePrincipalId $Member -ErrorAction SilentlyContinue -Property Id, displayName, AppId, ServicePrincipalType, Owners
  
  If ($SP) {
    $ReportLine = [PSCustomObject]@{
      SPIdentifier = $SP.Id
      Name         = $SP.DisplayName
      AppId        = $SP.AppId
      Type         = $SP.ServicePrincipalType
    }
    $Report.Add($ReportLine)
  } # End if
}
The output looks like Figure 1. It’s raw, but it’s enough to advise which apps need attention.

Reporting Holders of The Teams Administrator Role
Proving that there are usually many ways to do something in PowerShell, this code reports all the holders of the Teams administrator role, including users, groups, and service principals (apps or managed identities).
$Report = [System.Collections.Generic.List[Object]]::new()
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($TeamsAdminRole)'" |
ForEach-Object {
     $Principal = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
     Switch ($Principal.AdditionalProperties.'@odata.type') {
       "#microsoft.graph.user" {
         $ObjectType = "User account"
       }
       "#microsoft.graph.group" {
         $ObjectType = "Group"
       }
       "#microsoft.graph.servicePrincipal" {
         $ObjectType = "App or managed identity"
       }
       Default {
         # Avoid carrying over the type of the previous principal
         $ObjectType = "Other"
       }
     }
     $ReportLine = [PSCustomObject]@{       
        PrincipalName    = $Principal.AdditionalProperties.displayName
        PrincipalType    = $ObjectType
        Scope            = $_.DirectoryScopeId
        Id               = $_.PrincipalId
        RoleAssignmentId = $_.Id
    }
    $Report.Add($ReportLine)
}
Updating Entra ID Apps with the Permissions Needed to Run Teams Cmdlets
The point is that there’s no problem discovering what apps need to be updated, and if you want to use PowerShell to add the missing permissions, that’s easily done too. First, extract the list of service principal identifiers from the report:
[array]$Apps = $Report | Where-Object {$_.PrincipalType -eq 'App or Managed Identity'} | Select-Object -ExpandProperty Id
Now loop through the identifiers to assign the permissions now required to run Teams PowerShell cmdlets:
[array]$Permissions = "RoleManagement.Read.Directory",  "GroupMember.Read.All"
# Get Graph app details
$GraphApp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
# Loop through each app and assign the permissions to the app
ForEach ($App in $Apps) {
  # Loop through each permission and assign it to the target
  ForEach ($Permission in $Permissions) {
     $Role = $GraphApp.AppRoles | Where-Object {$_.Value -eq $Permission}
     $AppRoleAssignment = @{}
     $AppRoleAssignment.Add("PrincipalId",$App)
     $AppRoleAssignment.Add("ResourceId",$GraphApp.Id)
     $AppRoleAssignment.Add("AppRoleId", $Role.Id)
     # Assign Graph permission
     Try {
       New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $App -BodyParameter $AppRoleAssignment -ErrorAction Stop
     } Catch {
       # Include the underlying error so the reason for the failure is visible
       Write-Host ("Unable to assign {0} permission to service principal {1}: {2}" -f $Permission, $App, $_.Exception.Message)
     }
  }
}
No bother, no fuss, just some extra permissions assigned to Entra ID apps that need to run cmdlets from the Microsoft Teams PowerShell module.
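To see beforehand which apps actually need updating, or to confirm the result afterwards, the Graph app role assignments each service principal already holds can be compared against the two required permissions. This is an added example, not code from the original article: the function name Get-MissingTeamsGraphPermission and its output property names are assumptions, and it expects an existing Connect-MgGraph session that can read service principals (for example, Application.Read.All).

```powershell
# Added example: report which service principals still lack the Graph application
# permissions required to run Teams cmdlets in app-only mode. Read-only; assigns nothing.
function Get-MissingTeamsGraphPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ServicePrincipalId,
        [string[]]$Permission = @('RoleManagement.Read.Directory', 'GroupMember.Read.All')
    )

    # Microsoft Graph service principal (same well-known AppId the article uses)
    $GraphApp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

    # Map each required permission name to the identifier of its application app role
    $Required = @{}
    foreach ($Name in $Permission) {
        $Role = $GraphApp.AppRoles |
            Where-Object { $_.Value -eq $Name -and $_.AllowedMemberTypes -contains 'Application' }
        if (-not $Role) { throw "Graph app role '$Name' not found" }
        $Required[$Name] = $Role.Id
    }

    foreach ($Id in $ServicePrincipalId) {
        $SP = Get-MgServicePrincipal -ServicePrincipalId $Id -Property Id, DisplayName

        # App role assignments this service principal already holds on Microsoft Graph
        [array]$Held = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Id -All |
            Where-Object { $_.ResourceId -eq $GraphApp.Id } |
            Select-Object -ExpandProperty AppRoleId

        # Required permissions whose app role id is not among the held assignments
        [array]$Missing = $Required.Keys | Where-Object { $Held -notcontains $Required[$_] } | Sort-Object

        [PSCustomObject]@{
            ServicePrincipalId = $Id
            Name               = $SP.DisplayName
            Missing            = $Missing -join ', '
            Compliant          = ($Missing.Count -eq 0)
        }
    }
}

# Usage, with $Apps holding the service principal identifiers extracted from the report:
# Get-MissingTeamsGraphPermission -ServicePrincipalId $Apps | Where-Object { -not $_.Compliant }
```

Running the check before the assignment loop limits the change to apps that are actually missing a permission, and running it afterwards gives a record that every holder of the Teams administrator role is compliant.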