CloudOps
Category: AI for Microsoft Teams

Teams App Catalog Governance Prompt

Govern the Microsoft Teams app catalog — permitted apps registry, security review workflow, monitoring of app installs, sunset of unused apps, and exception handling.

Target user
IT + security leads managing third-party Teams apps at scale
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a senior IT lead who has built Teams app catalog governance for large tenants, balancing user productivity (let people install useful apps) with security (don't let arbitrary apps reach org data).

I will provide:
- Tenant size + user count
- Existing app permission policies
- Compliance regime
- Recent app-related security incidents
- Pain points (shadow apps installed, ungoverned permissions, dead apps lingering)

Your job:

1. **App categorization**:
   - **Microsoft 1st-party** — generally allowed; review only for prod/regulated use
   - **3rd-party sanctioned** — explicit allowlist; reviewed quarterly
   - **3rd-party pending review** — submitted by users; under security review
   - **3rd-party blocked** — known bad or violates policy
   - **Custom internal** — built by your engineers; managed separately

2. **Permitted apps registry**:
   - Maintained by IT / security
   - Per app: name, vendor, contact, scopes granted, review date, sunset date, sponsor
   - Visible to users: "what's allowed and why"
   - Visible to admins: full detail for governance

3. **Request workflow** for new app requests:
   - User clicks "Request app" in Teams app store
   - Routes to IT + Security review queue (Approvals app)
   - Security reviewer checks:
     - Permissions requested (least privilege): Graph delegated and application permissions on the app's Entra registration, plus any Teams resource-specific consent (RSC) permissions in the manifest; flag anything that needs admin consent
     - Data flow (where does data go, and is any of it stored outside the tenant?)
     - Vendor reputation (Microsoft 365 App Compliance Program status: publisher verification, publisher attestation, Microsoft 365 certification; SOC 2 report available?)
     - Privacy policy + ToS
     - Compliance fit (HIPAA / FedRAMP-eligible?)
   - Decision: approve (for which persona group?) / approve with conditions / deny with reason
   - Approval expires annually; re-review

4. **Approval persona scope**:
   - Some apps approved for engineering only
   - Some approved for HR only
   - Some approved for all
   - Some approved with conditions (e.g. "only for vendor-collaboration channels, not channels with PII")

5. **Monitoring of app installs**:
   - Audit log per install: who, when, where (team / channel), permissions granted
   - Daily summary of new installs
   - Alert on apps installed in sensitive teams (regulated, exec)
   - Alert on blocked install attempts (a user trying to install an app their permission policy blocks is a signal of unmet need, or of intent)

6. **Unused app detection**:
   - Quarterly: list of installed apps with no usage in 90 days
   - Notify sponsor → either justify retention or trigger removal
   - Auto-remove after N days if no response
   - Communicate to users before removal

7. **Permission drift detection**:
   - Apps update permissions over time (new versions request more scopes)
   - Monitor for permission changes; trigger re-review
   - Flag concerning changes (e.g. read-only → write)

8. **Exception process**:
   - User has urgent need for an unapproved app
   - Submit exception with: business justification, scope (specific channel? time-bounded?), data flow risk
   - Security expedites review (24-48h SLA)
   - Time-bound exception (90 days) if approved; full review at end

9. **Vendor offboarding**:
   - When relationship with a vendor ends:
     - Remove their Teams app(s)
     - Remove the vendor's enterprise application (service principal) from Entra, which revokes the consented permissions, and revoke any remaining refresh tokens / sessions
     - Audit log of removal
     - Notify users of the app

10. **Compliance overlay**:
   - SOC 2 / ISO 27001 / HIPAA expect periodic third-party access reviews (vendor management and access control evidence)
   - Quarterly review evidence
   - Per-app security review documentation
   - Audit log retention aligned to regime

11. **Communication patterns**:
   - **`#it-app-catalog`** — channel for new approvals, sunsets, exceptions
   - **Monthly digest** — what was added, removed, requested but denied
   - **User-visible reasons** for denials (don't be opaque)

12. **Anti-patterns to avoid**:
   - Allowing all third-party apps (security risk)
   - Blocking all third-party (productivity hit; users find workarounds)
   - No usage monitoring → registry full of dead apps
   - Approval forever → permissions drift
   - Shadow IT (users connect to unsanctioned apps via personal accounts)
   - No exception process → users hate IT

Output as: (a) app categorization taxonomy, (b) registry schema, (c) request workflow (Approvals app), (d) review checklist for security, (e) monitoring + alert design, (f) unused app detection + sunset, (g) exception process, (h) communication cadence.

Bias toward: default-deny external, fast review for legitimate requests, observable usage, time-bound approvals, transparent reasons.
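The monitoring (section 5), registry (section 2) and permission-drift (section 7) pieces of the prompt can be sketched as one detection pass over install events. The block below is an added illustration, not part of the original prompt page. Field names such as Workload, Operation, AddOnName, AddOnGuid, TeamName and TeamGuid follow the shape of Microsoft 365 unified audit log Teams records but are an assumption here; the Scopes field is an assumed enrichment (the audit record itself does not carry consented permissions, so a real pipeline would join Entra consent-grant data onto the event). The registry, the sensitive-team list, the persona map and the sample events are all constructed for the example.

```python
"""Detection pass over Teams app-install events against a permitted-apps registry.

Added example; not the prompt page's own code. Record fields and the Scopes
enrichment are assumptions; registry, teams, users and events are constructed.
"""
import json
from datetime import date

# Constructed permitted-apps registry (section 2 of the prompt), keyed by app id.
REGISTRY = {
    "a1b2c3d4-0001-4000-8000-000000000001": {
        "name": "Polly", "status": "approved", "personas": {"all"},
        "scopes": {"TeamMember.Read.Group", "ChannelMessage.Read.Group"},
        "approval_expires": "2026-03-01", "sponsor": "jsmith"},
    "a1b2c3d4-0002-4000-8000-000000000002": {
        "name": "Deploy Bot", "status": "approved", "personas": {"engineering"},
        "scopes": {"ChannelMessage.Read.Group"},
        "approval_expires": "2025-01-15", "sponsor": "eng-platform"},
    "a1b2c3d4-0003-4000-8000-000000000003": {
        "name": "FreeTranslate", "status": "blocked", "personas": set(),
        "scopes": set(), "approval_expires": None, "sponsor": None},
}
# Constructed: teams that trigger an alert on any install, and user -> persona group.
SENSITIVE_TEAMS = {"t-exec-0001": "Executive Leadership", "t-hr-0001": "HR Cases"}
USER_PERSONA = {"alice@contoso.example": "engineering",
                "bob@contoso.example": "hr", "carol@contoso.example": "finance"}
# Heuristic (assumption): scope names containing these markers grant write access.
WRITE_MARKERS = ("ReadWrite", "Write", "Send", "Manage", "Create", "Delete")


def scope_is_write(scope: str) -> bool:
    return any(marker in scope for marker in WRITE_MARKERS)


def parse_events(lines):
    """Keep only Teams AppInstalled records from a JSON-lines audit export."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Workload") == "MicrosoftTeams" and rec.get("Operation") == "AppInstalled":
            events.append(rec)
    return events


def evaluate_install(ev, today):
    """Return findings (rule, severity, detail) for one install event."""
    findings = []
    base = {"user": ev["UserId"], "app": ev.get("AddOnName"),
            "team": ev.get("TeamName"), "when": ev["CreationTime"]}

    def add(rule, severity, detail):
        findings.append({**base, "rule": rule, "severity": severity, "detail": detail})

    app = REGISTRY.get(ev.get("AddOnGuid"))
    if app is None:
        add("unregistered-app", "high", "app is not in the permitted-apps registry")
    elif app["status"] == "blocked":
        add("blocked-app", "high", "install of a blocked app succeeded; check app permission policy")
    else:
        persona = USER_PERSONA.get(ev["UserId"], "unknown")
        if "all" not in app["personas"] and persona not in app["personas"]:
            add("persona-out-of-scope", "medium",
                f"approved for {sorted(app['personas'])}, installer persona is {persona}")
        if app["approval_expires"] and date.fromisoformat(app["approval_expires"]) < today:
            add("expired-approval", "medium", f"approval expired {app['approval_expires']}")
        # Permission drift: anything granted that the registry never approved.
        new_scopes = set(ev.get("Scopes", [])) - app["scopes"]
        if new_scopes:
            severity = "high" if any(scope_is_write(s) for s in new_scopes) else "medium"
            add("permission-drift", severity, f"scopes not in registry: {sorted(new_scopes)}")
    if ev.get("TeamGuid") in SENSITIVE_TEAMS:
        approved = app is not None and app["status"] == "approved"
        add("sensitive-team-install", "medium" if approved else "high",
            f"installed in sensitive team {SENSITIVE_TEAMS[ev['TeamGuid']]}")
    return findings


def daily_summary(events):
    """Install counts per app name, for the daily digest."""
    summary = {}
    for ev in events:
        summary[ev.get("AddOnName", "?")] = summary.get(ev.get("AddOnName", "?"), 0) + 1
    return summary


def run(lines, today):
    events = parse_events(lines)
    return daily_summary(events), [f for ev in events for f in evaluate_install(ev, today)]


# Constructed sample export: four Teams installs plus one unrelated Exchange record.
def _rec(user, app, guid, team, tguid, scopes):
    return {"CreationTime": "2025-06-01T08:12:00", "Workload": "MicrosoftTeams",
            "Operation": "AppInstalled", "UserId": user, "AddOnName": app,
            "AddOnGuid": guid, "TeamName": team, "TeamGuid": tguid, "Scopes": scopes}

SAMPLE_LINES = [json.dumps(r) for r in [
    _rec("alice@contoso.example", "Polly", "a1b2c3d4-0001-4000-8000-000000000001",
         "Platform Eng", "t-eng-0001", ["TeamMember.Read.Group", "ChannelMessage.Read.Group"]),
    _rec("bob@contoso.example", "Deploy Bot", "a1b2c3d4-0002-4000-8000-000000000002",
         "HR Cases", "t-hr-0001", ["ChannelMessage.Read.Group", "ChannelMessage.Send.Group"]),
    _rec("carol@contoso.example", "FreeTranslate", "a1b2c3d4-0003-4000-8000-000000000003",
         "Finance", "t-fin-0001", []),
    _rec("carol@contoso.example", "Unknown Notes", "ffffffff-0009-4000-8000-000000000009",
         "Executive Leadership", "t-exec-0001", ["ChannelMessage.Read.Group"]),
    {"CreationTime": "2025-06-01T09:00:00", "Workload": "Exchange",
     "Operation": "MailItemsAccessed", "UserId": "alice@contoso.example"},
]]

if __name__ == "__main__":
    summary, findings = run(SAMPLE_LINES, date(2025, 6, 1))
    print(summary)
    for f in findings:
        print(f["severity"].upper(), f["rule"], f["user"], f["app"], f["team"], f["detail"])
```

Each finding maps to one of the prompt's alert or review triggers: `unregistered-app` and `blocked-app` feed the request queue or an incident, `sensitive-team-install` is the exec/regulated-team alert, `persona-out-of-scope` and `expired-approval` are registry violations, and `permission-drift` reopens the security review (at high severity when the new scope is a write). The write heuristic is deliberately crude; a production version would classify against the registry's recorded scope set rather than by substring.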