MC1134747 - Security Update: New Authentication Requirements for integration with Microsoft Teams PowerShell Module

MessageCenter Aug 13, 2025

Message Center ID: MC1134747

What is changing

On September 15, 2025 Microsoft will update authentication requirements for application-based authentication used with the Microsoft Teams PowerShell Module. Entra applications (service principals) that automate or manage Teams via PowerShell must have specific application permissions assigned or their access will be blocked.

New required permissions

RoleManagement.Read.Directory: required for all Entra applications to verify association with an Administrative Unit.
GroupMember.Read.All: required only if the app calls the following cmdlets:
- *-CsGroupPolicyAssignment
- *-CsGroupPolicyPackageAssignment

No changes are required for delegated permissions.

Who is affected

Admins who use Entra applications or service principals to run scripts, automation, CI/CD jobs, or backend services against the Teams PowerShell Module. If you authenticate via an app instead of a delegated user identity you need to act.

Why this matters for admins

Without these permissions your app-based automation can stop working on the enforcement date, causing service disruption.
This enforces tighter scoping and auditing of admin automation, aligning with least privilege.
Reviewing and updating app permissions reduces incident risk and supports operational continuity.

Recommended actions

Inventory Entra applications used with Teams PowerShell:
- Microsoft Entra ID > Roles and administrators. Check Global Administrator, Teams Administrator, Skype for Business Administrator for any service principals.
Update API permissions:
- Microsoft Entra ID > App registrations. Add RoleManagement.Read.Directory and add GroupMember.Read.All if you use the group policy cmdlets.
Grant admin consent and test integrations before September 15, 2025.

Learn more: Application-based authentication in Teams PowerShell Module.

Tip: I recommend scheduling tests in a staging tenant or off-hours window to confirm no automation breaks after permission changes.

Recommended for you

MessageCenter

MC1135399 - Reporting labels retirement in Teams admin center

3 days ago • 1 min read

MessageCenter

MC1134736 - Quarantine experience update in Microsoft Defender and Exchange Online: Restore temporarily deleted items

4 days ago • 1 min read

MessageCenter

MC1115983 - Microsoft Viva | New Microsoft Graph APIs for Viva Engage role management

4 days ago • 1 min read

GPT-5 Arrives in Microsoft Copilot: What You Need to Know

How to use GPT-5 in Microsoft Copilot

Microsoft Text to Speech for Free with Clipchamp

How to Install Microsoft Copilot as an App using Microsoft Edge

MC1134747 - Security Update: New Authentication Requirements for integration with Microsoft Teams PowerShell Module

What is changing

New required permissions

Who is affected

Why this matters for admins

Recommended actions

Tags

Sean Shares

Recommended for you

MC1135399 - Reporting labels retirement in Teams admin center

MC1134736 - Quarantine experience update in Microsoft Defender and Exchange Online: Restore temporarily deleted items

MC1115983 - Microsoft Viva | New Microsoft Graph APIs for Viva Engage role management

GPT-5 Arrives in Microsoft Copilot: What You Need to Know

How to use GPT-5 in Microsoft Copilot

Microsoft Text to Speech for Free with Clipchamp

How to Install Microsoft Copilot as an App using Microsoft Edge

What is changing

New required permissions

Who is affected

Why this matters for admins

Recommended actions

Tags

Subscribe to our newsletter

Sean Shares

Recommended for you

MC1135399 - Reporting labels retirement in Teams admin center

MC1134736 - Quarantine experience update in Microsoft Defender and Exchange Online: Restore temporarily deleted items

MC1115983 - Microsoft Viva | New Microsoft Graph APIs for Viva Engage role management