App Profiles in Classic Mode Required by Rules
When referring to app profiles in classic mode required by Policies for Microsoft 365, there are two distinct app types: Microsoft Entra ID and Microsoft 365 (All permissions). The following sections list the app profiles in classic mode required by rules for service-level policies and tenant-level policies.
The table below lists the app profiles in classic mode required by rules for service-level policies.
| Rule Name | Rule Description | Microsoft Entra ID Required | Microsoft 365 (All permissions) Required |
|---|---|---|---|
| Access Request Settings | Control access request settings within a site to manage who can request and approve access to a site. | No | Yes |
| Automatic Forwarding Restriction | Restrict users from auto-forwarding emails. | No | Yes |
| Classification Change Restriction | Prevent changes to the classification of Groups or Teams. | Yes | No |
| Classification Enforcement | Enforce that all Groups or Teams have a classification assigned to them and assign a default classification if there is none. | Yes | No |
| Content Creation and Upload Restriction | Control content creation and upload including items, attachments, and documents based on user, size, file extension, content type, and sensitivity label. | No | Yes |
| Content Sensitivity Label Enforcement | Enforce sensitivity labels for documents based on their risk level, sensitivity level, and exposure level. | No | Yes |
| Control Access from Unmanaged Devices | Block or limit access to SharePoint and OneDrive content from unmanaged devices. | No | Yes |
| Control Group Visibility in Global Address List | Control the visibility of mail-enabled security groups and distribution lists in the global address list. | Yes | No |
| Deleted Item Retention Period Enforcement | Set the retention period that permanently deleted mailbox items are kept in the Recoverable Items folder. | No | Yes |
| Deletion Restriction | Control users and groups that have the ability to delete objects in sites. | No | Yes |
| External Sharing Settings | Control the external sharing settings for Groups or Teams. | Yes | No |
| Guest User Access Enforcement | Control users who have the ability to add guest users to Groups or Teams. | Yes | No |
| Groups/Teams Creation Restriction | Control users who have the ability to create Groups or Teams. | Yes | No |
| Guest User Full Control Permission Restriction | Report guest users who have the site-level Full Control permission and remove this permission from them. | No | Yes |
| Library Default Sensitivity Label Enforcement | Enforce a default sensitivity label for document libraries so that the sensitivity label will be applied to all newly created or edited Office files. | No | Yes |
| Library Versioning Settings Enforcement | Enforce the versioning settings for all libraries in sites. | No | Yes |
| List/Library Creation Restriction | Control users who have the ability to create lists and libraries. | No | Yes |
| List/Library Object Number Restriction | Control the number of items, documents, and folders in a list/library. | No | Yes |
| Membership Restriction | Control users who can be added to Microsoft 365 Groups, Teams, security groups, or distribution lists as members. | Yes | No |
| Member Number Restriction | Control the number of members in Microsoft 365 Groups, Teams, security groups, or distribution lists. | Yes | No |
| Microsoft 365 Group Visibility in Outlook Client | Control if a Microsoft 365 Group is visible in the Outlook client. | Yes | No |
| Owner Number Restriction | Control the number of owners in Microsoft 365 Groups, Teams, security groups, and distribution lists. | Yes | No |
| Ownership Enforcement | Enforce specific users to be in the owner group of a site. | Yes | No |
| Ownership Restriction | Control users who can be added to Groups or Teams as owners. | Yes | No |
| Permission Inheritance Protection | Protect permission inheritance from being broken at specific object levels. | No | Yes |
| Permission Level Enforcement for Built-in SharePoint Groups | Enforce permission levels for built-in SharePoint groups, including site owners, site members, and site visitors. | No | Yes |
| Pre-defined Group Members (Cloud Governance) | Enforce that users you have defined via site collection properties (example: Cloud Governance site contacts) can be added to specified SharePoint Online groups. | No | Yes |
| Privacy Restriction | Control the privacy settings of Groups or Teams. | Yes | No |
| Private Channel Ownership Enforcement | Enforce specific users to be owners of Teams private channels. | Yes | No |
| Private Channel Owner Number Restriction | Control the number of owners in Teams private channels. | Yes | No |
| Remove Licenses from Inactive Users | Remove licenses from users who do not have activities in Microsoft 365 services for a certain period. | Yes | No |
| Remove Licenses from Blocked Users | Remove licenses from users who have been blocked from signing in. | Yes | No |
| Remove Shadow Users | Remove users who have access to the SharePoint Online site but are not part of the Group/Team membership. | Yes | No |
| Restrict Member Invitations | Control users who have the ability to add users to Groups or Teams. | Yes | No |
| Restrict Member Removal | Control users who have the ability to remove members from Microsoft 365 Groups or Teams. | Yes | No |
| Restrict Sharing Links | Restrict sharing links that are created by or shared with specific users and groups. | No | Yes |
| Restrict Sharing Links with Edit Permission | Restrict sharing links with Edit permission that are created by or shared with specific users and groups. | No | Yes |
| Scan External Users | Scan external users in sites where external sharing is disabled. | No | Yes |
| Scan Orphaned Users | Scan users or groups that have been deleted or blocked in your Microsoft Entra ID. | No | Yes |
| Search and Offline Availability Enforcement | Control whether site content can be searched or downloaded to offline clients. | No | Yes |
| Shared Channel Ownership Enforcement | Enforce specific users to be owners of Teams shared channels. | Yes | No |
| SharePoint Permission Enforcement | Control permission levels for the specified users and groups on SharePoint sites. | No | Yes |
| Shared Channel Creation Restriction | Control users who have the ability to create shared channels inside Teams. | Yes | No |
| SharePoint Group Membership Enforcement | Enforce specific users to be in the owners, members, or visitors group of a site. | No | Yes |
| Sharing Link Expiration Enforcement | Enforce the duration of how long sharing links remain active after being created in sites. | No | Yes |
| Site Collection Administrator Enforcement | Enforce specific users and groups to be in the Site Collection Administrators group of a site. | No | Yes |
| Site Collection Administrator Number Restriction | Control the number of site collection administrators in a site. | No | Yes |
| Site Collection Administrator Restriction | Control users who can be added to the Site Collection Administrators group of a site. | No | Yes |
| Site Content Sharing Settings | Control the external sharing settings for sites. | No | Yes |
| Site Owner Number Restriction | Control the number of site owners in a site. | No | Yes |
| Site Owner Restriction | Control users who can be added to the owner group of a site. | No | Yes |
| Site Sensitivity Label Enforcement | Enforce a defined sensitivity label on sites and remove any existing ones. | No | Yes |
| Site Storage Enforcement | Enforce a storage limit for sites. | No | Yes |
| Groups/Teams Name Enforcement | Prevent owners of Groups or Teams from changing their Group or Team name. | Yes | No |
| Teams Settings Enforcement | Enforce certain Teams settings. | Yes | No |
| User Permission Replacement | Report or remove permissions from a specific user and assign the permissions to other designated users. | No | Yes |
| User/Group Restriction | Control users and groups that can be added to sites. | No | Yes |
| Legacy Email Protocols Restriction | Restrict the use of legacy email protocols, including POP, SMTP, and IMAP protocols, to prevent password spray attacks that may breach mailboxes in your tenants. | No | Yes |
| Message Size Restriction | Restrict the maximum size for messages sent and received by mailboxes. | No | Yes |
For app profiles in classic mode, a Microsoft 365 (All permissions) app profile will be required if you want to filter SharePoint Online and OneDrive sites in rules.
The table below lists the app profiles in classic mode required by rules for tenant-level policies.
| Rule Name | Rule Description | Microsoft Entra ID Required | Microsoft 365 (All permissions) Required |
|---|---|---|---|
| Automatic Forwarding Restriction | Restrict users from auto-forwarding emails. | No | Yes |
| Bypass Spam Filtering Rule Restriction | Restrict users from creating the mail flow rule to skip spam filtering when receiving emails from specific domains. | No | Yes |
| Control Access from Unmanaged Devices | Block or limit access to SharePoint and OneDrive content from unmanaged devices. | No | Yes |
| Control Anonymous Calendar Sharing | Control whether users are allowed to share their calendars with anonymous users outside the organization. | No | Yes |
| Control Exchange Online PowerShell Access for Non-administrators | Control Exchange Online PowerShell access for non-administrators. | Yes | Yes |
| Control Focused Inbox | Control whether to enable the focused inbox view for users. | No | Yes |
| Control Mailbox Auditing for All Users | Control whether to enable mailbox auditing for all users. | No | Yes |
| Control Plus Addressing | Control whether users can use plus addressing to quickly create custom email addresses based on their standard email addresses. | No | Yes |
| Control Sending Emails from Aliases | Control whether users are allowed to send emails from aliases. | No | Yes |
| Deleted Item Retention Period Enforcement | Set the retention period that permanently deleted mailbox items are kept in the Recoverable Items folder. | No | Yes |
| DKIM Signature Enforcement | Sign emails with DKIM (Domain Keys Identified Mail) signatures for your domains to help recipients ensure the identities of senders. | No | Yes |
| Ghost Guest User Detection | Detect guests who do not have any membership in SharePoint Online sites, Groups, and Teams. (Groups include Microsoft 365 Groups, distribution groups, dynamic distribution groups, security groups, mail-enabled security groups, and shared mailboxes.) | No | Yes |
| Groups Guest Access Restriction | Control whether people outside your organization can be invited as guests and access group content. | Yes | No |
| Groups/Teams Creation Restriction | Control users who have the ability to create Groups or Teams. | Yes | No |
| Groups/Teams Deletion Restriction | Control users who have the ability to delete Groups or Teams. | Yes | No |
| International Spam Prevention | Prevent email messages that are written in specific languages or sent from specific countries or regions. | No | Yes |
| Legacy Email Protocols Restriction | Restrict the use of legacy email protocols, including POP, SMTP, and IMAP protocols, to prevent password spray attacks that may breach mailboxes in your tenants. | No | Yes |
| Malware Prevention | Protect your organization from malware by quarantining email messages where malware is detected. | No | Yes |
| Message Size Restriction | Restrict the maximum size for messages sent and received by mailboxes. | No | Yes |
| Outbound Spam Prevention | Protect your organization from outbound spam. | No | Yes |
| Outlook External Email Tag Enforcement | Choose whether to add tags to external emails in Outlook to help users identify emails from external senders. | No | Yes |
| Remove Inactive Guest Users | Remove guest users who do not have any activities in SharePoint Online sites, Groups, and Teams for a certain number of days. | No | Yes |
| Rich-Text Format Restriction | Restrict the rich-text format in emails to prevent malformed emails from being sent to other users. | No | Yes |
| Shared Mailbox Sign-In Restriction | Control whether to allow users to sign in to the shared mailboxes by their associated user accounts. | Yes | Yes |
| Tenant-level Site Content External Sharing Settings | Control the tenant-level external sharing settings for SharePoint and OneDrive. | Yes | Yes |
| Teams Tagging Settings | Control how tags are used across your organization. | Yes | No |
| User Restriction | Enforce that specific users can only be assigned membership of the specified Groups/Teams. | Yes | No |