diff --git a/lib/livebook/hubs/team_client.ex b/lib/livebook/hubs/team_client.ex
index 7dc9e14da..a007a5ef8 100644
--- a/lib/livebook/hubs/team_client.ex
+++ b/lib/livebook/hubs/team_client.ex
@@ -158,6 +158,14 @@ defmodule Livebook.Hubs.TeamClient do
     GenServer.call(registry_name(id), {:check_app_access, groups, slug})
   end
 
+  @doc """
+  Returns if the Team client uses Livebook Teams authorization groups.
+  """
+  @spec authorization_groups_enabled?(String.t()) :: boolean()
+  def authorization_groups_enabled?(id) do
+    GenServer.call(registry_name(id), :authorization_groups_enabled?)
+  end
+
   @doc """
   Returns if the Team client is connected.
   """
@@ -319,6 +327,13 @@ defmodule Livebook.Hubs.TeamClient do
     end
   end
 
+  def handle_call(:authorization_groups_enabled?, _caller, %{deployment_group_id: id} = state) do
+    case fetch_deployment_group(id, state) do
+      {:ok, deployment_group} -> {:reply, deployment_group.groups_auth, state}
+      _ -> {:reply, false, state}
+    end
+  end
+
   @impl true
   def handle_info(:connected, state) do
     Hubs.Broadcasts.hub_connected(state.hub.id)
@@ -492,6 +507,7 @@ defmodule Livebook.Hubs.TeamClient do
       clustering: nullify(deployment_group.clustering),
       url: nullify(deployment_group.url),
       teams_auth: deployment_group.teams_auth,
+      groups_auth: deployment_group.groups_auth,
       authorization_groups: authorization_groups
     }
   end
@@ -531,6 +547,7 @@ defmodule Livebook.Hubs.TeamClient do
         clustering: atomize(deployment_group_updated.clustering),
         url: nullify(deployment_group_updated.url),
         teams_auth: deployment_group_updated.teams_auth,
+        groups_auth: deployment_group_updated.groups_auth,
         authorization_groups: authorization_groups
     }
   end
diff --git a/lib/livebook/teams/deployment_group.ex b/lib/livebook/teams/deployment_group.ex
index 346d9b4fb..606140fdf 100644
--- a/lib/livebook/teams/deployment_group.ex
+++ b/lib/livebook/teams/deployment_group.ex
@@ -13,6 +13,7 @@ defmodule Livebook.Teams.DeploymentGroup do
           clustering: :auto | :dns | nil,
           hub_id: String.t() | nil,
           teams_auth: boolean(),
+          groups_auth: boolean(),
           authorization_groups: Ecto.Schema.embeds_many(Teams.AuthorizationGroup.t()),
           secrets: Ecto.Schema.has_many(Secrets.Secret.t()),
           agent_keys: Ecto.Schema.has_many(Teams.AgentKey.t()),
@@ -27,6 +28,7 @@ defmodule Livebook.Teams.DeploymentGroup do
     field :clustering, Ecto.Enum, values: [:auto, :dns]
     field :url, :string
     field :teams_auth, :boolean, default: true
+    field :groups_auth, :boolean, default: false
 
     has_many :secrets, Secrets.Secret
     has_many :agent_keys, Teams.AgentKey
diff --git a/lib/livebook/zta/livebook_teams.ex b/lib/livebook/zta/livebook_teams.ex
index ebc578c9a..f1b91c9ce 100644
--- a/lib/livebook/zta/livebook_teams.ex
+++ b/lib/livebook/zta/livebook_teams.ex
@@ -168,7 +168,8 @@ defmodule Livebook.ZTA.LivebookTeams do
       } = payload
 
       restricted_apps_groups =
-        if Livebook.Hubs.TeamClient.user_full_access?(team.id, groups) do
+        if Livebook.Hubs.TeamClient.authorization_groups_enabled?(team.id) and
+             Livebook.Hubs.TeamClient.user_full_access?(team.id, groups) do
           nil
         else
           groups