Configuring an Azure app to support the Microsoft Teams app
This task is accomplished using the Developer Portal app within Microsoft Teams.
Before you begin
Make sure you've completed the steps in Updating WebSphere to support single sign-on with Connections for Microsoft Teams.
Create the Azure bot and app registration
- Log in as the AD administrator with sufficient rights to create applications, for example Application Developer or Application Administrator.
  Note: For details on the permissions required by the administrator, refer to Azure AD built-in roles in the Microsoft documentation.
- Navigate to Microsoft Teams and in the navigation, select the Apps catalog and find the Developer Portal app from Microsoft. Add this app if needed and open it.
- In the top navigation of the app, select Tools.
- Choose Bot Management, and click the + New Bot button.
- In the bot name field, pick a name for your HCL Connections app, such as "HCL Connections", and then click Add.
- After the bot is successfully created, click the < Bots button and copy the bot ID to a text file to use later.
- Select this bot from the Existing bot registrations list.
- Click the Client secrets tab. Then, click Add a client secret for your bot, copy the newly generated bot client secret to a text file for use later, and click Okay.
- Next, click the Configure tab.
- In the configure endpoint address field, enter the following URL, replacing connections.example.com with the host name for your environment:
  https://connections.example.com/teams-share-service/api/msteams/command
Add single sign-on permissions to your Azure app
- Log in to the Azure portal to complete the single sign-on permissions. You must use an AD administrator account with sufficient rights to manage applications.
  Note: For details on the permissions required by the administrator, refer to Azure AD built-in roles in the Microsoft documentation.
- Select or find App Registrations and then click on the Azure app that was just created.
- Navigate to Manage > Authentication. Under Supported account types, make sure that Accounts in any organizational directory (Any Azure AD Directory - Multitenant) is selected.
- Navigate to Manage > API Permissions.
- Click Add a permission and select Microsoft Graph > Delegated permissions.
- Select the check box for these Openid permissions:
  - offline_access
  - openid
  - profile
- Click Add permissions.
- Click Grant admin consent for your tenant name. This removes the need for your users to grant consent each time they use this app in Microsoft Teams.
- In the navigation, select Manage > Expose an API.
- If your Application ID URI is not set, click Set and update the URI. Add your Connections server hostname between api:// and the {appID}. For example: api://connections.example.com/{appID}.
- Add a scope and give it a scope name of access_as_user. Your API URL should look like this: api://connections.example.com/{appID}/access_as_user. In the "who can consent" step, select Admins and users. Make sure the scope is set to enabled.
- Next, add two client applications that are allowed to access this API. Make sure the API scope is checked for each one. These are for the Microsoft Teams desktop client and the Microsoft Teams mobile client:
  - 5e3ce6c0-2b1f-4285-8d4b-75ee78787346
  - 1fec8e78-bce4-4aaf-ab1b-5451cc387264
- In the navigation, select Manage > Token configuration.
- Select the option to add an optional claim, and choose the Access token. From the list of claims, select email and then click Add.
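One way to check the finished registration against the steps above, as an added example that is not part of the original page or the product's own code: it audits the application object in the JSON form Microsoft Graph returns for an app registration. The sample object, its appId and its scope id are constructed placeholders, and flagging extra authorized client applications is an added check.

```python
TEAMS_CLIENT_IDS = {  # Teams desktop and mobile client IDs listed on this page
    "5e3ce6c0-2b1f-4285-8d4b-75ee78787346",
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264",
}

def audit_app_registration(app, connections_host):
    """Return findings; an empty list means the object matches the steps."""
    findings = []
    expected_uri = f"api://{connections_host}/{app.get('appId', '')}"
    if app.get("signInAudience") != "AzureADMultipleOrgs":
        findings.append("account types: not multitenant")
    if expected_uri not in app.get("identifierUris", []):
        findings.append(f"application ID URI: expected {expected_uri}")
    api = app.get("api") or {}
    scope = next((s for s in api.get("oauth2PermissionScopes", [])
                  if s.get("value") == "access_as_user"), None)
    if scope is None:
        findings.append("scope: access_as_user missing")
    elif not scope.get("isEnabled") or scope.get("type") != "User":
        findings.append("scope: access_as_user not enabled for admins and users")
    # Map each authorized client application to the scope IDs it may use.
    authorized = {p.get("appId"): set(p.get("delegatedPermissionIds", []))
                  for p in api.get("preAuthorizedApplications", [])}
    scope_id = scope.get("id") if scope else None
    for client in sorted(TEAMS_CLIENT_IDS):
        if scope_id is None or scope_id not in authorized.get(client, set()):
            findings.append(f"client {client}: not authorized for access_as_user")
    for extra in sorted(set(authorized) - TEAMS_CLIENT_IDS):
        findings.append(f"client {extra}: not one of the two Teams clients")
    optional = (app.get("optionalClaims") or {}).get("accessToken") or []
    if "email" not in {c.get("name") for c in optional}:
        findings.append("token configuration: email claim not on access token")
    return findings

# Constructed sample object; appId and scope id are placeholder values.
SAMPLE = {
    "appId": "00000000-0000-0000-0000-0000000000aa",
    "signInAudience": "AzureADMultipleOrgs",
    "identifierUris": ["api://connections.example.com/00000000-0000-0000-0000-0000000000aa"],
    "api": {
        "oauth2PermissionScopes": [{"id": "scope-1", "value": "access_as_user",
                                    "type": "User", "isEnabled": True}],
        "preAuthorizedApplications": [
            {"appId": c, "delegatedPermissionIds": ["scope-1"]} for c in TEAMS_CLIENT_IDS],
    },
    "optionalClaims": {"accessToken": [{"name": "email"}]},
}

print(audit_app_registration(SAMPLE, "connections.example.com"))
```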
What to do next
Setting up the Connections app for the Microsoft Teams client