Revision as of 09:44, 26 May 2022

Configuring MS Teams with ICI

To enable this capability, you (client) can make use of the existing ICI UI and API apps (App Registrations) or create 2 new apps for the same on Azure portal. Further we are going to provide certain API Permissions to these apps for interacting with Microsoft Teams to create new teams, channel, add team members to a team, add file and so on.

In case you are using a different identity provider like Okta, Ping Identity then all the internal ICI users are required to be part of the Azure Ad for this integration to work.

With the help of the following sections, you can create/edit the ICI UI and API apps (App Registrations), add URL redirects, provide API permissions etc.

Azure Portal Configuration for ICI UI Application

1. ICI UI Application (API Permissions)

1. Clients with different identity provider (for example, Okta or Ping Identity) must create a new ICI UI app registration and provide the required API permissions (listed under Section B.3) on their Azure portal.
2. Clients with Azure AD will have to provide the required API permission (listed under Section B.2) to the existing ICI UI app registration on Azure portal.
3. In both the above scenarios the following details with respect to the newly created or modified app are required to be shared with Icertis (to be able to enable ICI integration with Microsoft Teams).

• Directory ID (Tenant ID)
• Application ID (Client ID)
• Client Secret
• (ICI UI) Redirect URI

2. ICI UI application (app registration) on Azure portal requires the following Microsoft Graph delegated API permission with Admin consent.

3. Create a new or update existing ICI UI Application: Clients who are updating the existing ICI UI app can skip points ‘a’ to ‘d’ and directly open the existing ICI UI app on Azure portal and start with point ‘e’.

a. Go to ‘App Registrations’ under ‘Azure Active Directory’ on Azure portal and on the right panel, click ‘New registration’ tab.

             i. Provide the following information:      

1. Name: Enter the name for the application
2. Select the Supported account types for your application. Select Accounts in this organizational directory only (ABC only - Single tenant).
3. For the Redirect URI:
4. Select Web.
5. Set the URL to (ICI UI Application URL)

[https://Template:Your-tenant-name.icertis.com https://Template:Your-tenant-name.icertis.com]

b. Click Register

c. Once it is created, Azure displays the Overview page for the app.

d. In the left panel, select Certificates & secrets to create a client secret for your application.

1. Under Client secrets, select ➕ New client secret.
2. Add a description to identify this secret from others.
3. Set Expires to your selection.
4. Select Add.
5. Before leaving this page, record the secret.

e. In the left panel, select ‘API permissions’ to add certain delegated permission for your UI application.

1. Click ‘Add a permission’.
2. Under ‘Microsoft APIs’ select ‘Microsoft Graph’.
3. Select ‘Delegated permissions’.
4. Now select the following permission (please find more information on usage of every API permission under ‘Section B.2’)

1. AppCatalog.Read.All
2. Channel.Create
3. Files.ReadWrite.All
4. Group.ReadWrite.All
5. Team.Create
6. Team.ReadBasic.All
7. TeamMember.ReadWrite.All
8. TeamsAppInstallation.ReadWriteForTeam
9. User.Read
10. User.ReadBasic.All

f. Copy and save the following information to a file:

1. The Application (client) ID value. You'll use this value later as the Client ID when you register this Azure identity application with your bot.
2. The Directory (tenant) ID value. You'll also use this value later as the Tenant ID to register this Azure identity application with your bot.

g. With respect to the newly created or modified ICI API app, you are required to share the following with Icertis (to be able to enable ICI integration with Microsoft Teams).

1. Directory ID (Tenant ID) [Copy value to E.1]
2. Application ID (Client ID) [Copy value to E.2]
3. Client Secret [Copy value to E.3]
4. (ICI UI) Redirect URI

Azure Portal Configuration for ICI API Application

1. ICI API Application (API Permissions)

1. Clients with different identity provider (for example, Okta or Ping Identity) must create a new ICI API app registration and provide the required API permissions (listed below) on their Azure portal.
2. Clients with Azure AD will have to provide the required API permission to the existing ICI API app registration on Azure portal.
3. For those customers who do not have an existing ICI API application, are required to create a new app registration by following the steps mentioned under Section C.3.
4. For clients with existing ICI API application, an additional ‘Redirect URI’ is required to be added:
   1. In the ICI API application go to ‘Authentication’ under ‘Manage’
   2. For the Redirect URI, click ‘Add URI’
   3. Set the URL to https://token.botframework.com/.auth/web/redirect (required to authenticate the Icertis Teamworks App)

'2. 'ICI API application (app registration) on Azure portal requires the following Microsoft Graph delegated API permission with Admin consent.

3. Create a new ICI API Application: We need an identity provider that can be used for authentication of ICI API & ‘Icertis Teamworks’ (Microsoft Teams) app. For clients who are updating the existing ICI API app can skip points ‘a’ to ‘d’ and directly open the existing ICI API app on Azure portal and start with point ‘e’.

1. Go to ‘App Registrations’ under ‘Azure Active Directory’ on Azure portal and on the right panel, click ‘New registration’ tab.
2. You'll be asked to provide the following information:
   1. • Name. Enter the name for the application
      • Select the Supported account types for your application. Select Accounts in this organizational directory only (ABC only - Single tenant).
      • For the Redirect URI
3. Select Web.
4. Set the URL to (ICI Application API URL)
   1. Error! Hyperlink reference not valid.