-
Notifications
You must be signed in to change notification settings - Fork 40
Deployment Guide
- Prerequisites
-
Steps
- Provisioning TEOC Site
- Register AD Application
- Deploy to Azure subscription
- Set-up Authentication
- Add Permissions to your app
- Add Permissions for Office 365 Exchange Online
- Create the Teams app packages
- Install the app in Microsoft Teams
- Verify M365 group creation policy in Azure Portal
- Deploy NotifyToTeams Extension in SharePoint
- Troubleshooting
To begin deployment for Microsoft Teams Emergency Operations Center (TEOC) application, you will need:
-
An Azure subscription where you can create the following kinds of resources:
- App Service
- App Service Plan
- Application Insights
- App Registration
-
You need at least contributor access to the Azure subscription to perform the deployment.
-
To run the TEOC Provision PnP PowerShell script, you'll need PowerShell version 7.x or newer. This version is compatible with Windows, Linux, and Mac, and you can download it here.
-
If you have previously installed PnP PowerShell, ensure your version is 2.12.0 or newer. Here's the command to verify the version of PnP PowerShell you're currently using.
get-Module -Name PnP.PowerShell -ListAvailable | select-Object -Property Name, Version, Path
-
Open a new PowerShell console (7.x) as an administrator (right-click, Run As Administrator). Ensure unrestricted execution policy with the following:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
-
Ensure the PnP.PowerShell module is loaded with the following:
Import-Module -Name PnP.PowerShell
If you have multiple versions of PnP.PowerShell installed, target a latest version with the -RequiredVersion flag.
-
Run the following script ONCE per tenant to create an Azure App Registration for PnP:
Log in with user credentials that have the Global Administrator role. If you have previously registered PnP.PowerShell, check the App Registration in the Azure portal and make sure it has delegated permissions for AllSites.FullControl and User.Read.All. Also make sure that you've granted consent as an Administrator.
Note: Replace '[Your App Name]' with your app name and '[Tenant]' with your tenant name.
Register-PnPEntraIDAppForInteractiveLogin -ApplicationName "[Your App Name]" -Tenant [Tenant].onmicrosoft.com -Interactive
Please check the Register an Entra ID Application to use with PnP PowerShell guide to setup Entra Id, if you face any issues in running the above command.
-
Provide consent on behalf of your organization
-
Make a note of the AzureAppId/ClientId GUID returned from above step as it will be needed in the below step to provision the SharePoint site. This is the ClientId of the new PnP PowerShell Azure App Registration.
To provision the SharePoint site and lists for the TEOC app,
-
Clone the TEOC repository locally.
-
Open the
Deployment/provisioning
folder to get the latest provisioning files i.eEOC-Provision.ps1
andEOC-SiteTemplate.xml
Note: Run below commands with Windows Powershell as Administrator
-
Run the command below to allow the execution of the EOC-Provision.ps1 script. By default, the execution policy is restricted for Windows computers. You may change it back to restricted after deployment is completed.
Note: Non-windows computer users can skip this as it is unrestricted by default for them.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
-
Run the below command to unblock the deployment script.
Note: File path should be set to provisioning folder.
Unblock-File -Path .\EOC-Provision.ps1
Below are the steps you need to perform to provision the TEOC site,
-
Run the PowerShell script as Administrator. The script will ask for the following inputs:
- XML file path – enter fully qualified path of the XML file (Ex: C:/Scripts/EOC-SiteTemplate.xml)
- Tenant Name – Name of the tenant where root TEOC site needs to be provisioned (Ex: Contoso)
- Tenant Admin Email – Email of tenant admin account (Ex:
[email protected]
) - SharePoint Site Name - Name of the site that needs to be provisioned for TEOC application (Ex: Teams EOC Site)
- AzureAppId/Client Id - Enter the App Id which you registered for Interactive login.
Note: Make a note of the site name without spaces (i.e., the internal name of the site, which is shown in the URL - Ex: TeamsEOCSite). This will be needed later while deploying the resources in Step #3.
-
Once the above details are provided, script will check if the “PnP.PowerShell” module is installed, if not, it will install the module.
-
If you are running the PnP.PowerShell scripts for the first time for that tenant, it will ask for a list of permissions to be granted.
Note: The PnP.PowerShell module requests all permissions, even if they are not used in the script, to ensure smooth running of the scripts. These are delegated permissions, please make sure the user running the script has permissions to perform the action for the script to be executed successfully.
-
Below is the list of permissions it asks,
-
Only SharePoint related permission Have full control of all site collections will be utilized in the script so that the site can be provisioned.
-
Please make sure to grant permissions to users who need to use TEOC application, follow the below steps provide permissions,
-
Navigate to the URL for the TEOC site as the administrator.
-
If you are using the default configuration, this can be found at
https://<yourtenant>.sharepoint.com/sites/<SiteName>/
.-
Select site permissions
-
Advanced permissions settings
-
Select Grant permissions
-
Enter in 'Everyone except external users'
Note: In case access has to be given to specific users, enter specific users instead of directly adding 'Everyone except external users' group.
- Change permissions to 'TEOC Members [Edit]'
- Unselect send an email invitation
- Click share
-
-
You need to first create a new Azure AD Application to secure API permissions. Registering your application establishes a trust relationship between your app and the Microsoft identity platform.
-
Log in to the Azure Portal using SharePoint Tenant account where you want the app to be installed, and go to the App registrations blade.
-
Click New registration to create an Azure AD application.
- Name: Name of your Teams App.
- Supported account types: Select "Accounts in single organizational directory"
- Leave the "Redirect URI" field blank for now.
-
Click Register to complete the registration.
-
When the app is registered, you'll be taken to the app's "Overview" page. Copy the Application (client) Id and Tenant Id; we will need it later.
-
On the side rail in the Manage section, navigate to the "Certificates & secrets" section. In the Client secrets section, click on "+ New client secret". Add a description for the secret, and choose when the secret needs to expire (recommended is 12 months) and click "Add".
-
Once the client secret is created, copy its Value only; we will need it later. Once you leave this page, you may not be able to copy it again.
-
You're done with app registration and client secrets for now. This provides the groundwork for our next steps. Please ensure you have the values ready for Application Id, Tenant Id, Client Secret Value.
-
Click on the Deploy to Azure button below.
-
When prompted, log in to your Azure subscription.
-
Azure will create a "Custom deployment" based on the TEOC ARM template with pre-filled values.
-
Select a subscription and a resource group.
-
We recommend creating a new resource group.
-
The resource group location MUST be in a datacenter that supports the following resources, click here to know more about the datacenter and the resources:
- App Service
- Application Insights
-
-
Enter a Base Resource Name, which the template uses to generate names for the other resources.
- The
[Base Resource Name]
must be unique and available. For example, if you selectcontosoteoc
as the base name, the namecontosoteoc
must be available (not taken); otherwise, the deployment will fail with a Conflict error. - Remember the base resource name that you selected. We will need it later.
- The
Note: Ensure that you use lowercase letters and numbers in the field you enter; otherwise, the deployment may fail.
-
Update the following fields in the template using the values copied from step 1 & 2 in previous section,
- Client ID: The application (client) ID of the app registered mentioned in step 2
- Client Secret: The client secret Value of the app registered
- Tenant Id: The tenant Id
-
Share Point Site Name: Name of the SharePoint site that was provisioned in step 1
Note: Add just the site name and not the entire URL. For example, if the URL of your sharepoint site is 'https://example.sharepoint.com/sites/TEOCSite' add just "TEOCSite"
-
Other fields have pre-populated default values, do not change it unless you want it to be customized depending on the need.
-
Click on Review+Create. Post successful validation clicks on Create. The deployment will take around 30 to 40 Minutes. Please wait for the deployment to be completed and then proceed with the below steps.
-
Go to App Registrations page here and select the application (TEOC specific) which you created in step 2. Follow the below steps to set up the authentication for the application.
Note: For the following steps, you need to use the appDomain convention for the app service URL.
- appDomain is the App service URL without https:// or <<baseResourceName>>.azurewebsites.net
-
Under Manage, click on Authentication to bring up authentication settings.
-
Click on Add a Platform. Select Web and add Redirect URIs in below format:
-
Redirect URI: Enter
https://%appDomain%/auth-end.html
for the URL (Ex:https://<<baseResourceName>>.azurewebsites.net/auth-end.html
)
-
Redirect URI: Enter
-
Click on Add a Platform. Select Single-page application and add Redirect URIs in below format:
-
Redirect URI: Enter
https://%appDomain%/auth-end.html?clientId= %clientId%
for the URL (Ex:https://<<baseResourceName>>.azurewebsites.net/auth-end.html?clientId=<<Client Id>>
) - Click on Add URI and add another entry as,
https://%appDomain%/blank-auth-end.html
(Ex:https://<<baseResourceName>>.azurewebsites.net/blank-auth-end.html
)
-
Redirect URI: Enter
-
Click Save to commit your changes.
-
Back under Manage, click on Expose an API.
-
Click on the Set link next to Application ID URI, and change the value to
api://%appDomain%/%clientId%
(Ex:api://<<baseResourceName>>.azurewebsites.net/<<Client Id>>
. -
Click Save to commit your changes.
-
Click on Add a scope, under Scopes defined by this API. In the flyout that appears, enter the following values:
- Scope name: access_as_user
Note: Enter the scope name as access_as_user; otherwise, it may throw a 403 forbidden error while logging in to the app.
- Who can consent?: Admins and users
- Admin consent display name: Teams can access app’s web APIs
- Admin consent description: Allows Teams to call the app’s web APIs as the current user.
-
Click Add scope to commit your changes.
-
Click Add a client application, under Authorized client applications. In the flyout that appears, enter the following values:
-
Client ID:
5e3ce6c0-2b1f-4285-8d4b-75ee78787346
(Teams WebApp Client Id)
Note: This Id is different from the Client Id from step 2
-
Authorized scopes: Select the scope that ends with
access_as_user
. (There should only be 1 scope in this list.)
-
Client ID:
-
Click Add application to commit your changes.
-
Repeat the previous two steps, but with below Ids.
- 1fec8e78-bce4-4aaf-ab1b-5451cc387264 (Teams Mobile or Desktop App Client Id)
- 4345a7b9-9a63-4910-a426-35363201d503 (Office WebApp Client Id1)
- 4765445b-32c6-49b0-83e6-1d93765276ca (Office WebApp Client Id2)
- d3590ed6-52b3-4102-aeff-aad2292ab01c (Outlook Desktop App Client Id)
- 00000002-0000-0ff1-ce00-000000000000 (Outlook Web App Client Id)
-
After this step you should have 6 client applications listed under Authorized client applications.
-
-
Back under Manage, click on Manifest.
- Find the
optionalClaims
property in the JSON Azure AD application manifest, and replace it with the following block:
"optionalClaims": { "idToken": [], "accessToken": [ { "name": "idtyp", "source": null, "essential": false, "additionalProperties": [] } ], "saml2Token": [] },
-
Click Save to commit your changes.
- Find the
In this section, you’ll be adding the necessary Graph API permissions to the application.
-
Select API Permissions blade from the left hand side.
-
Click on Add a permission button to add permission to your app.
-
In the fly out, click Microsoft Graph, then select Delegated permissions and enter the following permissions one by one,
- Directory.AccessAsUser.All
- Group.ReadWrite.All
- People.Read
- Sites.Manage.All
- TeamMember.ReadWrite.All
- TeamsTab.Create
- TeamworkTag.ReadWrite
- User.Read
- User.ReadBasic.All
- Tasks.Read
- Tasks.ReadWrite
- Group.Read.All
- OnlineMeetings.ReadWrite
- TeamsAppInstallation.ReadWriteSelfForTeam
- Mail.Send
- AppCatalog.Read.All
-
Click on Add Permissions to commit your changes.
-
Below is the description/reason for each permission granted above,
- Directory.AccessAsUser.All : Allows the app to have the same access to information in the directory as the signed-in user. TEOC app uses this permission to access the Teams, SharePoint and Users information in the app.
- Group.ReadWrite.All : Allows the app to create groups, read and update group memberships, and delete groups. Also allows the app to read and write calendars, conversations, files, and other group content for all groups. All these operations can be performed by the app without a signed-in user. TEOC app uses this permission to create a group when the incident is created.
- People.Read : Allows the app to read a scored list of people relevant to the signed-in user. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype). TEOC app uses this permission for the “People Picker” fields to work (for ex. - Incident Commander and Role assigned user).
- Sites.Manage.All : Allows the app to manage and create lists, documents, and list items in all site collections on behalf of the signed-in user. TEOC app uses this permission to create the lists in the site created for each incident.
- TeamMember.ReadWrite.All : Add and remove members from teams, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner. TEOC app uses this permission to update the Teams membership when updating a role.
- TeamsTab.Create : Allows the app to create tabs in any team in Microsoft Teams, on behalf of the signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs. TEOC app uses to create the tabs in the team created for the incident.
- TeamworkTag.ReadWrite : Allows the app to read and write tags in Teams without a signed-in user. TEOC app uses this permission to create and update the tags which gets created along with the incident.
- User.Read : Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. TEOC app uses to get the current user details in the app.
- User.ReadBasic.All : Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. TEOC app uses this permission search for other users and assign them roles while creating the incident.
- Tasks.Read : Allows the app to read the signed-in user's tasks and task lists, including any shared with the user. Doesn't include permission to create, delete, or update anything. TEOC app uses this permission to read the planner tasks of the signed in users, including any shared with the user.
- Tasks.ReadWrite : Allows the app to create, read, update, and delete the signed-in user's tasks and task lists, including any shared with the user.TEOC app uses this permission to create, read, update, and delete the planner tasks of the signed-in users, including any shared with the user.
- Group.Read.All : Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. TEOC app uses this permission for fetching and reading tasks as it has Microsoft Planner data source configured for Tasks component.
- OnlineMeetings.ReadWrite : Allows an app to create, read online meetings on behalf of the signed-in user. TEOC app uses this permission to create and join bridge (instant meeting) on behalf of the signed-in user.
- TeamsAppInstallation.ReadWriteSelfForTeam : Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access. TEOC app uses this permission to install and read the Tab apps in the incident team.
- Mail.Send : Allows the app to send mail as users in the organization. TEOC app uses this permission to send a welcome email to guest users for joining incident team.
- AppCatalog.Read.All : Allows the app to read the apps in the app catalogs. TEOC app uses this permission to read the app id of the TEOC app to add it as a tab on the General channel of the incident team.
-
Reach out to your IT admin team to grant consent for the permissions provided. If you’re an admin, click on Grant the admin Consent for *******
In this section, you’ll be adding the Office 365 Exchange Online API permissions to the application.
-
Select API Permissions blade from the left hand side.
-
Click on Add a permission button to add permission to your app.
-
In the fly out, click Office 365 Exchange Online, then select Delegated permissions and enter the following permission
- Calendars.Read
-
Click on Add Permissions to commit your changes.
-
This permission reads the user calendar and provides suggestions for the Location picker while creating the incident.
-
Reach out to your IT admin team to grant consent for the permissions provided. If you’re an admin, click on Grant the admin Consent for *******
Now we build the teams package to upload the TEOC (Teams Emergency Operations Center) app to the Teams client. TEOC in turn will connect to the SharePoint resources/list to the Tenant deployed.
To create the team's package,
-
Make sure you have cloned the app repository locally.
-
Open the
Deployment\appPackage\manifest.json
file in a text editor. -
Change the
<<appDomain>>
placeholder in the below settings to your app domain URL, for example"configurationUrl": "https://<<appDomain>>/index.html#/config"
"contentUrl": "https://<<appDomain>>/index.html#/tab"
-
Change the
<<websiteUrl>>
placeholder in the setting below to the URL of the TEOC SharePoint site"websiteUrl": "https://<<websiteUrl>>"
-
Update the validDomains and webApplicationInfo details.
-
Change the
<<clientId>>
placeholder in the webApplicationInfo setting to the %clientId%. This is the application id we copied in step 2. -
Change the
<<appDomain>>
placeholder in the webApplicationInfo and validDomains to the%appDomain%
value.
Note: appDomain is the App service URL without https:// or <<baseResourceName>>.azurewebsites.net
"validDomains": [ "<<appDomain>>" ],
"webApplicationInfo": { "id": "<<clientId>>", "resource": "api://<<appDomain>>/<<clientId>>" }
-
-
Create a ZIP package with the manifest.json and resources folder with color.png, and outline.png. The two image files are the icons for your app in Teams.
-
Name this package
teoc.zip
, so you know that this is the app for the TEOC teams. -
Make sure that the files are the top level of the ZIP package, with no nested folders.
-
-
Upload the app (the teoc.zip package) to Teams.
-
If your tenant has sideloading apps enabled, you can install your app by following the instructions here
-
You can also upload it to your tenant's app catalog so that it can be available for everyone in your tenant to install. See here
Note: Please review app permission policies to allow access to the app
-
Log in to the Azure Portal in the tenant where the TEOC app registration is done.
-
Navigate to Groups, check for the setting "Users can create Microsoft 365 groups in Azure portals, API or PowerShell".
-
If it is set to No, then follow this documentation to create a M365 group that can be used to control who is able to create Microsoft 365 Groups in the tenant and add the users from your organization who will be creating incidents in the TEOC application to that M365 group.
-
If it is set to Yes, no action is required.
-
To get the latest package for extension, make sure you have cloned the app repository locally.
-
Get the latest package file
“eoc-extension.sppkg”
under EOC-Extensions/sharepoint/ solution folder. -
Below are the steps you need to perform to add NotifyToTeams extension in TEOC site.
-
Open SharePoint admin center.
-
Click on More features menu item. Locate the Apps section and click the Open button.
-
Click on App Catalog link.
If you do not see an app catalog available, use the instructions here to create a new app catalog before continuing.
-
Click the Distribute apps for SharePoint link.
-
Click the New option.
-
Click the Choose Files button, select the eoc-extension.sppkg file you downloaded or created earlier, and click on OK.
-
A confirmation dialog is displayed. Ensure the checkbox for Make this solution available to all sites in the organization is chosen and click Deploy.
-
Return to the SharePoint admin center. Under expand the Advanced menu in the left navigation and select API access. Select and approve all pending requests associated with eoc-extension.
Please check the Troubleshooting guide.