Registering the Microsoft Teams Bot in Azure
- Kiss, Mate
- Zszugyi
In order to complete the steps below, you must have Application Administrator or Global administrator role in Microsoft Entra.
The registration consists of the following steps:
The following steps have to be done only once per bot. Once it's done, the bot can be used in multiple Microsoft Entra tenants.
Azure Active Directory is now Microsoft Entra ID.
Creating a bot channel registration
Step 1 - Log in to the Azure portal.
Step 2 - Search for Azure Bot in the search box on the top, then click on the link under the Marketplace section.
Step 3 - In the left panel, provide a unique name in the Bot handle field, then select the Subscription and the Resource group. Set the Type of App to either Single Tenant or Multi Tenant. If the bot will be used by multiple tenants, select Multi Tenant.
Step 4 - Click on the Review + Create button, then, if the configuration is correct, click on the Create button. Creating the Azure Bot may take some seconds. Azure will actually create an App Registration and a Bot Service assigned to it.
Adding a Teams Channel to the Bot Service
Step 5 - Once the Bot Channels Registration is completed, search for Bot Services in the search box on the top, then click on the Bot Services link under the Services section.
(Alternatively, the Bot Services can also be found by opening the hamburger menu in the upper right corner, then selecting All services, then the AI + machine learning category.)
Step 6 - Select the Bot Service from the list that was created previously using the name provided at Step 3 (Bot handle).
Step 7 - In the second left panel, under the Settings section, click on the Channels menu.
Step 8 - Under the Available channels section, select the Microsoft Teams option.
Step 9 - Accept the terms of service, select the Microsoft Teams Commercial option, then click Apply.
Step 10 - Select the Calling tab, then tick the Enable calling checkbox.
Step 11 - At the Webhook (for calling) setting, provide the following URL: https://verba_bot_vm.domain.com:9440/api/calling
Replace the verba_bot_vm part with the hostname of the Azure virtual machine which will host the Verba Bot service. At the domain part, use the domain of the Teams tenant (also specified in the SSL certificate).
Step 12 - Click on the Apply button.
Configuring authentication for the bot
Step 13 - Search for App registrations in the search box on the top, then click on the App registrations link under the Services section.
(Alternatively, the App registrations can also be found by opening the hamburger menu in the upper right corner, then selecting Microsoft Entra ID, then selecting App registrations in the left panel.)
Step 14 - Select the App Registration from the list that was created previously using the name provided at Step 3 (Bot handle).
Step 15 - Take a note of the Application (client) ID and the Directory (tenant) ID. They will be needed later.
Step 16 - Select the Certificates & secrets menu in the left panel.
Step 17 - Under the Client secrets section, click on the New Client Secret button.
Step 18 - Provide a Description, set when the secret Expires, then click on the Add button.
Step 19 - Take a note of the new Client secret. It will be needed later.
Step 20 - In the left panel, under the Manage section, click on the Authentication menu.
Step 21 - Under the Platform configuration section, click on the Add a platform button.
Step 22 - In the right panel, select Web.
Step 23 - Provide a Redirect URI. It can be any website. Take a note of the URI provided; it will be needed later.
Step 24 - Click on the Configure button at the bottom.
Configuring permissions to the bot
Step 25 - In the left panel, under the Manage section, click on the API permissions menu.
Step 26 - Click on the Add a permission button.
Step 27 - Select Microsoft Graph, then select Application permissions.
Step 28 - Select the following permissions:
- Calendars.Read
- Calls.AccessMedia.All
- Calls.JoinGroupCall.All
- Calls.JoinGroupCallAsGuest.All
- OnlineMeetings.Read.All
- User.Read.All
Using the same App Registration for Chat Recording
The same App Registration can be used for chat recording. In that case, also add the following permissions:
- Group.Read.All
- Chat.Read.All
- ChannelMessage.Read.All
- ChannelMember.Read.All
- Directory.Read.All
- Files.Read.All
- Sites.Read.All
If Chat recording will be used, protected API access has to be requested. See the Protected API Access for Chat Recording section at the bottom.
Step 29 - Click on the Add permissions button.
Granting admin consent to the permissions
Separate Azure tenants for the recording provider (bot) and for the Teams environment to record
In the case when the recorded Teams environment and the recording bot are in separate Microsoft Entra tenants, the following steps have to be done using the Tenant ID of the Microsoft Entra tenant where the Teams environment to record resides, and also using a user that has the Teams Service Admin or Global Admin role in that tenant. In order to gather the Tenant ID for Step 29, you have to log in to the Azure portal of that tenant, then go to Microsoft Entra ID.
Multi-Tenant configuration:
If the same bot is being used in multiple tenants, then the following steps have to be done for each tenant using the guidelines above.
Step 30 - Build the consent URL. The format is the following:
https://login.microsoftonline.com/{tenant_id}/adminconsent?client_id={microsoft_app_id}&state=12345&redirect_uri={redirect_uri}
Replace the {tenant_id} part with the Directory (tenant) ID and the {microsoft_app_id} part with the Application (client) ID from Step 14. Replace the {redirect_uri} part with the URI from Step 22.
Step 31 - Copy the previously created consent URL into the browser, then hit enter. Log in with a Teams Service Admin or Global Admin user of the Microsoft Entra tenant where the Teams environment to record resides. Click on the Accept button. The page will redirect to the webpage provided in the Redirect URI setting.
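The consent URL from Step 30 and the redirect from Step 31 can be built and checked in PowerShell. This is an added example, not part of the original guide: the function names and sample IDs are hypothetical, it uses a random state value instead of the fixed 12345 so the redirect can be matched to the request, and it assumes the admin_consent, tenant, state and error parameters that the Microsoft Entra admin consent endpoint appends to the redirect URI.

```powershell
# Added example: build the admin consent URL (Step 30) and check the redirect (Step 31).
Add-Type -AssemblyName System.Web   # HttpUtility, used to parse the returned query string

function New-AdminConsentRequest {
    param(
        [Parameter(Mandatory)][guid]$TenantId,    # Directory (tenant) ID of the tenant to record
        [Parameter(Mandatory)][guid]$ClientId,    # Application (client) ID of the bot
        [Parameter(Mandatory)][uri]$RedirectUri   # Redirect URI configured on the App Registration
    )
    if (-not $RedirectUri.IsAbsoluteUri) { throw "Redirect URI must be absolute: $RedirectUri" }
    $state = [guid]::NewGuid().ToString('N')      # unpredictable value, echoed back in the redirect
    # OriginalString keeps the URI exactly as registered (no trailing slash is appended).
    $url = 'https://login.microsoftonline.com/{0}/adminconsent?client_id={1}&state={2}&redirect_uri={3}' -f `
        $TenantId, $ClientId, $state, [uri]::EscapeDataString($RedirectUri.OriginalString)
    [pscustomobject]@{ Url = $url; State = $state; TenantId = $TenantId.ToString() }
}

function Test-AdminConsentRedirect {
    param(
        [Parameter(Mandatory)]$Request,           # object returned by New-AdminConsentRequest
        [Parameter(Mandatory)][uri]$ReturnedUrl   # browser address after clicking Accept
    )
    $q = [System.Web.HttpUtility]::ParseQueryString($ReturnedUrl.Query)
    if ($q['error'])                        { throw "Consent failed: $($q['error']) $($q['error_description'])" }
    if ($q['state'] -ne $Request.State)     { throw 'State mismatch: redirect does not belong to this request' }
    if ($q['tenant'] -ne $Request.TenantId) { throw "Consent was granted in another tenant: $($q['tenant'])" }
    return $q['admin_consent'] -eq 'True'
}

# Constructed sample values, not real identifiers.
$req = New-AdminConsentRequest -TenantId '11111111-1111-1111-1111-111111111111' `
    -ClientId '22222222-2222-2222-2222-222222222222' -RedirectUri 'https://www.verba.com'
$req.Url
# Simulated redirect in the shape Step 31 produces after a successful consent.
$back = "https://www.verba.com/?admin_consent=True&tenant=$($req.TenantId)&state=$($req.State)"
Test-AdminConsentRedirect -Request $req -ReturnedUrl $back
```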
2N Recording
Step 32 (Optional) - In the case of 2N recording, all the steps above have to be done twice. Take a note of the second Application (client) ID also at Step 14. It will be needed in the next part of the configuration guide.
The Microsoft Teams Bot can also be registered using Azure CLI and PowerShell commands.
Step 1 - Download and install the Azure CLI.
Step 2 - Open PowerShell and log in to Azure using the az login command. For example:
az login -u "[user_UPN]" -p "[password]"
Step 3 - Create the App registration using the az ad app create command. Provide an App secret also. When it is done, take a note of the App Id; it will be needed in the later commands, in Verba configuration, and in the Teams recording policy.
$app = az ad app create --display-name "[app_display_name]" --available-to-other-tenants --reply-urls "https://www.verba.com" --password "[app_secret]" --credential-description "[app_secret_description]" --end-date [app_secret_validity_in_years] | ConvertFrom-Json
$appID = $app.appId
echo $appID
Step 4 (Optional) - Assign a user to the App registration as owner using the az ad app owner add command:
az ad app owner add --id $appID --owner-object-id "[user_object_id]"
Step 5 - Add permissions to the App registration using the az ad app permission add command:
az ad app permission add --id $appID --api 00000003-0000-0000-c000-000000000000 --api-permissions a7a681dc-756e-4909-b988-f160edc6655f=Role 284383ee-7f6e-4e40-a2a8-e85dcb029101=Role 4c277553-8a09-487b-8023-29ee378d8324=Role f6b49018-60ab-4f81-83bd-22caeabfed2d=Role fd7ccf6b-3d28-418b-9701-cd10f5cd2fd4=Role c1684f21-1984-47fa-9d61-2dc8c296bb70=Role df021288-bdef-4463-88db-98f22de89214=Role
Step 6 (Optional) - If the same App Registration will also be used for Chat recording, then add the following permissions as well:
az ad app permission add --id $appID --api 00000003-0000-0000-c000-000000000000 --api-permissions 3b55498e-47ec-484f-8136-9013221c06a9=Role 5b567255-7703-4780-807c-7be8301ae99b=Role 7b2449af-6ccd-4f4d-9f78-e550c193f0d1=Role 6b7d71aa-70aa-4810-a8d9-5d9fb2830017=Role
Step 7 - Grant admin consent using the az ad app permission admin-consent command:
az ad app permission admin-consent --id $appID
Step 8 - Create the Bot channels registration using the az bot create command:
az bot create -n "[bot_channels_registration_name]" -k "registration" --appid $appID --subscription "[Azure_subscription_name]" -l "[location]" -g "[resource_group_name]"
Step 9 - Add the Teams channel to the Bot channels registration using the az bot msteams create command:
az bot msteams create -n "[bot_channels_registration_name]" -g "[resource_group_name]" --subscription "[Azure_subscription_name]" --enable-calling --calling-web-hook "https://[bot_server_CNAME]:9440/api/calling"
Step 10 (Optional) - If Chat recording will be used, protected API access has to be requested. See the Protected API Access for Chat Recording section at the bottom.
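Steps 5 and 6 pass Microsoft Graph permissions as bare GUIDs, so it is worth resolving them to names and comparing them with the permission list of this guide before running the admin consent in Step 7. The following is an added example, not part of the original guide: Resolve-RequestedRole is a hypothetical helper, and the sample GUIDs are constructed placeholders rather than real Graph role IDs.

```powershell
# Added example: resolve the Graph application permissions an App registration requests.
$GraphAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph, as used in Step 5

function Resolve-RequestedRole {
    param(
        [Parameter(Mandatory)]$AppRoles,       # appRoles of the Microsoft Graph service principal
        [Parameter(Mandatory)]$Permissions,    # output of 'az ad app permission list'
        [string[]]$Expected = @()              # permission names the guide lists as required
    )
    $byId = @{}
    foreach ($r in $AppRoles) { $byId[[string]$r.id] = $r.value }
    $names = foreach ($p in $Permissions) {
        if ($p.resourceAppId -ne $GraphAppId) { continue }
        foreach ($a in $p.resourceAccess) {
            if ($a.type -ne 'Role') { continue }          # application permissions only
            if ($byId.ContainsKey($a.id)) { $byId[$a.id] } else { "UNKNOWN:$($a.id)" }
        }
    }
    [pscustomobject]@{
        Requested  = @($names | Sort-Object)
        Unexpected = @($names | Where-Object { $_ -notin $Expected })   # requested but not in the guide
        Missing    = @($Expected | Where-Object { $_ -notin $names })   # in the guide but not requested
    }
}

# Live use after az login (Steps 2 to 6):
#   $roles = (az ad sp show --id $GraphAppId | ConvertFrom-Json).appRoles
#   $perms = az ad app permission list --id $appID | ConvertFrom-Json

# Constructed sample data (placeholder GUIDs, not real Graph role IDs).
$roles = @(
    [pscustomobject]@{ id = 'aaaaaaaa-0000-0000-0000-000000000001'; value = 'Calls.JoinGroupCall.All' }
    [pscustomobject]@{ id = 'aaaaaaaa-0000-0000-0000-000000000002'; value = 'Mail.ReadWrite' }
)
$perms = @([pscustomobject]@{ resourceAppId = $GraphAppId; resourceAccess = @(
    [pscustomobject]@{ id = 'aaaaaaaa-0000-0000-0000-000000000001'; type = 'Role' }
    [pscustomobject]@{ id = 'aaaaaaaa-0000-0000-0000-000000000002'; type = 'Role' }) })
Resolve-RequestedRole -AppRoles $roles -Permissions $perms -Expected 'Calls.JoinGroupCall.All', 'User.Read.All'
```

Any entry under Unexpected or UNKNOWN is a permission the bot would receive tenant-wide once admin consent is granted.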