Registering the Microsoft Teams Bot in Azure

To complete the steps below, you must have the Application Administrator or Global Administrator role in Azure.

The registration consists of the following steps:

The following steps have to be done only once per bot. Once it's done, the bot can be used in multiple Azure tenants.

Creating a bot channel registration

Step 1 - Log in to the Azure portal.

Step 2 - Search for Bot Channels Registration in the search box at the top, then click on the link under the Marketplace section.

Step 3 - In the left panel, provide a unique name in the Bot handle field, then select the Subscription, the Resource group, and the Location of the bot channel registration. The Location should be the same region where the Verba Bot virtual machine resides in Azure.

Step 4 - Click on the Create button. Creating the Bot Channel Registration may take a few seconds.

Step 5 - Once the Bot Channels Registration is completed, search for Bot Services in the search box at the top, then click on the link under the Services section.

Step 6 - Select the previously created Bot service from the list.

Step 7 - In the second left panel, under the Bot management section, click on the Channels menu.

Step 8 - Under the Add featured channel section select the Teams icon (Configure Microsoft Teams channel).

Step 9 - Select the Calling tab, then tick the Enable calling checkbox.

Step 10 - At the Webhook (for calling) setting, provide the following URL: https://verba_bot_vm.domain.com:9440/api/calling

Replace the verba_bot_vm part with the hostname of the Azure virtual machine which will host the Verba Bot service. For the domain part, use the domain of the Teams tenant (also specified in the SSL certificate).

Step 11 - Click on the Save button. Agree with the terms of service.

Step 12 - In the second left panel, under the Bot management section, click on the Settings menu.

Step 13 - Take a note of the Microsoft App ID. It will be needed later.

Configuring authentication for the bot

Step 14 - Click on the Manage link next to the Microsoft App ID.

Step 15 - Under the Client secrets section, click on the New Client Secret button.

Step 16 - Provide a Description, set when the secret Expires, then click on the Add button.

Step 17 - Take a note of the new Client secret. It will be needed later.

Step 18 - In the left panel, under the Manage section, click on the Authentication menu.

Step 19 - Under the Platform configuration section, click on the Add a platform button.

Step 20 - In the right panel, select Web.

Step 21 - Provide a Redirect URI. It can be any website. Take a note of the URI provided; it will be needed later.

Step 22 - Click on the Configure button at the bottom.

Configuring permissions to the bot

Step 23 - In the left panel, under the Manage section, click on the API permissions menu.

Step 24 - Click on the Add a permission button.

Step 25 - Select Microsoft Graph, then select Application permissions.

Step 26 - Select the following permissions:

    • Calls.AccessMedia.All
    • Calls.Initiate.All
    • Calls.InitiateGroupCall.All
    • Calls.JoinGroupCall.All
    • Calls.JoinGroupCallAsGuest.All
    • OnlineMeetings.Read.All
    • User.Read.All

Step 27 - Click on the Add permissions button.

Granting admin consent to the permissions

Separate Azure tenants for the recording provider (bot) and for the Teams environment to record

When the recorded Teams environment and the recording bot are in separate Azure tenants, the following steps have to be done in the Teams tenant. To gather the Tenant ID in Steps 28-29, log in to the Azure portal of the tenant where the Teams environment to record resides.

Step 28 - Open the main Azure hamburger menu (in the upper left corner) and select the Azure Active Directory menu.

Step 29 - Take a note of the Tenant ID. It will be needed later.

Registering the Microsoft Teams Bot using Azure CLI and PowerShell

The Microsoft Teams Bot can also be registered using Azure CLI and PowerShell commands.

Step 1 - Download and install the Azure CLI.

Step 2 - Open PowerShell and log in to Azure using the az login command. For example:

az login -u "[user_UPN]" -p "[password]"

Step 3 - Create the App registration using the az ad app create command. Also provide an App secret. When it is done, take a note of the App Id; it will be needed in the later commands, in the Verba configuration, and in the Teams recording policy.

$app = az ad app create --display-name "[app_display_name]" --available-to-other-tenants --reply-urls "https://www.verba.com" --password "[app_secret]" --credential-description "[app_secret_description]" --end-date [app_secret_validity_in_years] | ConvertFrom-Json
$appID = $app.appId
echo $appID

Step 4 (Optional) - Assign a user to the App registration as owner using the az ad app owner add command:

az ad app owner add --id $appID --owner-object-id "[user_object_id]"

Step 5 - Add permissions to the App registration using the az ad app permission add command:

az ad app permission add --id $appID --api 00000003-0000-0000-c000-000000000000 --api-permissions a7a681dc-756e-4909-b988-f160edc6655f=Role 284383ee-7f6e-4e40-a2a8-e85dcb029101=Role 4c277553-8a09-487b-8023-29ee378d8324=Role f6b49018-60ab-4f81-83bd-22caeabfed2d=Role fd7ccf6b-3d28-418b-9701-cd10f5cd2fd4=Role c1684f21-1984-47fa-9d61-2dc8c296bb70=Role b8bb2037-6e08-44ac-a4ea-4674e010e2a4=Role df021288-bdef-4463-88db-98f22de89214=Role 741f803b-c850-494e-b5df-cde7c675a1ca=Role

Step 6 - Grant admin consent using the az ad app permission admin-consent command:

az ad app permission admin-consent --id $appID

Step 7 - Create the Bot channels registration using the az bot create command:

az bot create -n "[bot_channels_registration_name]" -k "registration" --appid $appID --subscription "[Azure_subscription_name]" -l "[location]" -g "[resource_group_name]"

Step 8 - Add the Teams channel to the Bot channels registration using the az bot msteams create command:

az bot msteams create -n "[bot_channels_registration_name]" -g "[resource_group_name]" --subscription "[Azure_subscription_name]" --enable-calling --calling-web-hook "https://[bot_server_CNAME]:9440/api/calling"
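
Step 26 of the portal procedure lists seven permissions, while the command in Step 5 passes nine permission IDs, so it is worth checking what the App registration actually requests. The following is an added example, not part of the original guide or of Verba's tooling: it compares the requested permissions against the IDs from Step 5 and reports anything missing or unexpected. The function name, the sample JSON and the 99999999-... ID are constructed for illustration, and the JSON shape is assumed to match the output of az ad app permission list.

```powershell
# Added example, not Verba's code. $expected holds the permission IDs passed in Step 5.
$expected = @(
    'a7a681dc-756e-4909-b988-f160edc6655f', '284383ee-7f6e-4e40-a2a8-e85dcb029101',
    '4c277553-8a09-487b-8023-29ee378d8324', 'f6b49018-60ab-4f81-83bd-22caeabfed2d',
    'fd7ccf6b-3d28-418b-9701-cd10f5cd2fd4', 'c1684f21-1984-47fa-9d61-2dc8c296bb70',
    'b8bb2037-6e08-44ac-a4ea-4674e010e2a4', 'df021288-bdef-4463-88db-98f22de89214',
    '741f803b-c850-494e-b5df-cde7c675a1ca'
)

function Compare-AppPermission {   # hypothetical helper name
    param([string[]]$Expected, [Parameter(Mandatory)][object[]]$RequiredResourceAccess)
    $graph = '00000003-0000-0000-c000-000000000000'   # --api value used in Step 5
    # Flatten the nested structure to one row per requested permission.
    $requested = foreach ($api in $RequiredResourceAccess) {
        foreach ($p in $api.resourceAccess) {
            [pscustomobject]@{ Api = $api.resourceAppId; Id = $p.id; Type = $p.type }
        }
    }
    $onGraph = @($requested | Where-Object { $_.Api -eq $graph -and $_.Type -eq 'Role' }).Id
    [pscustomobject]@{
        # IDs from Step 5 that the App registration does not request.
        Missing    = @($Expected | Where-Object { $_ -notin $onGraph })
        # Anything requested beyond Step 5: other APIs, delegated scopes, extra roles.
        Unexpected = @($requested | Where-Object {
            $_.Api -ne $graph -or $_.Type -ne 'Role' -or $_.Id -notin $Expected })
    }
}

# Constructed sample in the shape assumed for the az CLI output.
# Live use: $rra = az ad app permission list --id $appID | ConvertFrom-Json
$rra = @'
[ { "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      { "id": "a7a681dc-756e-4909-b988-f160edc6655f", "type": "Role" },
      { "id": "f6b49018-60ab-4f81-83bd-22caeabfed2d", "type": "Role" },
      { "id": "99999999-9999-9999-9999-999999999999", "type": "Role" } ] } ]
'@ | ConvertFrom-Json

$report = Compare-AppPermission -Expected $expected -RequiredResourceAccess $rra
"Missing: $($report.Missing.Count)  Unexpected: $($report.Unexpected.Count)"
$report.Unexpected | Format-Table Api, Id, Type
```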

Step 30 - Build the consent URL. The format is the following:

https://login.microsoftonline.com/{tenant_id}/adminconsent?client_id={microsoft_app_id}&state=12345&redirect_uri={redirect_uri}

Replace the {tenant_id} part with the ID from Step 29. Replace the {microsoft_app_id} part with the ID from Step 13. Replace the {redirect_uri} part with the URI from Step 21.

Step 31 - Copy the previously created consent URL into the browser, then press Enter. Log in with a Teams Service Admin or Global Admin user of the Azure tenant where the Teams environment to record resides. Click on the Accept button. The page will redirect to the webpage provided in the Redirect URI setting.

2N Recording

In the case of 2N recording, all the steps above have to be done twice. Also take a note of the second Microsoft App ID at Step 13. It will be needed in the next part of the configuration guide.

Using the same bot in multiple tenants

If the same bot is being used in multiple tenants, then the consent URL has to be created for each tenant (only the tenant ID part changes).
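
The consent URL from Step 30 can be generated per tenant instead of edited by hand. The following is an added example, not part of the original guide: it builds one URL per tenant with the redirect URI URL-encoded, and checks the address the browser lands on after Step 31. It goes beyond the guide in two ways: it uses a random state value per request instead of the fixed 12345, and it assumes the redirect carries the admin_consent, tenant and state query parameters (or error on failure). The function names and all IDs are constructed placeholders.

```powershell
# Added example, not Verba or Microsoft code. Every ID below is a constructed placeholder.
function New-AdminConsentUrl {
    param(
        [Parameter(Mandatory)][guid]$TenantId,        # Step 29 (Teams tenant)
        [Parameter(Mandatory)][guid]$MicrosoftAppId,  # Step 13
        [Parameter(Mandatory)][string]$RedirectUri    # Step 21, exactly as registered
    )
    if (-not [uri]::IsWellFormedUriString($RedirectUri, [UriKind]::Absolute)) {
        throw "Redirect URI is not an absolute URI: $RedirectUri"
    }
    $state = [guid]::NewGuid().ToString('N')   # random value, echoed back on the redirect
    $fmt = 'https://login.microsoftonline.com/{0}/adminconsent?client_id={1}&state={2}&redirect_uri={3}'
    $url = $fmt -f $TenantId, $MicrosoftAppId, $state, [uri]::EscapeDataString($RedirectUri)
    [pscustomobject]@{ TenantId = "$TenantId"; State = $state; Url = $url }
}

function Test-AdminConsentResult {
    param([Parameter(Mandatory)]$Request, [Parameter(Mandatory)][uri]$LandingUrl)
    # Parse the query string of the page the browser was redirected to.
    $q = @{}
    foreach ($pair in ($LandingUrl.Query.TrimStart('?') -split '&')) {
        $name, $value = $pair -split '=', 2
        if ($null -ne $value) { $q[$name] = [uri]::UnescapeDataString($value) }
    }
    if ($q['error'])                        { return "FAILED: $($q['error'])" }
    if ($q['state'] -ne $Request.State)     { return 'FAILED: state does not match this request' }
    if ($q['tenant'] -ne $Request.TenantId) { return 'FAILED: consent was given in a different tenant' }
    if ($q['admin_consent'] -ne 'True')     { return 'FAILED: admin_consent flag missing' }
    'OK'
}

$appId   = '11111111-1111-1111-1111-111111111111'
$tenants = '22222222-2222-2222-2222-222222222222', '33333333-3333-3333-3333-333333333333'
$requests = foreach ($t in $tenants) {
    New-AdminConsentUrl -TenantId $t -MicrosoftAppId $appId -RedirectUri 'https://www.verba.com'
}
$requests | Format-List TenantId, Url

# Constructed landing URL, shaped like the redirect that follows the Accept button in Step 31.
$landing = "https://www.verba.com/?admin_consent=True&tenant=$($tenants[0])&state=$($requests[0].State)"
Test-AdminConsentResult -Request $requests[0] -LandingUrl $landing
Test-AdminConsentResult -Request $requests[1] -LandingUrl $landing
```

The second call checks the landing URL against another tenant's request, so the state comparison rejects it.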