Creating a Microsoft Teams Application for IdentityIQ in Azure
This Azure application defines the scope that can be used by the IdentityIQ Microsoft Teams Notifications feature. In this app, you define authentication parameters, set a client secret, and choose which Microsoft Graph API permissions to expose. You will use some values from this app in IdentityIQ, to ensure secure communication between IdentityIQ and Azure.
Important: Details on how to configure Azure components are provided in this guide as an aid to implementers; however, implementers should also consult Microsoft's documentation on Azure and Microsoft Teams to ensure that they have the most accurate and up-to-date information on these platforms. This guide only discusses actions in Azure that are required as part of IdentityIQ's Microsoft Teams Notifications feature, and does not discuss more general Azure concepts or actions that may be part of setting up Microsoft Teams and SSO for your organization.
1. Navigate to your Azure Active Directory home.
2. In the left navigation, click App registrations.
3. Click New Registration.
4. Enter a Name for your application. When creating applications, it's a good idea to name them according to function; for example, IdentityIQ Teams.
5. Under Supported account types, choose the Multitenant option.
6. Click Register.
7. Configure an Authentication redirect URI:
   1. In the left navigation, click Authentication.
   2. Click Add platform.
   3. In the Configure Platforms panel that opens at right, click the Web tile.
   4. Enter a Redirect URI. Use this value for the redirect: https://token.botframework.com/.auth/web/redirect
   5. Under Implicit grant and hybrid flows, make sure both flows are checked.
   6. Save your edits.
8. Create a client secret for the application:
   1. In the left navigation, click Certificates and secrets.
   2. Click New client secret.
   3. Add a description and expiration date.
   4. Click Add.
   IMPORTANT: This is the only time the client secret is available to be copied. Use the copy icon to copy and save the secret. You will need the secret later, when creating your Azure bot, configuring the service code, and configuring IdentityIQ's integration properties.
9. Configure the API permissions for the application:
   1. In the left navigation, click API permissions.
   2. Click Add a permission.
   3. Under the Microsoft APIs tab, choose Microsoft Graph and select these options in the Delegated Permissions list:
      - email
      - offline_access
      - openid
      - profile
      Then click Add permissions.
      Note: If User.Read is present and selected, you can leave it selected.
   4. In the left navigation, click API permissions.
   5. Click Add a permission.
   6. Under the My APIs tab, choose the API Application you created earlier (as described in the Creating an API Application in Azure section). Select your GetToken permission and click Add permissions.
   7. The API permissions page now shows a list of the API permissions you have created. Check Grant admin consent for (MyTenant), where MyTenant is the name of your tenant. Then click Yes to confirm.
10. In the left navigation, click Expose an API.
11. Click Set for the Application ID URI.
12. Edit the URI to add botid- immediately after the api:// in the URI. Be sure to include the dash after botid. Click Save.
13. Add an access_as_user scope:
   1. Click Add a scope. Give it a Scope name and choose Admins and users. Provide Admin and user consent descriptions; these are the messages that will appear to users if they need to give authorization.
   2. Enter a Scope name, for example, access_as_user.
   3. Add names and descriptions for Admin consent and User consent.
   4. Make sure the state is Enabled.
   5. Click Add Scope to save your changes.
14. Add a GetToken scope:
   1. Click Add a scope. Give it a Scope name and choose Admins and users. Provide Admin and user consent descriptions; these are the messages that will appear to users if they need to give authorization.
   2. Enter a Scope name, for example, GetToken.
   3. Add names and descriptions for Admin consent and User consent.
   4. Make sure the state is Enabled.
   5. Click Add Scope to save your changes.
15. Authorize desktop and mobile applications to use this application:
   1. Click Add a client application.
   2. For the Microsoft Teams web client, enter this value as the Client ID: 5e3ce6c0-2b1f-4285-8d4b-75ee78787346. This value is provided by Microsoft; refer to Microsoft's documentation for details about the Client ID.
   3. Check the Authorized scopes option.
   4. Click Add application.
   5. Repeat steps 1-4 above, substituting this value in step 2: for the Microsoft Teams mobile and desktop clients, enter this value as the Client ID: 1fec8e78-bce4-4aaf-ab1b-5451cc387264. This value is provided by Microsoft; refer to Microsoft's documentation for details about the Client ID.
16. Once your Microsoft Teams application is configured, copy and save the Application (client) ID value. You will need this value later, when creating your Microsoft Teams bot and configuring IdentityIQ's integration with Microsoft Teams.
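As an added verification step, not part of this guide or of IdentityIQ itself, the following Python script checks an exported app registration against the settings configured above: the Bot Framework redirect URI, both implicit grant flows, the api://botid- Application ID URI, the two enabled Admins-and-users scopes, both Microsoft Teams client IDs pre-authorized for every scope, and an unexpired client secret. It assumes the registration is in the Microsoft Graph application resource shape (identifierUris, web, api, passwordCredentials); the sample manifest, its appId and its scope ids are constructed for this example.

```python
from datetime import datetime, timezone

# Values taken from the procedure; the two client IDs are Microsoft's Teams clients.
REDIRECT_URI = "https://token.botframework.com/.auth/web/redirect"
TEAMS_CLIENTS = {"5e3ce6c0-2b1f-4285-8d4b-75ee78787346",   # Teams web client
                 "1fec8e78-bce4-4aaf-ab1b-5451cc387264"}   # Teams desktop/mobile
REQUIRED_SCOPES = {"access_as_user", "GetToken"}

def check_app(app, now=None):
    """Return findings; an empty list means the registration matches the steps.
    `app` is assumed to use the Microsoft Graph application resource shape."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if f"api://botid-{app['appId']}" not in app.get("identifierUris", []):
        findings.append("Application ID URI is not api://botid-<Application (client) ID>")
    web = app.get("web", {})
    if REDIRECT_URI not in web.get("redirectUris", []):
        findings.append("Bot Framework redirect URI is missing")
    grant = web.get("implicitGrantSettings", {})
    if not (grant.get("enableAccessTokenIssuance") and grant.get("enableIdTokenIssuance")):
        findings.append("both implicit grant and hybrid flows must be checked")
    api = app.get("api", {})
    # Only enabled scopes of type "User" (Admins and users in the portal) count.
    enabled = {s["value"]: s["id"] for s in api.get("oauth2PermissionScopes", [])
               if s.get("isEnabled") and s.get("type") == "User"}
    for missing in sorted(REQUIRED_SCOPES - enabled.keys()):
        findings.append(f"scope {missing} is missing, disabled, or admin-only")
    preauth = {p["appId"]: set(p.get("delegatedPermissionIds", []))
               for p in api.get("preAuthorizedApplications", [])}
    for client in sorted(TEAMS_CLIENTS):
        if not set(enabled.values()) <= preauth.get(client, set()):
            findings.append(f"Teams client {client} is not authorized for every scope")
    if not any(datetime.fromisoformat(c["endDateTime"]) > now
               for c in app.get("passwordCredentials", [])):
        findings.append("no unexpired client secret on the registration")
    return findings

# Constructed sample manifest: the appId and scope ids are made up for this example.
SAMPLE_APP = {
    "appId": "11111111-2222-3333-4444-555555555555",
    "identifierUris": ["api://botid-11111111-2222-3333-4444-555555555555"],
    "web": {"redirectUris": [REDIRECT_URI], "implicitGrantSettings": {
        "enableAccessTokenIssuance": True, "enableIdTokenIssuance": True}},
    "api": {"oauth2PermissionScopes": [
        {"id": "s-1", "value": "access_as_user", "isEnabled": True, "type": "User"},
        {"id": "s-2", "value": "GetToken", "isEnabled": True, "type": "User"}],
        "preAuthorizedApplications": [{"appId": c, "delegatedPermissionIds": ["s-1", "s-2"]}
                                      for c in TEAMS_CLIENTS]},
    "passwordCredentials": [{"endDateTime": "2099-01-01T00:00:00+00:00"}],
}
```

Run check_app on the JSON returned for your registration from Microsoft Graph; any non-empty list points at a step above that was skipped or changed.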
For more information, see: