Creating a Microsoft Teams Application for IdentityIQ in Azure

The Microsoft Teams application for IdentityIQ in Azure specifies the scope utilized by the IdentityIQ Microsoft Teams feature. Within this application, you configure authentication parameters, establish a client secret, and select the appropriate Microsoft API permissions. This application will be associated with the Azure bot resource. Values from this application will also be needed for the .env file used to configure the IdentityIQ service code.

Note: It is essential to follow the specified sequence of steps as mentioned in the document when creating the necessary applications for integrating IdentityIQ with Microsoft Teams. For a visual guide to the recommended setup order, refer to Best Practices for Configuring IdentityIQ Microsoft Teams.

Important: This guide ONLY provides instructions for configuring specific Azure component configurations required to support IdentityIQ’s Notifications and Access Request Approval work item features in Microsoft Teams. It is intended as an aid to implementers but should be used in conjunction with Microsoft’s official documentation to ensure access to the most accurate and up-to-date information. For broader information on Azure or general setup tasks related to Microsoft Teams and SSO, please refer to Microsoft's official documentation.

Perform the following steps to create a Microsoft Teams application for IdentityIQ:

1. Sign into Azure portal and navigate to your Microsoft Entra ID.

2. Under Manage > App registrations, select + New registration.

   

3. On the Registration page, provide the following details:

   

   1. Name - Type a name for Microsoft Teams application for IdentityIQ. See Best Practices for Configuring IdentityIQ Microsoft Teams to define an appropriate application name.

   2. Supported account types – Select Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant).

   3. Redirect URL (Optional) – Leave this field blank.

   4. Select Register.

      Note: Once created, overview details of the application including Display name, Application (client) ID, Object ID, Directory (tenant) ID etc. will be displayed. Copy and save Application (client) ID for use during Creating an Azure Bot for IdentityIQ's Microsoft Teams , Creating an Azure Active Directory Application in IdentityIQ, and Installing and Configuring the IdentityIQ Service Code.

4. Configure an Authentication redirect URI:

   1. In the left navigation, select Authentication.

   2. Select + Add a platform.

   3. On the Configure platforms dialog, select Web.

   4. On the Configure Web dialog, provide the following details:

      

      1. Add https://token.botframework.com/.auth/web/redirect as the Redirect URIs.

      2. Under Implicit grant and hybrid flows section, select the checkbox for Access tokens and ID tokens.

      3. Select Configure.

5. Create a client secret for the application:

   1. In the left navigation, select Certificate and secrets.

   2. Under the Client secrets tab, select + New client secret.

   3. In the dialog that displays:

      

      1. Provide a Description for the secret.

      2. Select a time of expiration in Expires field.

      3. Select Add.

      Note: After the client secrets are added, its details are displayed including description, expiration, value, and secret ID. These details will be required for the IdentityIQ service code configuration in Creating an Azure Bot for IdentityIQ's Microsoft Teams and Installing and Configuring the IdentityIQ Service Code. Therefore, make a note of all the details and keep it safe.

6. Configure the API permissions for the application:

   1. In the left navigation, select API permissions.

   2. Select + Add a permission.

   3. In the dialog that displays:

      1. Under the Microsoft APIs tab, select Microsoft Graph.

         

      2. Select Delegated permissions.

         

      3. Under OpenId permissions, add the following:

         • email

         • offline_access

         • openid

         • profile

      4. Select Add permissions

   4. Select + Add a permission.

   5. In the dialog that displays, perform the following steps:

      1. Under the My APIs tab, select API Access application created.

         Note: A dialog appears and displays the API Access Application name, and the Application ID URI which was set in Creating an API Access Application in Azure.

      2. Select Delegated Permission.

      3. Select GetToken checkbox.

         Note: GetToken was created in Creating an API Access Application in Azure.

      4. Select Add permissions.

   6. On the API permissions page, select Grant admin consent for <tenant name>.

      

   7. Select Yes on the confirmation pop-up. The page displays all the permissions that are now granted.

7. In the left navigation, select Expose an API.

8. Select Add for Application ID URI.

9. On the pop-up that displays, add botid- to the URI syntax.

   For example, if the URI syntax is, api://<application (client) id>, update it to, api://botid-<application (client) id>.

   

10. Select Save.

11. Add a GetToken scope:

    

    1. On the Expose an API page, select + Add a scope.

    2. In the dialog that displays:

       1. Scope name – Type GetToken.

       2. Who can consent – Select Admins and users.

       3. Add display names and descriptions for Admin consent and User consent.

       4. Select Enabled state.

       5. Select Add scope.

12. Add an access_as_user scope:

    

    1. On the Expose an API page, select + Add a scope.

    2. In the dialog that displays:

       1. Scope name – Type access_as_user.

       2. Who can consent – Select Admins and users.

       3. Add display names and descriptions for Admin consent and User consent.

       4. Select Enabled state.

       5. Select Add scope.

13. Authorize desktop and mobile applications to use this application.

    

    1. On the Expose an API page, select + Add a client application.

    2. In the dialog that displays:

       1. Add 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 into Client ID field.

          Note: This is Global Client ID for Microsoft Teams web. This value is provided by Microsoft; refer to Microsoft's documentation for details about the Client ID.

       2. Select the Authorized scopes for GetToken and access_as_user.

       3. Select Add application.

    3. On the Expose an API page, select + Add a client application.

    4. In the dialog that displays:

       1. Add 1fec8e78-bce4-4aaf-ab1b-5451cc387264 into Client ID field.

          Note: This is Global Client ID for Microsoft Teams mobile. This value is provided by Microsoft; refer to Microsoft's documentation for details about the Client ID.

       2. Select the Authorized scopes for GetToken and access_as_user.

       3. Select Add application.

You now have successfully created a Microsoft Team application in Azure. For next step, refer Creating an Azure Active Directory Application in IdentityIQ.