Puzzel Microsoft Teams Azure authentication setup

Some features in Puzzel’s contact centre agent application require users (agents) to authenticate themselves in Azure AD. Among other things, the authentication is used to enable contact search in Microsoft Teams, but it can also be used for Azure authentication towards custom/external widgets.

This document gives a step-by-step description of how to configure Microsoft Teams in Azure AD to get the App ID URI required by the agent application for authenticating the user (agent).

Please note that if you already have Skype for Business configured within Azure AD and have an App ID URI, you only need to add the additional permissions listed in the “Adding permissions to Microsoft Teams” section. You are not required to configure a separate Microsoft Teams app, as the App ID URI for Skype will work.

Registering Microsoft Teams App in Azure

The following procedure takes you through the steps of configuring the Microsoft Teams App in Azure AD. At the end of this process, you will be given an App ID URI, required by the Agent Application for authenticating the agents.

Microsoft Teams does not require a separate App ID URI if you already have Skype for Business registered within Azure. Please perform the steps in this section ONLY if you do not have Skype for Business configured. Otherwise, you can move to Section 3 to add the permissions needed to use contacts and calendars from Teams.

Setup Microsoft Teams App in Azure

Step 1:

Go to https://portal.azure.com and log in with Global Admin privileges for your domain. Choose “Azure Active Directory” from the list of featured apps.

Step 2:

Select App registrations

Step 3:

Click on the New registration option

Step 4:

Puzzel has recently changed the application registration process to be in line with Microsoft’s recommendation for registering an app. We have added support for user authentication with Authorization Code Flow with PKCE, according to Microsoft guidance. Method 1 is the old way, and we advise all new customers to follow Method 2 described below. While we still support Method 1, we urge existing customers to migrate to Method 2 as soon as possible, as described in Step 7.

For more details on MSAL update from Microsoft read here.

Method 1:

Fill in the following 3 sections:

  • Name - Choose a name for the application (e.g. Microsoft Teams)
  • Supported account types – Choose the option that is relevant for you. The recommended option is “Accounts in this organisational directory only (<directory name>)”
  • Redirect URI (optional) – Choose “Web” and “https://agent.puzzel.com”

Method 2:

Fill in the following 3 sections:

  • Name - Choose a name for the application (e.g. Microsoft Teams)
  • Supported account types – Choose the option that is relevant for you. The recommended option is “Accounts in this organisational directory only (<directory name>)”
  • Redirect URI (optional) – Choose “Single-page application” and Hostname: https://agent.puzzel.com

Click on the Register button. Now you should be able to see the given Application (client) ID you need for the admin portal later.

Step 5:

This section helps you configure all the required permissions for the Microsoft Teams App. If you have Skype for Business configured, some of the permissions will already exist. You only need to add the additional ones required for Microsoft Teams.

Add User and Teams presence permissions:

  1. Choose API permissions, click on the Add a permission button and select Microsoft Graph in the right pane. Choose Delegated permissions and select User. Tick the User.Read and User.ReadAll check boxes.
  2. Select Presence from the list and tick the Presence.Read.All check box.
  3. Select Calendars and tick the Calendars.Read.Shared check box.
     If you have Skype for Business configured, you might already have the Calendar permission configured under Exchange, in which case this step can be ignored. If you do not have Skype for Business, you will have to grant this permission.
  4. Click on Add permissions.

Step 6:

Click on the Grant admin consent for <directory name> button and click Yes to confirm.

You should see a “Successfully granted admin consent for the requested permissions” confirmation at the top of the screen.

You will see permissions related to Skype for Business if you are adding permissions to the existing Skype for Business App.

Step 7:

The last thing to do is to choose “Authentication” in the menu and add the following Redirect URI.

For Method 1 in Step 4:

TYPE - Web

Redirect URI - https://agent.puzzel.com/redirect.html

Also, you must tick the “Access tokens” and “ID tokens” checkboxes under Implicit grant.

Click on Save on the top left of the screen.

For Method 2 in step 4, there are no changes to be done and the screen looks like this:

Migration from Method 1 authentication to Method 2:

As mentioned above, we highly recommend that our customers migrate to the Method 2 authentication process. This can be done fairly easily by following the 4 steps listed below:

  1. Go to Authentication page and you will see the following warning as shown in the picture.
  2. Click on the warning to open the Migrate URIs window
  3. Select the URI and click on Configure
  4. Untick the Access tokens and ID tokens under Implicit grant and save the changes.
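
A check for the end state of this migration, as an added example that is not part of Puzzel’s documentation: it reads an exported app registration and reports anything still left on Method 1. The field names follow the Microsoft Graph application resource (for example as printed by `az ad app show --id <app-id>`); the two sample registrations and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

AGENT_HOST = "agent.puzzel.com"  # redirect host given on this page

# Constructed samples, trimmed to the fields checked (Microsoft Graph
# application resource, e.g. as printed by `az ad app show --id <app-id>`).
METHOD1_APP = json.loads("""{
  "signInAudience": "AzureADMyOrg",
  "web": {"redirectUris": ["https://agent.puzzel.com/redirect.html"],
          "implicitGrantSettings": {"enableAccessTokenIssuance": true,
                                    "enableIdTokenIssuance": true}},
  "spa": {"redirectUris": []}}""")
METHOD2_APP = json.loads("""{
  "signInAudience": "AzureADMyOrg",
  "web": {"redirectUris": [],
          "implicitGrantSettings": {"enableAccessTokenIssuance": false,
                                    "enableIdTokenIssuance": false}},
  "spa": {"redirectUris": ["https://agent.puzzel.com"]}}""")


def is_agent_uri(uri):
    """Exact scheme and host match, so look-alike hosts do not pass."""
    parts = urlsplit(uri)
    return parts.scheme == "https" and parts.hostname == AGENT_HOST


def audit_registration(app):
    """Return findings that mean the app is still (partly) on Method 1."""
    findings = []
    web, spa = app.get("web") or {}, app.get("spa") or {}
    implicit = web.get("implicitGrantSettings") or {}
    if implicit.get("enableAccessTokenIssuance"):
        findings.append("implicit grant still issues access tokens")
    if implicit.get("enableIdTokenIssuance"):
        findings.append("implicit grant still issues ID tokens")
    for uri in web.get("redirectUris") or []:
        if is_agent_uri(uri):
            findings.append(f"agent redirect URI still of type Web: {uri}")
    if not any(is_agent_uri(u) for u in spa.get("redirectUris") or []):
        findings.append("no single-page application redirect URI for the agent host")
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("sign-in audience is not 'this directory only'")
    return findings


if __name__ == "__main__":
    for name, app in (("Method 1", METHOD1_APP), ("Method 2", METHOD2_APP)):
        print(name, audit_registration(app) or "no findings")
```

An empty result means the registration matches Method 2: no implicit grant, the agent redirect URI registered as a single-page application, and the recommended single-directory account type.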

Setup for Microsoft Teams integration in Puzzel’s admin portal

In the admin portal, you need to add your Azure app details for Microsoft Teams functionality to work properly.

  1. Add the general agent application authentication properties for your Teams integration. This is done in the admin portal under Users -> Products -> Agent Application. The 5 relevant properties are easily found if you enter “Azure” in the top right filter field. If you have registered the app using Method 1 in Step 4, configure them as follows:
    • Azure AD Login at startup – Enables logging on to Teams when signing in to the agent application, if authenticated.
    • Azure AD Use agent e-mail as login hint – Upon authentication, the e-mail address registered in the user’s Puzzel account is suggested.
    • Azure AD Application ID – Add the Azure App ID fetched from the Azure App setup.
    • Azure AD Tenant – Add your tenant/domain (without https://) for the directory used for fetching contact information.
    • Azure AD use Microsoft identity platform[V2.0][A] – By default this property is turned off, so that existing customers using the old method can continue without disruption to their services.

     If you have registered the app using Method 2 in Step 4, do the following:

    • Azure AD Application ID – Add the Azure App ID fetched from the Azure App setup.
    • Azure AD Login at startup – Enables logging on to Skype for Business when signing in to the agent application, if authenticated.
    • Azure AD Tenant – Add your tenant/domain (without https://) for the directory used for fetching contact information.
    • Azure AD Use agent e-mail as login hint – Upon authentication, the e-mail address registered in the user’s Puzzel account is suggested.
    • Azure AD use Microsoft identity platform[V2.0][A] – Turn this on for the Microsoft-recommended way of authenticating using MSAL.

  2. Save your settings.
  3. Activate the Microsoft Teams widget on your solution if you haven’t already. This is done under Widget -> Widget Administration. Find the “Microsoft Teams” widget (Owner 10000) and tick the rightmost check box.
  4. The Microsoft Teams widget should now be available under Widget -> Widget Configuration -> Microsoft Teams. Unless you want to disable Microsoft Teams for some agents, you should use the default settings:
    • Allowed – Enable or disable Microsoft Teams features for users
    • Module – System property. Do not change
    • Unique Source name – System property. Do not change
  5. Remember to save your settings.

All users in your organization should now have access to search for your company’s Microsoft Teams contacts.

If not already authenticated, users are prompted to do so when signing in or searching for a contact in the Teams search source. They should then sign in with their corporate e-mail address. 

Published: 28/07/2020 - 10:57

Last updated: 28/04/2022 - 13:53