Configure the Microsoft Teams tenant
Connecting to Microsoft Teams is done through access to Microsoft's Graph APIs. This connection ensures robust and comprehensive integration into the Microsoft ecosystem.
To learn more about the Microsoft API:
https://docs.microsoft.com/fr-fr/graph/overview
And more specifically on the subject of Microsoft Teams:
https://docs.microsoft.com/en-us/graph/teams-concept-overview
For this part, we need to register a Syfadis application in order to authorize the platform to connect to your company's tenant.
Create a Syfadis application on Microsoft Entra ID
Creating a Syfadis application in the Microsoft Entra ID environment allows you to benefit from all the permissions for connections between Microsoft Teams and Syfadis Xperience.
You must sign in as an administrator to the Microsoft Entra ID portal (formerly Azure Active Directory) in order to set up the app.
The administrator performs the following actions:
Register an application
Access the Microsoft Entra ID admin centre through the portal (https://portal.azure.com) to add the Syfadis application.
Access to enterprise applications
A new Syfadis application must be created that allows the creation of identity keys that will establish the connection with the Syfadis Xperience platform.
Click Create your own application.
Creating the application in the Microsoft tenant
In the pop-in, configure the name and type of application.
Creating the app
After the app is created, the site redirects to the app page. There you will find some of the information related to the connection between Microsoft Teams and Syfadis Xperience.
The application (client) and directory (tenant) IDs are visible on this screen. You can note these values in a file for the duration of the procedure. This page remains accessible.
Syfadis application page
Define callback URIs
Click on Authentication then Add a platform.
In the Configure platforms/Web applications section, click Web.
Enter the Redirect URI. In our example: https://<YourURI>/Directory/Login/GetAzureAccessToken
This URI must be entered so that the Microsoft Teams tenant knows the return URI.
Note:
If the Xperience configuration setting Use Azure application mode for scope application is set to True, this step can be skipped.
Important - The URI is case-sensitive.
Depending on your Teams environment (single or multi-tenant), select either:
Accounts in this organisational directory only (Single tenant)
Accounts in any organisational directory (Any Microsoft Entra ID tenant – Multi tenant)
Click Save.
Generate a secret key
In order to make this application work, in addition to the credentials, you need to generate a secret key for use.
In Microsoft Entra ID, go to app registrations.
Select the app you created.
Generate the connection secret.
You will not be able to retrieve this key afterwards.
Keep this key at least for the duration of the procedure (even if it is still displayed temporarily afterwards).
Invalidate the secret key
You can invalidate a secret key and generate new ones if you lose it. In this case, update the key in the training platform (at the configuration level).
For added security, Microsoft recommends that you change the key periodically, and set a validity date for it.
This also allows for control of access to the tenant by third-party applications. You can choose a distant date in the LMS, but keep a reminder to update it if necessary.
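The reminder to renew the key can be automated. The script below is an added example, not part of the Syfadis documentation: it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications module) is installed, and the function name and the 30-day threshold are illustrative choices.

```powershell
# Added example: list the client secrets of the Syfadis app registration and
# flag those that are expired or close to expiry. Only metadata is read;
# Graph never returns the secret value itself.
function Get-SecretExpiryStatus {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $PasswordCredentials,
        [int] $WarnDays = 30,                              # illustrative threshold
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    foreach ($cred in $PasswordCredentials) {
        $daysLeft = [math]::Floor(($cred.EndDateTime - $Now).TotalDays)
        $status = if ($daysLeft -lt 0) { 'Expired' } elseif ($daysLeft -le $WarnDays) { 'RotateSoon' } else { 'OK' }
        [pscustomobject]@{
            KeyId       = $cred.KeyId
            DisplayName = $cred.DisplayName
            EndDateTime = $cred.EndDateTime
            DaysLeft    = $daysLeft
            Status      = $status
        }
    }
}

Connect-MgGraph -Scopes 'Application.Read.All'
$appId = '<application (client) ID>'                       # placeholder, from the app page
$app   = Get-MgApplication -Filter "appId eq '$appId'"

# An empty result means the registration has no client secret at all.
Get-SecretExpiryStatus -PasswordCredentials @($app.PasswordCredentials) |
    Sort-Object DaysLeft |
    Format-Table KeyId, DisplayName, EndDateTime, DaysLeft, Status
```

After generating a new key, update it in the training platform before deleting the old one so the connector is never left without a valid secret.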
Assign access privileges to the Graph API
In order to use the API, the application must be granted certain accesses. These accesses must be granted either at the application level or at the delegated level (necessary for tracking recovery):
Add the permissions by clicking on API permissions / Add a permission.
Adding permissions
A pane then opens to the right.
Choose the Microsoft Graph API, then use the search bar to find the permissions you want to grant:
Request API permissions
Add the necessary permissions at the delegated level and application level, referring to the table below:
As a reminder, there are two types of authorisation that will be used for the configuration of our connector:
The delegated type: means that the application can act in the name and on behalf of a user regarding the authorization in question.
The application type: means that the application itself can act for the authorization in question.
Here is the list of permissions needed for the Teams Connector to work, detailing the need. The definitions of each of these authorisations are as follows: https://learn.microsoft.com/fr-fr/graph/permissions-reference.
| Authorisation | Type | Role | Mode |
|---|---|---|---|
| Calendars.Read | Delegated | Tracking recovery | Complete |
| Calendars.ReadWrite | Application | Organizing the Teams event when the virtual classroom syncs | Complete |
| | Delegated | Microsoft Graph API to access emails. Enable matching Xperience users in the Teams tenant. | Graph API (required) |
| offline_access | Delegated | Allows the Graph API to access and edit information, without the user using the connector. Required for the Graph API for Authentication. | Graph API (required) |
| OnlineMeetingArtifact.Read.All | Delegated | Tracking recovery | Full/Single |
| OnlineMeetingArtifact.Read.All | Application | Participant synchronisation | Full/Single |
| OnlineMeetings.ReadWrite | Delegated | Tracking recovery | Full/Single |
| OnlineMeetings.ReadWrite.All | Application | Creating the Teams event and syncing attendees | Full/Single |
| openid | Delegated | Microsoft Graph API for authentication | API Graph |
| profile | | Microsoft Graph API for accessing profile information, including email. | API Graph |
| User.Read | Delegated | Tracking recovery. | Full/Single |
| User.Read.All | Application | Creation of Teams events / Synchronization of participants. | Full/Single |
Once the permissions are added, grant admin consent, so that the connector can benefit from these permissions, by clicking the Grant admin consent for [domain] button:
Your app is now set up.
Check permissions in the tenant
Syfadis needs users to be authorized to access the Teams app.
To do this, apply the following 2 settings:
Assignment required? – this parameter must be set to "No"
Visible to users?
App properties
Install and set up PowerShell
Once the virtual classes have been completed, and in order to use time tracking and synchronize the participants of the virtual classroom, you need to set up online meeting access for our connector.
To do this, in addition to the app permissions needed for the Microsoft Graph API, tenant admins must configure an app access policy.
Configure Teams app access policy
Install Teams PowerShell to connect to Azure from the command line.
Check that the Windows PowerShell version is 5.1 or higher.
Check that the installed .NET Framework version is greater than or equal to 4.7.2.
Install the latest version of PowerShellGet:
Install-Module -Name PowerShellGet -Force -AllowClobber
Install the "Teams PowerShell" module:
For more details, see Microsoft's official PowerShell documentation: Install Microsoft Teams PowerShell - Microsoft Teams | Microsoft Learn
Connect to Azure with the following command lines (once the previous module is installed):
Import-Module MicrosoftTeams
Connect-MicrosoftTeams
A page will open in the browser. Enter the username and password used to sign in to the Microsoft Entra ID portal.
Allow Syfadis application access on Entra ID
Once the connection with PowerShell is established, run the following command lines to allow access to our Entra ID app created earlier to use Teams connectors:
New-CsApplicationAccessPolicy -Identity <Policy Name> -AppIds "<Azure application ID>" -Description "<Policy Description>"
Give rights to specific users:
Grant-CsApplicationAccessPolicy -PolicyName <Policy Name> -Identity "<Azure Active Directory user ID>"
To grant this right to all users of the application tenant, use the following command:
Grant-CsApplicationAccessPolicy -PolicyName <PolicyName> -Global
For more details, here is the link to the official documentation: Configure an application access policy using the cloud communications API - Microsoft Graph | Microsoft Learn
This change may take some time to take effect (up to 30 minutes according to Microsoft).
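The policy steps above can be combined into one re-runnable script. This is an added example, not Syfadis or Microsoft code: the policy name, the description text and the Test-PolicyCoversApp helper are hypothetical, and it grants the policy only to named users, which keeps the app's meeting access narrower than the -Global option.

```powershell
# Added example. Run after Import-Module MicrosoftTeams and Connect-MicrosoftTeams.
$policyName = 'Syfadis-Teams-Connector'          # hypothetical policy name
$appId      = '<application (client) ID>'        # placeholder, from the app page
$organizers = @('<Entra ID user object ID>')     # placeholder: users who host virtual classrooms

function Test-PolicyCoversApp {
    # True when the policy exists and already lists the application ID.
    param($Policy, [string] $AppId)
    return [bool]($Policy -and ($Policy.AppIds -contains $AppId))
}

# Look the policy up by name; the identity may be returned with a "Tag:" prefix.
$policy = Get-CsApplicationAccessPolicy |
    Where-Object { $_.Identity -in @($policyName, "Tag:$policyName") }

if (-not $policy) {
    # First run: create the policy for the Syfadis application only.
    New-CsApplicationAccessPolicy -Identity $policyName -AppIds $appId `
        -Description 'Online meeting access for the Syfadis Teams connector'
}
elseif (-not (Test-PolicyCoversApp -Policy $policy -AppId $appId)) {
    # Policy exists but does not list the app yet: add it, keep other entries.
    Set-CsApplicationAccessPolicy -Identity $policyName -AppIds @{ Add = $appId }
}

# Grant per user rather than tenant-wide.
foreach ($userId in $organizers) {
    Grant-CsApplicationAccessPolicy -PolicyName $policyName -Identity $userId
}

# Review every application access policy and the app IDs each one authorises.
Get-CsApplicationAccessPolicy | Select-Object Identity, AppIds, Description
```

Any AppIds entry in the final listing that you do not recognise is an application with online meeting access on behalf of the users holding that policy and is worth investigating.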
Use the connector in "simple" mode
If you prefer to prevent the connector from writing to users' Outlook calendars, Syfadis Xperience can be configured in "Simple" mode.
In this mode, unlike the full configuration, Outlook invitations are managed through a notification configuration in Syfadis Xperience, specifically using the Virtual Classroom Invitation notification type.
The configuration remains largely the same, except that the following permissions are not required:
Calendars.Read
Calendars.ReadWrite
This approach simplifies onboarding while maintaining the functionality of sending invitations.
If you opt for this mode of operation, you should inform your Syfadis team coordinator to ensure that the configuration can be applied on your Xperience platform.
Regardless of the mode used (with or without Outlook calendar access), it is necessary that the email addresses defined in Entra ID match the users' email addresses in Xperience.
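To check that the app registration carries exactly the permissions listed in the table above, and no Calendars permissions when "Simple" mode is used, the configured permissions can be compared with the expected list. This is an added example, not part of the Syfadis documentation: it assumes the Microsoft Graph PowerShell SDK, uses the permission names as spelled in the Microsoft Graph permissions reference, and the Compare-GraphPermission helper is hypothetical.

```powershell
# Added example: audit the Graph permissions configured on the app registration.
$Mode       = 'Full'                                   # or 'Simple'
$graphAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph's well-known appId

# 'Scope' = delegated, 'Role' = application. The table row whose permission
# name is missing on this page is left out; add it once confirmed in the portal.
# profile is listed as delegated because it only exists as a delegated scope.
$expected = @(
    'Scope:Calendars.Read', 'Role:Calendars.ReadWrite',
    'Scope:offline_access', 'Scope:openid', 'Scope:profile',
    'Scope:OnlineMeetingArtifact.Read.All', 'Role:OnlineMeetingArtifact.Read.All',
    'Scope:OnlineMeetings.ReadWrite', 'Role:OnlineMeetings.ReadWrite.All',
    'Scope:User.Read', 'Role:User.Read.All'
)
if ($Mode -eq 'Simple') {
    $expected = $expected | Where-Object { $_ -notlike '*:Calendars.*' }
}

function Compare-GraphPermission {
    param([string[]] $Expected, [string[]] $Configured)
    [pscustomobject]@{
        Missing = @($Expected   | Where-Object { $_ -notin $Configured })
        Extra   = @($Configured | Where-Object { $_ -notin $Expected })
    }
}

Connect-MgGraph -Scopes 'Application.Read.All'
$app   = Get-MgApplication -Filter "appId eq '<application (client) ID>'"
$graph = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# The registration stores permission GUIDs; resolve them to names.
$names = @{}
foreach ($s in $graph.Oauth2PermissionScopes) { $names["Scope:$($s.Id)"] = "Scope:$($s.Value)" }
foreach ($r in $graph.AppRoles)               { $names["Role:$($r.Id)"]  = "Role:$($r.Value)" }

$configured = foreach ($rra in ($app.RequiredResourceAccess | Where-Object ResourceAppId -eq $graphAppId)) {
    foreach ($ra in $rra.ResourceAccess) { $names["$($ra.Type):$($ra.Id)"] }
}

Compare-GraphPermission -Expected $expected -Configured @($configured) | Format-List
```

This compares the permissions requested on the registration, not the admin consent itself; entries under Extra are permissions the connector does not need according to this page and are candidates for removal.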