ionise
commented
3 years ago I have been able to get this to work with the MicrosoftTeams powershell module version 2.3.2 I have modified the permissions on our PartnerApp manually - I have not yet written code to change this programmatically, but starting baseline is the app created with Create-SecureAppModel.ps1 in this repo. To this app, I add permissions for the "Skype and Teams Tenant Admin API" At the time of writing, this is documented against the Parameters section in the instructions for the MicrosoftTeams Powershell module here: https://docs.microsoft.com/en-us/powershell/module/teams/connect-microsoftteams?view=teams-ps#parameters Quoting from this (do not follow them in this case if you are authorizing an existing partner app) This currently reads: Following steps must be performed by Tenant Admin in the Azure portal when using your own application.
Steps to configure the AAD application.
Go to Azure portal and go to App Registrations.
1. Create or select the existing application.
2. Add the following permission to this Application.
3. Click API permissions.
4. Click Add a permission.
5. Click on the Microsoft MS Graph, and then select Delegated Permission.
6. Add the following permissions: "AppCatalog.ReadWrite.All", "Group.ReadWrite.All", "User.Read.All";
7. Next, we need to add "Skype and Teams Tenant Admin API" resource permission. Click Add a permission.
8. Navigate to "APIs my organization uses"
9. Search for "Skype and Teams Tenant Admin API".
10. Add all the listed permissions.
11. Grant admin consent to both MS Graph and "Skype and Teams Tenant Admin API" name.Based on these instruction I did the following to my existing partnerapp in the Azure AD Portal whilst logged in as a Global Admin.
-
- App Registrations -> (find my partner app)
-
- Go to API Permissions
-
- Hit Add Permissions at the top
-
- Select API's my organization uses and search for 48ac35b8-9aa8-4d74-927d-1f4a14a0b239 which will resolve to "Skype and Teams Tenant Admin API"
-
- Under Delegated permissions select user_impersionation
-
- Under Application permissions select application_access and application_access_custom_sba_appliance
Then you need to Grant admin consent again on behalf of your organisation.
When you are done, the permssions will look like this:
Now you are in good shape to connect to a customer using the Microsoft Teams powershell module using a token which you obtain like this:
$ApplicationID = {your partner applicationid}
$Credential = {your partner applicationid and client secret}
$RefreshToken = {Your long refresh token}
$Customer.TenantId = {GUID for the tenant you want to connect to}
$GraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $Customer.TenantId
#This is the part where you get the access token for Microsoft Teams
$TeamsAccessToken = New-PartnerAccessToken -ApplicationId '48ac35b8-9aa8-4d74-927d-1f4a14a0b239' -Credential $credential -RefreshToken $RefreshToken -Scopes '48ac35b8-9aa8-4d74-927d-1f4a14a0b239/user_impersonation offline_access openid profile' -Tenant $Customer.TenantIdNow you can use the Connect-MicrosoftTeams cmdlet
Import-Module -Name MicrosoftTeams -MinimumVersion 2.3.2
$AccountID = 'account@partnerorgdomain.suffix'
$Customer.DefaultDomainName = {can be their onmicrosoft.com domain or probably needs to be one that has been activated for Direct Routing}
Connect-MicrosoftTeams -AccessTokens @($graphtoken.AccessToken, $TeamsAccessToken.AccessToken) -AccountId $AccountID -TenantId $Customer.DefaultDomainName
#To force a remote powershell connection to the target Microsoft Phone System I then run this (This takes a few seconds to spin up):
Get-CsOnlinePSTNGateway
#After this you can use any of the *-Cs* commands and they will be faster.
Get-CsOnlineUser
The Scopes string to obtain the TeamsAccessToken was obtained from this discussion here after searching for the "Skype and Teams Tenant Admin API" GUID '48ac35b8-9aa8-4d74-927d-1f4a14a0b239' https://docs.microsoft.com/en-us/answers/questions/325598/connect-microsoft-teams-with-aadaccesstoken-parame.html
I would like the change in permissions to the partner app and the generaly principle of connecting to another tenant by this method to be peer reviewed to confirm its secure.
Let me know what you think.
This is not an "issue" or a feature request, but I wanted to record this some place for a future enhancement. The newer 2.x.x MicrosoftTeams module will support Applications logging in with tokens, however there is a component of the module that replaces the old SkypeOnlineConnector Module that initiated a remote powershell session using New-CsOnlineSession. In the MicrosoftTeams 2.x.x module, this seems to begin an implied remote session 'just in time' when you run a cmdlet that needs it such as Get-CsOnlinePSTNGateway. However, this fails although you have successfully run Connect-MicrosoftTeams using an application id and token. As far as I can work out, the legacy SkypeOnlineConnector and the new MicrosoftTeams 2.x.x module do not support logging into the Microsoft Phone System as an application ID which is the reason this fails. : Reference
The post in the forum above suggests that one day there will be MicrosoftTeams 3.x.x (We have not ETA we can share with you at this time - perhaps the day before the ultimate fate of the universe) At that time this little snippet may finally become useful to authorize an application to connect a new-pssession to Microsoft Phone system a bit like we can do now for Microsoft Exchange - in fact you can already authorize it, but it still won't allow you to connect a new-pssession to the endpoint and you will get an error.
You would then run this to try and redeem the token but it will fail. $token = New-PartnerAccessToken -ApplicationId '12128f48-ec9e-42f0-b203-ea49fb6af367' -Credential $credential -RefreshToken $TeamsToken -Scopes 'https://adminau1.online.lync.com/OcsPowershellOAuth' -Tenant $CustomerTenantID
You will then see an error.
The endpoint "adminau1" in the snippet is region specific, this one is Australia, but I expect there is a load balancer that would redirect to the appropriate endpoint. In the legacy SkypeOnlineConnector you could run this to return the endpoint for your PSSession (but still log in interactively) these functions are gone or at least private in MicrosoftTeams v2.x.x
$AccessInformation = Get-CsOnlinePowerShellAccessInformation -PowerShellEndpointUri (Get-CsOnlinePowerShellEndpoint -TargetDomain $OverrideAdminDomain).AbsoluteURII'm not sure how to resolve that now, but chances are that once you have it for your region it will likely be the same for all of your customers, or be something predictable like AU,US,EU. etc... A bit of WireShark revealed some DNS lookups to these hosts when running Connect-MicrosoftTeams which may hold some clues.api.interfaces.records.teams.microsoft.com <- this will be the graph endpoint
webdir.online.lync.com <- this is the cname target that you add to your DNS zone
webdirau1.online.lync.com <- this is the region specific target
So in conclusion, your method to connect to Microsoft Teams works as long as you only want to deal with "Teams" and channels etc.. For phone system there needs to be a further PsSession similar to connection to Exchange Online. Currently the PsSession to the Microsoft Phone system does not support Application logins So, I am just parking this research here until the universe reaches the maximum state of entropy, or MicrosoftTeams v3 is released at which point things can resume.