Deployment guide

Prerequisites

Before you proceed, please ensure you have read the Solution overview to understand the app.

Once you are happy, you will need to have the following to proceed before deployment:

• An Azure Resource group created within an Azure Subscription in the tenant you wish to deploy the app in to
• An Azure AD User account in the tenant the app will be deployed in to, with the following:
  • Global administrator Azure AD role
  • Contributor or Owner Azure role of the Resource group (mentioned above)
• An Azure AD App registration with some delegated permissions granted
• The latest release of the app found here

All the above needs to be in the same Azure tenant and same Azure AD User account, you cannot deploy across tenants or with a mix of users

Azure Resource Group

To deploy this app in to Azure, you will need to have a (preferably empty) Resource group to contain it. This can be done via Azure CLI or the Azure Portal.

Azure CLI

1. Login to Azure CLI on your machine or at https://shell.azure.com
2. Run the following to create the resource group. Specify the Name and Location (region) you wish to use

   az group create --name "<Name>" --location "<Location>"
   

   

Azure Portal

1. Login in to the Azure Portal

2. Go to Resource groups and select Create. Choose the Subscription the app should be billed against, a Name of the Resource group and Region

3. Review then Create the Resource group

4. View the Resource group you created and note down the Subscription ID and Name

   

5. All done

Azure AD App Registration

This grants users access to the app via their existing Teams sign-on. A full explanation of the concept can be found here. This can be done via Azure CLI or the Azure Portal.

Whilst this process could be automated, I have left this manual for a few reasons. 1. The user deploying the app may have permission to do that, but not create the App registration. 2. The app is granted permission to organisational resources (user profile) - I feel a user should be creating the apps and consenting to this rather than part of an automated process

Azure CLI

1. Login to Azure CLI on your machine or at https://shell.azure.com

2. Ensure the shell you are using is set to PowerShell and not Bash

3. Run the following script:

   # Create resource access manifest
   '[
       {
           "resourceAppId": "00000003-0000-0000-c000-000000000000",
           "resourceAccess": [
               {
                   "id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
                   "type": "Scope"
               },
               {
                   "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                   "type": "Scope"
               },
               {
                   "id": "37f7f235-527c-4136-accd-4a02d197296e",
                   "type": "Scope"
               },
               {
                   "id": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0",
                   "type": "Scope"
               },
               {
                   "id": "14dad69e-099b-42c9-810b-d002981feec1",
                   "type": "Scope"
               }
           ]
       }
   ]' | Out-File -Path resourceAccessManifest.json
   # Create app
   $app = (az ad app create --display-name team-request-app-client --required-resource-accesses resourceAccessManifest.json) | ConvertFrom-Json
   # Create OAuth2 manifest
   '[
       {
           "adminConsentDescription": "Teams can call the apps web APIs as the current user",
           "adminConsentDisplayName": "Teams can access the users profile",
           "id": "4724bead-613f-4457-a8c7-dcf29daa6e9c",
           "isEnabled": true,
           "lang": null,
           "origin": "Application",
           "type": "Admin",
           "userConsentDescription": "Teams can call this apps APIs with the same rights as you have",
           "userConsentDisplayName": "Teams can access your profile and make requests on your behalf",
           "value": "access_as_user"
       }
   ]' | Out-File -Path oauth2PermissionsManifest.json
   # Disable existing OAuth 2 permissions
   $disabledOAuth = $app.oauth2Permissions
   $disabledOAuth[0].isEnabled = 'False'
   ConvertTo-Json -InputObject @($disabledOAuth) | Out-File -Path oauth2PermissionsDisabledManifest.json
   az ad app update --id $app.objectId --set oauth2Permissions=@oauth2PermissionsDisabledManifest.json
   # Update app with new OAuth 2 permissions and 
   az ad app update --id $app.objectId --set oauth2Permissions=@oauth2PermissionsManifest.json
   # Create pre authorised applications (Teams)
   az rest --method PATCH --uri "https://graph.microsoft.com/v1.0/applications/$($app.objectId)" --headers "Content-Type=application/json" --body "{api:{preAuthorizedApplications:[{appId:'1fec8e78-bce4-4aaf-ab1b-5451cc387264',delegatedPermissionIds:['4724bead-613f-4457-a8c7-dcf29daa6e9c']},{appId:'5e3ce6c0-2b1f-4285-8d4b-75ee78787346',delegatedPermissionIds:['4724bead-613f-4457-a8c7-dcf29daa6e9c']}]}}"
   
   # Return required details
   $account = (az account show) | ConvertFrom-Json
   
   "Appplication (client) ID: $($app.appId), Directory (tenant) ID: $($account.tenantId)"
   
   

4. At the end of the output there should be a an application and directory ID, copy these

Azure Portal

1. Login in to the Azure Portal of the tenant where your users will reside

2. Under Azure Active Directory > App registrations, select New registration

3. Give the application a name e.g. request-team-app-client and set Who can use this application or access this API? to Single tenant and select Register

   

4. Take a note of the Application (client) ID and Directory (tenant) ID once created

   

5. Under API permissions add the following Microsoft Graph permissions

   Permission	Type
   email	Delegated
   offline_access	Delegated
   openid	Delegated
   profile	Delegated
   User.Read	Delegated

   

6. Next, head to Expose an API and select Add a scope. Accept the pre-defined Application ID URI and then complete scope as:

   • Scope name: access_as_user
   • Who can consent?: Teams can access the user’s profile.
   • Admin consent display name: Admins
   • Admin consent description: Teams can call the app’s web APIs as the current user.
   • User consent display name: Teams can access your profile and make requests on your behalf.
   • User consent description: Teams can call this app’s APIs with the same rights as you have.

   Select Add scope once completed

   

   

   Once the app is deployed in Azure, you will need to come back here to re-configure the Application URI

7. Finally, select Add a client application. Add both of the following Client IDs and check the authorised scope access_as_user you created in the previous step:

   • 5e3ce6c0-2b1f-4285-8d4b-75ee78787346
   • 1fec8e78-bce4-4aaf-ab1b-5451cc387264

   

8. That's it for now

Deployment Script

Deployment is done by using a PowerShell script to deploy and configure the app in Azure. After completing the prerequisites, you should have the following:

• Name of the Resource group
• Subscription ID that the Resource group is part of
• Application (client) ID and Directory (tenant) ID of the Azure AD App registration

1. Ensure you have downloaded the latest release of team-request-app-v*.zip from here

2. Extract the team-request-app-v*.zip to a folder

3. Under the deployment folder, edit deploymentTemplate.parameters.json with the following

   Parameter Name	Value
   appClientId	Application (client) ID of the Azure AD App registration
   appTenantId	Directory (tenant) ID of the Azure AD App registration
   azureResourcePrefix	Naming prefix for each component in Azure. E.g. If configured as team-request-app, Cosmos DB would be called team-request-app-cosmos. It is important to use something unique to your environment as some components require a globally unique name

   

   Once updated, save the file.

4. Open up a PowerShell prompt and navigate to the deployment directory in the extracted directory. Run the following command replacing the SubscriptionId and ResourceGroup values with your own. This script can take 15-20 minutes to run as the Cosmos parts take time to complete (be patient)

   ./deploy.ps1 -SubscriptionId <Subscription ID> -ResourceGroup <Resource Group Name>

   

   This requires the latest version of Az PowerShell module to be installed first. I have only tested this in PowerShell 7 (Core). It may or may not work in Windows PowerShell

   If the deployment has succeeded, you should see a DEPLOYMENT SUCCESSFUL message.

   

After Deployment Script

This is to be done after the script has completed successfully.

Install Teams App

The deployment script should have generated a teamsApp.zip file under the deployment folder. This needs to be uploaded in to Teams. This can be done multiple ways:

• Upload the app in the Teams Admin Centre

  

  It should then appear under apps

  

• Sideload the app from within Teams

  

  

Wrap Up

You should now have completed the full deployment. If you have installed the Teams app, when choosing the app, it should sign you in and you should have a request form

(You may need to reload the app a couple of times on first run for it to appear correctly)