1. Create Azure Application
- Login as Administrator in Azure portal.
- Go /Azure Active Directory/App registration/New registraton
- Press register.
- Copy clientID in User.Authentication.OAuth2.ClientsID mandant parameter(Clients parameters table)
- Add tenant Id to the end of https://login.microsoftonline.com/ and set User.Authentication.Oauth2.Authority mandant parameter
It should be somethin like:
2. Create secret key
- Go Certificates & secrets/New client secrets
Please note that the secret value is accessible only after creation.
copy secret value in User.Authentication.OAuth2.Secret mandant parameter
3. Prevention of the consent dialog by first login
To prevent the following dialog by first login
First Login
the following API permissions must be set
See: https://learn.microsoft.com/en-us/azure/active-directory/develop/application-consent-experience
"The Administrator grants consent through the API permissions page of the application registration in the Azure portal."
4. Expose an API
On the left panel, go to Expose an API.
the Application ID URI should be https://$acd_domain where $acd_domain is the portal domain.
Add a scope: access_as_user.
- Who can consent? Admins and users
- Admin consent display name: Access as a User.
- Admin consent description: Access as a User.
- User consent display name: Access as a User.
- Admin consent description: Access as a User.
- Make sure it is enabled.
In the "Authorized client applications" part. Add the IDs of Teams app (Web and Desktop) by clicking on the plus button "Add a client application"
Here are the IDs:
1fec8e78-bce4-4aaf-ab1b-5451cc387264
5e3ce6c0-2b1f-4285-8d4b-75ee78787346
Go back to API Permission
Add a new permission for the new scope.
- Click "Add a permission".
- Select "My APIs".
- Choose the API application.
- Select "Delegated permissions."
- Check the access_as_user permission.
- Click "Add permissions."
- (Optional) Click "Grant admin consent" if necessary.
5. Login with Microsoft Entra ID configuration
The following client properties must be configured:
Parameter Value User.Authentication.Azure.ClientsID Client ID of the application User.Authentication.Azure.Authority Login URL with tenant ID User.Authentication.Azure.Secret Application secret User.Authentication.Azure.Force Only Azure login is posssible for the client. - Optionaly can be set resorce portal.Login.Azure.Force to enforce using Entra ID only