2. Deployment - OfficeDev/AAandCQManagementApp Wiki

Pre-requisites

Deployment machine

Environment

  • Azure Subscription and account with contributor role (to deploy resources)
  • M365 Subscription (to create the SharePoint site)

Permissions

  • Azure AD admin role to create the Service Account, assign roles and register a new application
  • Azure account with contributor role (to deploy resources)
  • Permissions to create a new SharePoint site

Note: in this deployment, we assume that the same user has the appropriate permissions to deploy the resources on Azure, Power Platform and Azure AD. This is however not mandatory, and the deployment can be split across these different roles and responsibilities within the organization.

Licenses/Subscriptions

  • Azure Subscription
  • M365 Subscription (to create the SharePoint site)
  • Azure AD Premium P1 license to enable Azure AD Conditional Access. Although this is optional, it is strongly recommended to protect the service account
  • Power App license to deploy the application and Power Automate flows
  • Power App Premium license for the Power Automate flows

Step 1: Install the prerequisites

Install PowerShell 7.x

Use the steps below to install PowerShell 7.x on the machine used for the deployment of the app:

  1. Go to https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.2#msi
  2. Select the correct platform (x64 or x86)
  3. Once the file has been downloaded install the MSI

Install Azure Az PowerShell module

Use the steps below to install the Azure Az PowerShell module:

  1. In your start menu search for PowerShell 7, once found click on it to open PowerShell 7
  2. Run the following cmdlet to install the latest version of the Azure Az PowerShell module:
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

This will install the Azure Az PowerShell module only for the user which is currently logged in.

Install Microsoft Graph PowerShell module

Use the steps below to install the Microsoft Graph PowerShell module:

  1. If you closed the previous PowerShell window, search in the start menu for PowerShell 7, once found click on it to open PowerShell 7
  2. Run the following cmdlet to install the latest version of the Microsoft Graph PowerShell module:
Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force

This will install the Microsoft Graph PowerShell module only for the user which is currently logged in.

Install Microsoft PnP PowerShell module

Use the steps below to install the Microsoft PnP PowerShell module:

  1. If you closed the previous PowerShell window, search in the start menu for PowerShell 7, once found click on it to open PowerShell 7
  2. Run the following cmdlet to install the latest version of the PnP PowerShell module:
Install-Module -Name "PnP.PowerShell" -Scope CurrentUser -Repository PSGallery -Force

This will install the PnP PowerShell module only for the user which is currently logged in.

Step 2: Create a Service Account in Azure AD

Account required:

  • service account or account with the required roles described in the role required section

Role required:

  • Azure AD admin

  1. Go to the Azure AD portal to manage users
  2. Add a new user (e.g. "Service Account Teams admin") and save the password

Note: you'll need to reset this password the first time you use this account - Please connect to https://portal.azure.com with the user credentials and provide a new complex password - Store this password in a secured location

  3. Under assigned roles assign the following roles:
  • Directory readers - to read the user profiles
  • Teams communications administration
  • Skype for Business Administrator
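As an added example (not part of the project's deployment scripts), the same service account and role assignments can be created from the PowerShell 7 session installed in Step 1 with the Microsoft Graph module. The UPN and display name are placeholders, and the role display names are assumed to match the three roles listed above as Azure AD shows them.

```powershell
# Added example: creates the Step 2 service account and assigns its roles via Microsoft Graph.
# Placeholders: replace $Upn and $DisplayName with your own values.
$Upn         = 'svc-teamsadmin@contoso.onmicrosoft.com'
$DisplayName = 'Service Account Teams admin'
# Assumption: these are the Azure AD display names of the roles listed in Step 2.
$RoleNames   = 'Directory Readers', 'Teams Communications Administrator', 'Skype for Business Administrator'

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

# Ask for the initial password instead of echoing one to the console; the account must
# change it at first sign-in, matching the note above.
$secure  = Read-Host -Prompt 'Initial password for the service account' -AsSecureString
$initial = ConvertFrom-SecureString -SecureString $secure -AsPlainText

$user = New-MgUser -AccountEnabled -DisplayName $DisplayName -MailNickname ($Upn.Split('@')[0]) `
    -UserPrincipalName $Upn `
    -PasswordProfile @{ Password = $initial; ForceChangePasswordNextSignIn = $true }

$templates = Get-MgDirectoryRoleTemplate
foreach ($name in $RoleNames) {
    $template = $templates | Where-Object DisplayName -eq $name
    if (-not $template) { throw "Role template '$name' not found in this tenant" }
    # A built-in role only exists as a directoryRole object once it has been activated
    # in the tenant, so activate it from its template if the lookup returns nothing.
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$($template.Id)'"
    if (-not $role) { $role = New-MgDirectoryRole -RoleTemplateId $template.Id }
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
    "Assigned '$name' to $Upn"
}
"Created $Upn (object id $($user.Id)); sign in once at https://portal.azure.com to set the final password."
```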

Step 3: Deploy the Azure resources

Account required:

  • service account or account with the required roles described in the roles required section

Roles required:

  • Azure contributor
  • Azure AD app registration authorized for members of the tenant (or specific Azure AD role assigned for app registration)

During the creation of the resources the following permissions will be automatically configured:

  • Service account: get/list secrets
  • Account which is used to execute this script: get/list secrets
  • Azure Function App will receive the following Graph Permissions
    • Sites.Selected
    • Group.Read.All

To execute this deployment step, you need to download the content of this repository on your local environment and run the PowerShell script under .\Deployment\deploy.ps1

  1. Download the content of this repository
  2. Execute the script deploy.ps1 as follows (the -subscriptionID parameter is optional):
.\deploy.ps1 -displayName <Name of Azure AD registered app> -rgName <Name of the resource group> -resourcePrefix <prefix for Azure resources> -location <Azure region> -serviceAccountUPN <UPN of the service account created in step 1> -serviceAccountSecret <Password of the service account created in step 1> -subscriptionID <Azure subscription id>

Example

.\deploy.ps1 -displayName "AA and CQ management" -rgName "aacqmgmtrg" -resourcePrefix "AACQmgmt" -location westeurope -serviceAccountUPN [email protected] -serviceAccountSecret Password01

The deployment can take several minutes, including the warm-up time of the Azure Functions - At the end of the deployment, check the outputs that will be required to configure the deployment of the Power App and Azure AD Conditional Access

A successful deployment should look like this (by default, the script runs 3 times):

Deployment script completed.

Here is the information you ll need to deploy and configure the Power Application
FunctionApp       : 'https://AACQmgmt-nnjqs.azurewebsites.net'
FunctionKey      : 'pujmFZfGxwqGXXXdddxLs2xXXXg2cMLhAUUE2Q=='
Tenant        : 'contoso.onmicrosoft.com'
ApplcationId      : 'bad28fb5-XXXX-XXXX-XXXX-665886c2cbad'
KeyVaultName : 'az-vault-6cdgs'
AzFunctionIPs : '104.45.68.78,104.45.69.84,104.45.69.210,104.45.69.232,104.45.66.240,104.45.70.42,20.50.2.80'

Step 4: Create SPO lists

This step assumes that you already created the SharePoint Online site which will be used to store both the audio prompts and the SharePoint Online lists.

Run the following cmdlets to connect to SharePoint Online and import the lists from the XML file.

Connect-PnPOnline -Url https://m365x18873442.sharepoint.com/sites/Teamsvoicemanagement -Interactive
Invoke-PnPSiteTemplate -Path c:\temp\Lists.xml

Once executed go to the SharePoint Online site and validate the SharePoint Lists are created.

SharePoint Online Lists created by script

Step 5: Deploy the Power App and flows

Deploying the Power App and flows is performed by importing a solution into the Power Apps environment. It is recommended to import the solution into a separate Power Apps environment if possible.

To import the solution perform the following steps:

  1. Go to https://make.powerapps.com
  2. In the left menu select Solutions
  3. From the top menu select Import
  4. In the new pane validate the correct environment is selected and press browse
  5. Select the ZIP file named AutoAttendantandCallQueueManagement_1_X_X_X.zip from the Packages/PowerApps folder
  6. Press the Next button to continue
  7. Review the details of the package and press Next
  8. Update the CON - SPO Auto attendant And CallQueue connection by selecting the dropdown menu next to the connection and select the New Connection option, a new tab will be opened (don't close the previous tab)
  9. On the new tab select Connect directly (cloud-services) and press Create
  10. An authentication prompt will be shown, make sure you select the service account created earlier, if not listed select Use another account and specify the credentials from the service account
  11. Close the tab and go back to the original tab and press the Refresh button
  12. Select the connection created from the drop down list
  13. Update the CON- O365 User AutoAttendant and connection by selecting the dropdown menu next to the connection and select the New Connection option, a new tab will be opened (don't close the previous tab)
  14. On the new tab press the Create button
  15. An authentication prompt will be shown, make sure you select the service account created earlier, if not listed select Use another account and specify the credentials from the service account
  16. Close the tab and go back to the original tab and press the Refresh button
  17. Select the connection created from the drop down list
  18. Update the CON- Vault connection by selecting the dropdown menu next to the connection and select the New Connection option, a new tab will be opened (don't close the previous tab)
  19. On the new tab press the Create button
  20. An authentication prompt will be shown, make sure you select the service account created earlier, if not listed select Use another account and specify the credentials from the service account
  21. Close the tab and go back to the original tab and press the Refresh button
  22. Select the connection created from the drop down list
  23. Once all 3 connections have been updated press the Next button
  24. Populate the fields with the values provided as output from the Azure deployment script:
  • VAR - FunctionKey: value of the host function key
  • VAR - Tenant: tenant name, for example contoso
  • VAR - application id: Application (Client) ID of the App registration in Azure AD
  • VAR - FunctionApp: name of the function app
  • VAR - TeamsvoicemanagementSPSite: SharePoint Site name
  25. Once all values are provided continue with importing the solution, this might take several minutes, while importing the following message will be shown at the top of the page:

Solution import in progress

  26. Once imported you will see the Auto Attendant and Call Queue Management entry in the list of solutions:

Solution imported

Step 6: Configure Azure AD Conditional Access Policies

You can enable Azure AD Conditional Access on the Service Account used by your Azure Function app and restrict the trusted IPs to the ones used by the Azure Function. Azure AD Conditional Access requires a Premium P1 license to be assigned - More info here on license requirements.

  • Go to the Azure AD portal for Conditional Access management
  • Select "Named location" and create a new IP range location
  • Provide a name (e.g. "Azure Function app Teams admin") and mark the location as trusted location
  • Enter all the IP addresses provided in the output of the deployment in step #2 (AzFunctionIPs) - Append a "/32" to each IP address
  • Click on Create
  • Go to Policies and then click on "Create new policy"
  • Provide a name to your policy
  • For the Assignments:
    • Users or workload identities > Include "Select users and groups" > check "User and groups" > search for your Service Account > Select
    • Cloud apps or actions > Include "All cloud apps"
    • Conditions > Locations > Exclude "Selected locations" > "Azure Function app Teams admin" (created earlier)
  • For the Access Controls:
    • Grant > Block access
  • Enable policy
  • Save to confirm and apply the changes

AzureAD Conditional Access Policy setup

Note: please go back to your Power App and check that the application still responds - You can also try to use the Service Account credentials from your local desktop and verify that you can't log in anymore.
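As an added example (not part of the project's deployment scripts), the named location and blocking policy described in this step can also be created with the Microsoft Graph PowerShell module from Step 1. It assumes $ServiceAccountUpn is the account from Step 2 and that $AzFunctionIPs holds the AzFunctionIPs string printed by deploy.ps1 (the value below is a constructed sample).

```powershell
# Added example: builds the Step 6 named location and Conditional Access policy via Graph.
# Placeholders: replace the UPN and paste the real AzFunctionIPs output of deploy.ps1.
$ServiceAccountUpn = 'svc-teamsadmin@contoso.onmicrosoft.com'
$AzFunctionIPs     = '104.45.68.78,104.45.69.84'      # constructed sample
$LocationName      = 'Azure Function app Teams admin'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# Every address in the deployment output becomes a /32 range, as the manual steps require;
# anything that is not a plain IPv4 address aborts rather than producing a wider range.
$ipRanges = foreach ($ip in ($AzFunctionIPs -split ',').Trim()) {
    if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "Unexpected entry '$ip' in AzFunctionIPs" }
    @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = "$ip/32" }
}

$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = $LocationName
    isTrusted     = $true
    ipRanges      = @($ipRanges)
}

$svc = Get-MgUser -UserId $ServiceAccountUpn

# Block the service account for all cloud apps from any location except the function app's
# outbound addresses. Use 'enabledForReportingButNotEnforced' first to review sign-in logs
# before switching the state to 'enabled'.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block Teams admin service account outside Azure Function IPs'
    state         = 'enabled'
    conditions    = @{
        users        = @{ includeUsers = @($svc.Id) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

"Named location $($location.Id) and policy $($policy.Id) created; re-test the Power App now."
```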

Step 7: Sharing the application

You now have the application deployed in Teams and you need to provide access to "delegated admins" in your organization. To achieve that, we'll use the Office 365 group of the team where the Power App has been deployed.

  1. All "delegated admins" need to be invited to the team to access the Power App
  2. The first time your users access the Power App in Teams, they will need to consent to use the 2 connectors (SharePoint and Office365)