Category Archives: Microsoft Teams

Microsoft Teams – Utilize the AzureADMSGroupLifecyclePolicy command to manage the teams group life cycle

With the Azure active directory powershell commandlets, we could control the lifecycle of office365 groups.Ideally when any office365 group is created for an action of creating a team in the backend it creates the azure ad group.With the Azure commandlets we have options to control the lifecycle of the office365 groups automatically.

Let’s say we ‘ve created Team for a partner project which completes in 1 year time period, we have got an option to expire this team in 1 year time during the team creation.This keeps the access reviews of the Microsoft Teams intact and ensures that only required persons have access to the company corporate data.

The default setting is unlimited days as it should be for most of the scenarios.

Firstly we need to connect to azuread module from the powershell. Since we do not have any group life cycle policy the value remains empty.

Below example creates a a new groupLifecyclePolicy. This policy can be applied to targeted set of office 365 groups.

New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays 99 -ManagedGroupTypes "groupid" -AlternateNotificationEmails "sathish@ezcloudinfo.com"

The managed group type parameter provides us the option to choose how we can manage the groups in our environment. Keeping the value “None” will create the policy but will not be applied to any groups. Specifying them “All” will apply this policy to all Office 365 groups. “Selected” will provide us the option to choose specific Office 365 groups.

To test this we can try to apply this policy to single group Teams-Partners. This group was created as an action of creating a team in Microsoft Teams.

In order to apply to a group we have to run the below command by specifying the group ID.

Get-AzureADMSGroupLifecyclePolicy -Id "admsgroupid" | Add-AzureADMSLifecyclePolicyGroup -GroupId "ID"

If we need to apply this to a group of ID’s which were reviewed and require to set expiry we can apply them from a input csv.

$policy = "mentionthepolicyID"
#keep the groupid as the input value in the csv
$365group = import-csv ".\365group.csv" 
Foreach ($group in $groups) {
Add-AzureADMSLifecyclePolicyGroup -Id $policy -groupId $group.objectId}

We can run this on a periodic interval after performing access review on the Office 365 groups.There is also an option to notify the group owner on a particular period of time to review if they still require this group to be in the system. Keeping this option will remind the owner of the group who created the team to decide if they require to provide access to the users and external parties if the guest users are added to them.

We can then verify if it is applied for a group by using the commandlet Get-AzureADMSLifeCyclePolicyGroup by specifying the group id. This will return the output of to which AzureADMSgroup it have been assigned. We do have an option to extend the grouplifetime to our desired interval.

There are few organizations where the Office 365 group and teams group creation is provided as self service to users to increase the Office 365 adoption rate.In those cases the admin can review the groups created once in a month and apply the expiration policy for them.

This option will be better for the admins to create the expiry of the groups as per the company security policy.If we are doing a periodic review we can also use a input CSV for the selected groups and can apply the policy to these selected groups.

Microsoft Teams – Notify security administrator when a new team is created by the end users

Microsoft Teams is being used as a most preferred method of communication platform by many organizations. By default in office 365 the group creation is enabled for end users which will allow them to create public and private groups. Few organizations are having the group creation disabled on the organization level for larger scale companies and have users request for creating the teams using a request form which will run through a automation process in the background with help of azure automation accounts ,Microsoft flow or few other mechanisms.

But few organizations are really interested in allowing the users to create the Office 365 groups once their workloads are migrated to office 365. This is primarily to increase the adoption rate of Office 365 workloads Microsoft Teams and SharePoint online.

We have more options available in Office 365 cloud app security. By leveraging these options we can better secure the Office 365 suite of products which in turn controls the Data loss prevention, security compliance, information governance and threat management for the entire organization.

Through Cloud App Security –

Navigate to Cloud App Security – https://portal.cloudappsecurity.com

Select and create Activity Policy

Do not choose any policy templates – select policy severity – category as per classification – Have selected compliance in below example.

Choose the acton single activity – activity type – equals – Team Created.

There is another alternative to create the policy as below by choosing the teams app. Going with this approach provide us more options like to get notified when teamsettingchanged,cut/copy item. adding a channel, changing a channel settings and when a team is deleted. There are lot of other actions which can be added based on our requirement.

Choose the severity and specify the email notification alert with no action.

The security administrators responsible for viewing this new group creation alerts can be added over here.

Further governance actions can be specified. We have an option to notify user and cc additional user with custom message.

The custom message can be added over here. There is an option to add a hyperlink as well.

When a new team is created by the end user the specified email address is notified.

We get more information on the cloud app security alerts.

We can use cloud app security for other activities in office 365 applications as well to notify the security administrators or the SOC team, so that they will be able to monitor the events which are categorized as non-compliance in Office 365 organization according to their security guidelines.

Thanks & Regards

Sathish Veerapandian

Review and Remove inactive guest users from Microsoft Teams through Identity Governance – Access reviews

When an office 365 group is created, we have options to collaborate with public partner accounts .As a result of this People outside organization can see and have access to office365 public groups contents when they are been invited as guests.

When we have allowed the end users to create the office 365 groups and invite the external partners to collaborate,over a period of time the groups left unattended without the access reviews. There is a high possibility of an user having access to the sensitive documents which they don’t need them anymore.

In order to alleviate these security issues , we can influence the Microsoft Azure Identity Governance – Access reviews

With the access reviews created for office365 groups , we can let the group owners review their office 365 public group guests present on them and take necessary action based on the requirement.

In order to create access review navigate to azure portal – Identity Governance – Access reviews – Click on access review – Select New access review.

Now we can create them with name ,description , start date and frequency of how often the access reviews needs to take place for the office365 groups.

We can set the number of times, end date and the scope to guest users only. And target the external groups which have the guest users added. Probably this part needs to be reviewed periodically and add the new groups in this list.

Furthermore we have the options to customize the reviewers who will be the reviewers of this access review task.

Upon completion we have the action to choose – Remove,Approve or take recommendations.

Finally we have few options which is present in the advanced settings. Once the customization is done as per the requirement we can start the review.

Once the schedule is triggered as per the configuration the reviewers get an email with the timeline.

Once clicked on review the user gets the guest user details and the options to take action based on the business requirement.

The reviewer gets an option to type the comment and take the necessarily action.

We have the review results section where we have an option to download the access review tasks and save them for ISO audit compliance which will help during the ISO Audit Evaluation cycles.

This is usual in most of the organizations when the guest accounts are provided access to the business sensitive content. Ultimately its the group owner’s responsibility to periodically review them and take necessary actions.

There is lot more to get benefited with Identity Governance access reviews. The above method will help us in evaluating and having right access only to the required individuals in Office 365 Groups.

Regards

Sathish Veerapandian

Microsoft Teams – Enable data loss prevention,ATP safe attachments,retention of files and conversations

Security is considered one of the success factor for any implementations.With Office 365 security and compliance there are lot of options to enforce the security across Office 365 suite of products.We can enforce DLP on Microsoft Teams based on our requirement. ATP can be turned on for all file upload activities in Microsoft Teams. The best part is that now we do have option to enable retention as lesser as 1 day in Microsoft teams channel messages and chats.

Microsoft Data Loss Prevention have been protecting sensitive information across all Office365 platforms. The easiest part is that we already have more custom built-in templates which will be easier for us to create,test,evaluate the results and finally create one for the production.

DLP Policy in Teams:

To create a dedicated DLP policy for Teams navigate to security and compliance center – Create a new policy.

In our example we are creating a new policy which will block the sharing of PAN card number via teams channels and chats.

In locations tab ensure that we are selecting teams chat and channel messages if the location is going to be only teams. If we need on all locations then we can keep them all enabled.

Under policy settings we do have lot of prebuilt templates which is super simple for us to just select and apply. In our case we are just selecting Block Indian PAN CARD number not to be shared via teams channels and chat messages.

Now we’ve created the teams data loss prevention policies and its time for us to test the created policy.

Have just logged into my test account and attempted to send a PAN Card to my account. The moment the PAN card is shared it is immediately blocked from the DLP policy.

And from the recipient end received the following message and the message is not delivered since it matches our DLP policy.

With the DLP policy we will be able to secure our sensitive information in Teams Channels and chat conversations.

Enable safe attachments on Teams Channels and chats :

Enabling ATP on Teams is pretty straight forward.

We need to navigate to protection security center – threat management – policy – select safe attachments.

All we need to do is to just select turn on ATP for SharePoint, One Drive and Microsoft Teams.

Once the policy is enabled and when somebody attempts to share an infected file the file is blocked but still present in the library, however no one will have the ability to open them from their side.

Files are scanned asynchronously, through a process that uses sharing and guest activity events along with smart heuristics and threat signals to identify malicious files.

To review the quarantined files we can go to threat management – review – select view quarantined files

Enable Retention in Microsoft Teams channels and chat conversations:

By default teams conversations and files are retained forever. With the new retention policy introduced in Microsoft teams channels and chats now admins have the option to customize the retention and delete the data forever if it is considered as liability according to the company retention policy.

In-order to create retention policies navigate to security center – select information governance – select retention – click create

Have created once dedicated policy for Teams Retention.

Now we choose the retention settings as per our requirement. The good part is that we do have the option now to retain the content lesser to even 1 day time.

Now we need to create a new retention policy for Microsoft Teams. If we try to edit the old retention policy there wouldn’t be an option to include Team Channel Messages and Chats , since these locations were on-boarded recently in the retention policy scopes.

Once selected based on the retention period all the Teams channel messages and chats are retained.

If end users delete their Teams messages, these messages are still preserved and available for search through eDiscovery for particular years based on the retention period set in the policy.

In order to recover a deleted file from channels – navigate to the channels – files tab – select open in sharepoint

Now after clicking on open in SharePoint – navigate to recycle bin and we could see the deleted file present.

We do have the same restore option like what we see in SharePoint sites.

With all the new security enhancement and retention channels enabled in Microsoft Teams it makes more convenient better communication platform for all users in the enterprise environment.

Microsoft Teams – Enforce Multifactor Authentication on guest accounts

Post the ignite sessions last month on Microsoft Teams, we have enhancements on security perspective that can be enabled which adds extra protection in any organization.

Inviting the external guest users to the teams channel have been a welcoming option for all of us which increases the communication between them and surges the productivity. However, there are few security guidelines that needs to be followed to ensure that our data is always secure even when they are shared outside the boundary. For instance, a guest account getting compromised where he is a member of a finance team will become a major security incident in any organization.

This article outlines the steps that can be carried over to enhance the security on Microsoft Teams guest accounts by enforcing the multi factor authentication.

Below are the steps to enforce the MFA on guest accounts:

First create a dynamic distribution group and target the guest account

Login to Azure AD Tenant with Admin privilege’s- Go to Groups – Create new group – make them security – membership type make them dynamic.

Now we need to add a dynamic query where the property is usertype  and the value is guest.

Once done populate the rule syntax and save them.

After some time now, we could see that the populated guest users in our Azure AD tenant will become the members of this group. Since it’s a dynamic query all the new upcoming accounts will be getting occupied automatically.

Create conditional access policy for guest accounts:

Now we need to create a conditional access policy for the Microsoft Teams guest accounts.

Navigate to enterprise applications – click on conditional access.

Now we need to target the dynamic group on this conditional access policy.

In cloud apps select Microsoft Teams , also better to select Sharepoint online which will enforce MFA for these Sharepoint guest users as well.

In conditions we are selecting only the locations. Further it can be manipulated based on the business prerequisite.

In the access control we are selecting only require MFA and the IT policy.

Now we have the MFA enforced on the guest accounts and we will see the action of this configuration from the invited user.

Experience of the guest users enforced with MFA:

In order to simulate this behavior , we are just adding one guest user a teams channel

Post after that the invited user receives  a welcome email and this is usual behavior for any invited Azure AD guest user accounts.

When clicking to login the user will be prompted to register and enroll in MFA.

User will be prompted to enter the mobile number in the invited tenant for MFA and needs to complete the initial authentication process.

If we have enabled the IT policy user will be prompted to read and accept the IT policy.

Finally the user is logged in with the guest account and able to participate on the invited team through a secured way of authentication.

With very nominal steps through the conditional access it creates a overall better security for Microsoft Teams.

Loads of exciting new features announced for Microsoft Teams on ignite 2019

With Microsoft ignite sessions that happened last week there are lots of new end users functionalities, meeting room enhancements and better enhanced administration facilities were announced for Microsoft Teams. Below are the summary of the features .

Watch out more from the Ignite Session videos.

End user functionalities –
1)Ability to create Private Channels – Secure Private channels can be created and shared only with few audiences.This eliminates the need of creating multiple teams for secure communication. We can further restrict the Private Channels creation and visibility from the admin center.
2)Multi window experience between the chats – Ability to chat with multiple people at the same time and switch windows which was much requested feature in the user voice.
3)New Tasks experience in Teams – Helps better tracking of the tasks and have great option to view the stats on charts, schedule, boards and filter.
4)Yammer app in Teams – Allows to jump in yammer communities.Beneficiary especially on larger organizations and useful for employees to join and collaborate in a bigger communities and keep upto date on the new content.
5)Outlook addin for Teams – With the new addin it makes easier for sending the content of the email with all the context body and attachments. Sharing from channels have also been seamless.
6)Background Blur to the next level- We can add customize background blur with our custom images and change the background experience either to show as sitting on a beach or in a hotel etc.,
7)Turn on live captions – It makes easier to follow up on the team meetings. This is a live voice to text translation and helps especially in broadcast meetings as well.

Lot of innovations on Meeting experience –

1)New compact devices – Newly launched Yealink & Polycom Collaboration bars suitable for smaller huddle spaces. It has exciting remote control with which we can join the meeting without the need of Touch Panels and just mounting them on a normal LED TV.

2)Cloud Video Interoperability with Cisco -Cisco webex video devices and cisco SIP conferencing video devices can connect with Microsoft Teams Meeting services. Cisco interop service and will be classified as teams cloud video interop solution.This helps out customers consuming cisco partnership to utilize cisco devices in Teams.

3)Cisco/Zoom Web based interoperability – Interop meeting room devices with direct guest join which enables the user to choose and utilize Teams,Cisco or Zoom from web interfaces however this experience will be seamless to the end users from these devices.

4)Managed Meeting Rooms – Monitor and manage your meeting rooms is a managed service from Microsoft that does room monitoring and advanced insights.

New IT professional capabilities –

1)Easier deployment of Teams Deploying Teams Workload –

Adviser for teams helps easier deployment and customize plans of choosing which one to migrate first whether chats or channel conversations or meeting or conversation.New coexistence modes added to support better coexistence and transition with Skype for Business Enterprise Voice functionalities.

2)ATP is now available in Teams- With ATP enabled Teams does a time of click verification for the links sent in chat conversations and if it finds anything phishy it does block them as we get on email links.

3)Ediscovery Available from Microsoft Teams – We can submit information for ediscovery on Teams contents.

4)Teams Audit logs – With Teams audit logs we can provide information on whether the Message was deleted or edited.

5)Information Barrier – Ability to block the communication between critical users from the admin side.The same capability will be applicable for files sharing between them in Teams.

6)Retention Policies – In Microsoft Teams now we can Setup retention policies that are as low as 1 day.

7)Administration for Microsoft Teams –

8)PowerShell – Bulk update to security group is possible with new commandlets and just now one liner.

9)Hub for Teamwork – Certified app catalog available in the teams admin center and further iteration can be made on this app catalog.

10)Manage Microsoft Teams Rooms – From Teams admin center we have the capability to manage the Microsoft teams meeting rooms devices.We have the capability to restart the devices and troubleshoot them from the admin center.


11)First line workers in Microsoft Teams –
Time Clock in Teams and Shifts in Teams helps managing the first line workers efficiently and tracking them easily.With graph apis we can integrate our workforce management systems.

12)Delegated User Management – First line workers managers have the capacity to reset/block the user accounts.

New Identity and access capabilities for First line workers-
SMS signin
Global sign-out
Off-shift access

Readiness and steps to Configure Direct Routing in Microsoft Teams

Earlier to enable enterprise voice with calling plan on skype for business online we would need to install cloud connector locally on a virtual machines as a separate appliance which requires complex configuration for integrating with the certified session border controllers.

Now Microsoft have made it easier to configure them with direct routing where we do not need to deploy the cloud connector agent locally in the on-premise systems.

When paired with Microsoft Calling plans or direct routing with local ISP calling plan, they provide a full enterprise experience for office 365 users in Teams on a global scale. With Direct Routing we can Connect Existing Telephony Infrastructure to MS teams with the help of  local session border controllers. A SIP connection is created between the cloud call controllers and our local session border controllers.

In this article we will look at the options , readiness and steps  to Enable users for Direct Routing from the Microsoft office 365 perspective.

Readiness for Direct Routing:

Decide on Session Border Controller (Self or hosted SBC):

Session border controller connects Teams call to PSTN next hop or to the configured sip trunk with the local ISP. Here we have two options either to have own session border controllers on premise or to have this functionality hosted to a managed service provider who will host the session border controller for your organization to perform the SIP proxy and the PSTN routing for Microsoft Teams.

Make sure to select the supported session border controllers by Microsoft to configure direct routing in Microsoft Teams.

Figure out licenses based on deployment: Decide on media bypass Configuration

We need to figure out licenses on Microsoft office 365 to utilize the full enterprise functionality of Microsoft Teams.

Option1: Full Microsoft License

In this case no direct routing is required unless there is coexistence required with existing telephony system because we will be having the full calling plan with Microsoft and will utilize the Microsoft call controller, PSTN, Media controllers and Media processor.

Below Licenses are required:

  1. Enable Microsoft Teams.
  2. Office 365 Phone System License
  3. Skype for business online plan2  License
  4. Audio Conferencing
  5. Microsoft Calling plan (Available in selected regions as of now)

The first 4 licenses are available by default in office365 E5 License. For other license types separate SKus needs to be procured along with the calling plan available in the region

Below is the call flow for all in the cloud for Teams:

Option 2 : Full Teams feature plus Local Telcom Calling plan

This option requires to perform direct routing with Microsoft Teams SIP proxy  services to create the SIP trunk between Microsoft Teams in the cloud and local session border controllers to utilize the calling plan from local PSTN provider.

Below Licenses are required:

  1. Microsoft Teams
  2. Phone System
  3. Skype for business online plan2 
  4. Audio Conferencing
  5. Local SIP calling plan with your telecom provider

Phone System with own carrier via Direct Routing:

SBC readiness:

Decide on SBC Host Name:

Microsoft communicates to session border controllers only via FQDN. We need to decide on a hostname for Session border controller which will be public available to configure direct routing. In our case we will be having voicegw.ezcloudinfo.com

Configure the certificate:

The SBC must be configured with a certificate from public certificate authority with the decided host name. We could also use wild card and SAN certs but the CSR needs to be generated from the certified SBC.

Firewall:

Below source and destination ports needs to be opened for communication between Microsoft PSTN hub FQDNs and the session border controllers.

Above Necessary source and destination ports needs to be opened in Firewall for the SIP Signaling, SIP Proxy ,Media Processing and Media Bypass to happen for the STUN, TURN , ICE connectivity and for successful Teams audio/video call .

Direct Routing configuration in Microsoft Teams:

Ensure that the users are fully transformed to Teams Only Mode.

Pair the SBC to the Direct Routing Service of Phone System:

Connect to Skype for Business Online admin center using PowerShell

Verify the online PSTN gateways.

Get-Command *onlinePSTNGateway*

Now add the new online PSTN gateway to add our SBC in the list.

New-CsOnlinePSTNGateway -Fqdn voicegw.ezcloudinfo.com -SipSignallingPort 5067 -MaxConcurrentSessions 50 -Enabled $true

Check the added SBC configuration.

Get-CsOnlinePSTNGateway -Identity sbc.contoso.com

Configure the phone number and enable enterprise voice.

Set-CsUser -Identity “Will Smith” -OnPremLineURI tel:+97155368846 -EnterpriseVoiceEnabled $true -HostedVoiceMail $False

Create the Voice Route to go via SBC.

New-CsOnlineVoiceRoute -Identity “UAE” -NumberPattern “^\+9(71|206)(\d{7})$” -OnlinePstnGatewayList voicegw.ezcloudinfo.com -Priority 1 -OnlinePstnUsages “UAE and India”

IMP Notes:

  1. Flow differs for external and internal media bypass.
  2. Internal media bypass – Flows within the network teams and SBC and traffic is routed to local PSTN provider.
  3. External Media bypass – Flows users will try to connect via certified SBC if now will take the SIP Proxy Route.
  4. Office 365 network is enhanced for teams traffic.
  5. Call Queues and Auto attendant configuration needs to be verified and configured according to the current setup.

Thanks & Regards

Sathish Veerapandian

Microsoft Teams – Side load 3rd party & custom built apps in Microsoft Teams pane

With all the more new improvements in Microsoft Teams,we have more alternatives to modify the end user client choices from the application perspective to get access to the most frequently used applications from Microsoft Teams.

The Custom built in-house applications can be effectively side-stacked in Microsoft Teams which makes the end users to adequately use these applications.

To start utilizing these options login to Office 365 admin portal and verify if the teams side loading options are migrated to Teams admin portal.

Once logged in navigate to settings – services & addins – search for Microsoft Teams – And see if external apps in turned on.

In below case in this tenant these configurations have been migrated to Microsoft Teams admin portal and hence these settings are greyed out. This will be the case for almost every office 365 tenants.

Now we have got app permission policies in Microsoft Teams.

App permissions policies control what applications we need to make accessible to Teams clients in our organization. Now we have got the better flexibility to customize the default policy or create custom policy and assign to only targeted users. The better option is to create a custom policy and assign them to targeted users.

Login to Microsoft Teams Admin portal – Select Teams Apps – and choose permission polices – Click Permission policies – Click Add

Here we have the flexibility to control Microsoft Apps, Third party Apps and Self developed custom inbuilt tenant apps which are published in Microsoft Teams as an App Package.

Once the required applications are selected the created application is ready to be assigned to individual users.

We can create app setup policies which decides the way we want to display the prepinned apps in Microsoft Teams pane.

To create custom one navigate to setup policies and click on Add

We do have further customization of the default apps or remove them and add more custom applications.

In the policy there is option to select the appropriate app permission policies which makes the default policy not affected and apply only for targeted users.

Assigning the App Permission policies and Setup Policies to end users.

Having the policy created now it is easier to assign the custom policy to targeted users.

Navigate to users tab – select policies tab – Now we have option to assign custom app permission and app setup policy.

End user Experience –

Once the policy is assigned we have the custom apps side-loaded in Microsoft Teams.

With these above options Application arrangement strategies can be improved and modified dependent on the business prerequisites, integrated with Microsoft Teams and rolled out to the end users.

Thanks & Regards

Sathish Veerapandian

Microsoft Teams – Manage External and Guest Access communication for users

Microsoft Teams becoming an unrivaled communication platform its been adopted by most of the corporate organizations right from small, medium and large scale businesses.

Teams adoption rate have been thriving a lot and there are organizations managing their daily operations and projects completely via better organized Teams and channels.

In this article we will have an overview and the options available to expose Microsoft Teams for communication to the external network and other office 365 organizations.

As an initial prerequisite we must ensure that all the Office 365 URL and IP Ranges are allowed.

Login to Microsoft Teams Admin center portal here we have 2 options.

  1. External Access
  2. Guest Access

For external access the screenshot is pretty much explanatory. The best way is to add only the allowed domains which would block the other external organizations.

We do have an option to toggle the second feature where the Skype for Business online users have the ability to communicate with the Skype Users. But then if all the users are switched to Teams only mode then enabling the latter functionality will not be working.

External access lets our Teams users communicate with allowed domains.
Only the allowed domains in the list can communicate with each other.
They cannot be a member of a Teams or any Channels, however they can initiate peer to peer chats, audio , video calls and can join the meeting initiated from Outlook.

As of now below are the features that will be working between external access domains.

With Guest Access anyone with a business or consumer email account, such as Outlook, Gmail, or others, can participate as a guest in Teams. We can grant them access to our existing teams and channels.

Guest access can be further manipulated based on our business requirements with the below options.

Meeting and messaging choices can be further controlled in guest access.

Once the guest access is enabled the end users can go ahead and add external ids like gmail in their channels like below.

The external guest account will receive a descriptive invite which will provide information about Microsoft Teams.

Note: For all the invited external users a corresponding azure AD account will be created in our Tenant with the user type of Guest.

Few users reported challenge in communicating with allowed federated domains.

While most of the users were able to communicate across federated domains and there were few users experiencing the below error.

On further analysis found that there are two federation policies.

And the affected users were assigned to disabled federation access policies.

After moving them to federation only policy the issue got resolved.

Grant-CsExternalAccessPolicy -Identity “S Hameed” -PolicyName FederationOnly

Thanks & Regards

Sathish Veerapandian

Create Customized App Package for Azure Bot and publish them in Microsoft Teams

In the previous article , we had an overview and example of how to start creating Microsoft Azure Bots and integrate with Teams. Furthermore once the bots are integrated with teams ,we would need to create application package for our Azure Bot, so that we can provide better end user experience.

To interpret further once the azure bot is available to the end users via teams it will not be showing to them as an application (example shown below). Providing them as vanilla format will not be more intriguing to the consumers.

In Microsoft Teams there is an option to create a customized app package for our azure bots. Once we create and publish them, it will be available for end users in the app section. From Microsoft Teams users can search and install them on their Teams Client.

With app studio package admins can create their own customized apps for Microsoft Teams and publish them to individual users, teams and globally to the whole organization. Search and install app studio package from app section in Microsoft Teams.

Once after it is installed , open App Studio and use the Manifest Editor to create the App Package.

Here there are two options:

Create a new app – Used to create our own customized app.

Import an existing app – We can import our own customized existing app.

In this section create a new app is selected since the scope is to create an app for an existing azure bot service.

In the app section provide the information as requested.

App ID is crucial here and it must be the value of the Azure Bots from the setting page of the Azure Bots that we are creating the APP Package. Rest all information is descriptive and can be added easily.

There is an option for customized branding to insert the iconic image of our app which will be shown to the end users while interacting and also the terms of use can be added over here.

Capabilities tab is a vital section as this determines the functionality of the bot. Select only the bot section , add the required information and leave the others with default configuration .In above example existing bot must be selected because the app package is been created for an active bot. Provide them a name and use the option select from one of my existing bots.

The other options have to be chosen very carefully based on your bot functionality. For instance choosing My Bot is a one-way functional only for a bidirectional bot will not provide the message input window to the end users during the interaction.

It is important to note that for a 1:1 bot it needs to be selected only in personal scope. Choosing the other options for a 1:1 bot will create a malfunctioning of the app to the end users.

On a security perspective there are few options to restrict, provide SSO and Device permissions.

Provide the below information for the SSO.

And we have the option to control the device permission which is really great.

Having done all these settings above there is an option to test and distribute the created app package.

The easiest way is to install in our own client before distributing them by choosing the first option install your app in teams for testing.

After installation the app is ready to be launched.

Now on a user experience it provides us a prime look to our Azure Bot and looks appealing.

Its better to change the bot profile icon as well to show the same icon in the chat conversation.

Having tested this app from individual level client , now it is time to publish them to all users. Download them as json file and upload it from a teams client with global admin privilege.

The application must be downloaded from the teams client that was used to create this manifest file. Once after its been downloaded we can see it would have been downloaded them as json file along with the associated PNG files.

This zip file needs to be uploaded from the teams client using the option upload a custom app.

Once logged in with Global Admin Credentials – Navigate to store and use the option – upload a custom app.


There is  2 options to upload for me or my teams and upload for the whole tenant which will make the app be available for all users.

Once after its uploaded , successfully this new app for the azure bot will be available for end users and they can search in the store and install them.

Finally the App can be updated to next version with ease of operations or deleted with the below settings from the Teams client with Global Admin Credentials.

There are much more ways to control this app visibility and user experience on teams client like side loading the apps for easier communication , restricting them only via 3rd party apps etc. We will discuss about these configurations in the next upcoming blog.

Thanks & Regards

Sathish Veerapandian

%d bloggers like this: