This repository contains the code for a set of Azure Functions that let a single REST POST request generate a new Microsoft Teams team from the information provided. It was originally created for use with the TDx (TeamDynamix) Web Request feature, to automate our workflow for creating Microsoft Teams.
- Generate Teams
  - Service (User) Account
  - Azure App Registration
    - Application (client) ID
    - Client Secret
    - Graph Permissions: see the table below
  - Azure Resource Group
    - Technically optional; used to store and organize all of the resources mentioned here.
  - Azure App Service
  - Azure Storage Account
    - Azure Storage Queue
    - Azure Storage Table
    - NOTE: The storage account name and key are not used directly in this script; instead, the function.json files use the default "AzureWebJobsStorage" connection, which provides this information to the functions.

Graph API Permission | Type | Description | Admin Consent Required |
---|---|---|---|
Directory.ReadWrite.All | Application | Read and write directory data | Yes |
Group.ReadWrite.All | Application | Read and write all groups | Yes |
Team.Create | Application | Create teams | Yes |
Team.ReadBasic.All | Application | Get a list of all teams | Yes |
TeamSettings.ReadWrite.All | Application | Read and change all teams' settings | Yes |

All of these are application (app-only) permissions, and Directory.ReadWrite.All in particular is tenant-wide, so treat the client secret as a privileged credential: keep it out of source control and rotate it on a schedule.
- Generate the Azure App Registration
  - Set the proper Graph permissions (listed in the requirements section) and grant admin consent for them
  - Make note of the Application (client) ID
  - Generate a new client secret (the description does not matter)
  - NOTE: Make note of the new client secret; you will not be able to view it later. If it is lost, a new client secret needs to be generated.
  - NOTE: The name of the App Registration is visible when the team is created and the requestor is invited: Teams uses the App Registration's name for the notification and invites displayed in Microsoft Teams.
- Create a new Azure Resource Group; this is used to "store" all of the additional components
- Create an Azure Storage Account
  - Create a new Azure Storage Queue and Table
  - Make note of both the Queue and Table names; they will be needed later
- Create a new App Service
  - The code from this repo can be cloned from git, or transferred to the App Service with SFTP.
  - NOTE: Review the "values" section of local.settings.json.template for the list of attributes that must exist in the App Service's application settings under Configuration (set these using the Azure Portal GUI). The client secret goes there too; a Key Vault reference is the hardened alternative to storing it as a plain application setting.
  - Review the hardcoded values section below and ensure that those entries are updated to match the current Azure Storage configuration.
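Before deploying, it is worth confirming that the App Registration really has every permission in the table above admin-consented, because a missing consent only surfaces later as a 403 from Graph inside a function. The following script is an added example (it is not part of this repository): it obtains an app-only token with the client credentials and inspects the `roles` claim, which is where Graph app-only tokens list the granted application permissions. It assumes the tenant ID, client ID and client secret are available as environment variables; the variable names `TENANT_ID`, `CLIENT_ID` and `CLIENT_SECRET` and the function names are assumptions for illustration.

```powershell
# Added example, not code from this repository. Reads the App Registration's credentials
# from environment variables (assumed names) and checks which Graph application
# permissions have actually been admin-consented.
$TenantId     = $env:TENANT_ID
$ClientId     = $env:CLIENT_ID
$ClientSecret = $env:CLIENT_SECRET

# The permissions listed in the requirements section of the README.
$RequiredRoles = @(
    'Directory.ReadWrite.All',
    'Group.ReadWrite.All',
    'Team.Create',
    'Team.ReadBasic.All',
    'TeamSettings.ReadWrite.All'
)

function Get-GraphAppToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # OAuth 2.0 client credentials grant. The ".default" scope requests every
    # application permission that has been consented for this app.
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -ContentType 'application/x-www-form-urlencoded' `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body
    return $resp.access_token
}

function Get-JwtPayload {
    param([string]$Jwt)
    # Decode (without validating) the second base64url segment of the JWT. The token
    # came straight from the token endpoint over TLS and is only being inspected here,
    # not used to authorize anything, so signature validation is not required.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($payload))
    return ($json | ConvertFrom-Json)
}

function Test-GraphAppRoles {
    param([string]$Jwt, [string[]]$Required)
    # App-only tokens carry the granted application permissions in the "roles" claim;
    # a permission that was added but never admin-consented does not appear there.
    $claims  = Get-JwtPayload -Jwt $Jwt
    $granted = @($claims.roles | Where-Object { $_ })
    $missing = @($Required | Where-Object { $granted -notcontains $_ })
    $extra   = @($granted  | Where-Object { $Required -notcontains $_ })
    [pscustomobject]@{
        AppId   = $claims.appid
        Granted = $granted
        Missing = $missing
        Extra   = $extra          # granted but not needed by this project: least-privilege candidates
        Ok      = ($missing.Count -eq 0)
    }
}

$token  = Get-GraphAppToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
$result = Test-GraphAppRoles -Jwt $token -Required $RequiredRoles
if ($result.Ok) {
    Write-Host "All required Graph application permissions are granted to app $($result.AppId)."
} else {
    Write-Warning "Admin consent is missing for: $($result.Missing -join ', ')"
}
if ($result.Extra.Count -gt 0) {
    Write-Warning "Permissions granted but not required here: $($result.Extra -join ', ')"
}
```

Run it from a shell where the three environment variables are set. Anything reported under `Extra` is a permission the App Registration holds but this project does not use; removing it keeps the credential's blast radius to what the functions actually need.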
No external modules are required.
There are a few hardcoded values that depend on the Azure Storage configuration. Each must exactly match the name of its Azure Queue, Table, or Resource Group; casing matters for these values (and Azure queue names must be all lowercase).
NewTeam\function.json
- QueueName
- TableName
TimedGalChanges\function.json
- QueueName
TimedGroupCheck\function.json
- TableName
TimedGalChanges\run.ps1
- QueueName
- ResourceGroup
Application | Security Role |
---|---|
Chat | ✔ |
Client Portal | Client + Knowledge Base, Services, Ticket Requests |
Community | ✔ |
IT | Technician |
TDNext | ✔ |
Name | Type | Active |
---|---|---|
Existing user account Name | TeamDynamix Web API | ✔ |
Name | Base Service Provider URL | Active |
---|---|---|
Azure Teams Creator | https://AzureAppName.azurewebsites.net/api/ | ✔ |
UserPrecheck
Function is triggered via a GET request. Returns the queried user account and provides information about the user's license status.
NewTeam
Function is triggered via a POST request. A new O365 Group is generated and populated with a single member (the owner of the group).
- The group is then used to create a Microsoft Team via Microsoft Graph.
  - NOTE: This two-step process (create the group, then create the team from it) was the recommended approach when this was written. Graph v1.0 now also allows a team to be created with a single POST /teams request (using a team template and an owner), so the two-part process could be collapsed into one call.
- This function takes a mixture of the Group and Team attributes and posts the results to the Azure Table for long-term logging.
- Shortly after the new team is created, the owner (the one and only member) is granted access to the team and receives a notification if their Teams client is running.
- A queue message is written to the storage queue.
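The two-step create described above has one failure mode every implementation runs into: the new group is not immediately visible to the Teams service, so the team-creation call frequently returns 404 for the first minute and must be retried, while a 403 (missing permission) or 409 (group is already a team) should fail immediately. The following is an added example, not this repository's NewTeam function: it performs the same group-then-team sequence as plain Graph REST calls with that retry logic. It assumes `$Token` holds an app-only Graph access token carrying Group.ReadWrite.All and Team.Create (for example from a client-credentials flow); the function names, the settings in the team body and the display name in the usage line are assumptions for illustration.

```powershell
# Added example, not this repository's NewTeam code. Creates a Microsoft 365 group with
# a single owner/member and then turns it into a team, retrying only on the 404 that
# Graph returns while the new group is still propagating.
function Invoke-Graph {
    param([string]$Token, [string]$Method, [string]$Uri, $Body)
    $headers = @{ Authorization = "Bearer $Token" }
    if ($null -ne $Body) {
        return Invoke-RestMethod -Method $Method -Uri $Uri -Headers $headers `
            -ContentType 'application/json' -Body ($Body | ConvertTo-Json -Depth 10)
    }
    return Invoke-RestMethod -Method $Method -Uri $Uri -Headers $headers
}

function New-TeamFromGroup {
    param(
        [string]$Token,
        [string]$DisplayName,
        [string]$MailNickname,   # must be unique in the tenant; becomes the group alias
        [string]$OwnerUpn,
        [string]$Description = '',
        [ValidateSet('Private', 'Public')][string]$Visibility = 'Private'
    )
    $graph = 'https://graph.microsoft.com/v1.0'

    # Resolve the owner first so a mistyped UPN fails before anything is created.
    $owner = Invoke-Graph -Token $Token -Method Get -Uri "$graph/users/${OwnerUpn}?`$select=id,userPrincipalName"

    # Step 1: create the Microsoft 365 (Unified) group with the requester as its only
    # owner and member. mailEnabled/securityEnabled are fixed for this group type.
    $groupBody = @{
        displayName          = $DisplayName
        description          = $Description
        mailNickname         = $MailNickname
        mailEnabled          = $true
        securityEnabled      = $false
        groupTypes           = @('Unified')
        visibility           = $Visibility
        'owners@odata.bind'  = @("$graph/users/$($owner.id)")
        'members@odata.bind' = @("$graph/users/$($owner.id)")
    }
    $group = Invoke-Graph -Token $Token -Method Post -Uri "$graph/groups" -Body $groupBody

    # Step 2: turn the group into a team. Retry on 404 only (group not yet visible to
    # Teams); anything else (403 missing permission, 409 already a team) is a real error.
    $teamBody = @{
        memberSettings    = @{ allowCreatePrivateChannels = $true; allowCreateUpdateChannels = $true }
        messagingSettings = @{ allowUserEditMessages = $true; allowUserDeleteMessages = $true }
        funSettings       = @{ allowGiphy = $true; giphyContentRating = 'strict' }
    }
    $attempt = 0
    while ($true) {
        $attempt++
        try {
            $team = Invoke-Graph -Token $Token -Method Put -Uri "$graph/groups/$($group.id)/team" -Body $teamBody
            break
        } catch {
            # Works for both WebException (Windows PowerShell) and HttpResponseException (PowerShell 7).
            $status = [int]$_.Exception.Response.StatusCode
            if ($status -eq 404 -and $attempt -lt 10) {
                Start-Sleep -Seconds (5 * $attempt)   # linear back-off, roughly 4 minutes in total
                continue
            }
            throw "Creating the team for group $($group.id) failed with HTTP $status on attempt ${attempt}: $($_.Exception.Message)"
        }
    }

    # The mixture of group and team attributes that NewTeam logs to the Azure Table.
    [pscustomobject]@{
        GroupId     = $group.id
        TeamId      = $team.id
        DisplayName = $group.displayName
        Mail        = $group.mail
        Visibility  = $group.visibility
        Owner       = $owner.userPrincipalName
        CreatedUtc  = $group.createdDateTime
        WebUrl      = $team.webUrl
    }
}

# Usage (assumed values):
# New-TeamFromGroup -Token $Token -DisplayName 'Project Falcon' -MailNickname 'projectfalcon' -OwnerUpn 'jane.doe@contoso.com'
```

If the group is left behind because step 2 ultimately fails, it still exists in the directory without a team; a production caller should either delete it or record the group ID so the team creation can be retried later, which is what the queue in this project is designed to support for the GAL change.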
TimedGALChanges
This function runs on a timer and checks the storage queue for pending messages. If there are pending queue messages:
- The function loads Exchange and attempts to set the visibility of the group in the GAL.
- If that succeeds, the queue message is removed from the queue.
- If it does not succeed, the queue message is left in place and is checked again the next time the function runs.
TeamGuestSettings
Function is triggered via a GET or POST request. Team guest access is either enabled or disabled, and the current setting values are returned.
GetAllGuestEnabledTeams
- Generates a list of all teams that currently allow guest access
- Supplemental function used as needed; it is triggered manually
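Both TeamGuestSettings and GetAllGuestEnabledTeams revolve around the same directory object: a team's guest access is governed by a group-level `Group.Unified.Guest` setting (the `AllowToAddGuests` value), and a group that has no such setting inherits the tenant-level `Group.Unified` setting, which allows guests unless an administrator has changed it. A correct "all guest-enabled teams" report therefore has to account for the inherited case, not just groups with an explicit setting. The following is an added example, not this repository's TeamGuestSettings or GetAllGuestEnabledTeams code: it reads and writes the per-team setting and enumerates every team whose effective setting allows guests. It assumes `$Token` is an app-only Graph token with Directory.ReadWrite.All and Group.ReadWrite.All; the function names are assumptions, while the two template IDs are the well-known Azure AD directory setting templates.

```powershell
# Added example, not code from this repository. Reads, sets and reports the
# AllowToAddGuests directory setting that controls guest access for a team.
$Graph            = 'https://graph.microsoft.com/v1.0'
$GuestTemplateId  = '08d542b9-071f-4e16-94b0-74abb372e3d9'   # Group.Unified.Guest (per group)
$TenantTemplateId = '62375ab9-6b52-47ed-826b-58e47e0e304b'   # Group.Unified (tenant default)

function Invoke-GraphPaged {
    # GET that follows @odata.nextLink so large tenants are enumerated completely.
    param([string]$Token, [string]$Uri)
    $headers = @{ Authorization = "Bearer $Token" }
    do {
        $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

function Get-TenantGuestDefault {
    # $true when the tenant-level setting allows guests (also the default when no
    # Group.Unified setting object exists at all).
    param([string]$Token)
    $setting = Invoke-GraphPaged -Token $Token -Uri "$Graph/groupSettings" |
        Where-Object templateId -eq $TenantTemplateId
    if (-not $setting) { return $true }
    $v = ($setting.values | Where-Object name -eq 'AllowToAddGuests').value
    return ($null -eq $v -or $v -eq 'true')
}

function Get-TeamGuestSetting {
    # $true/$false for an explicit per-group setting; $null when the group inherits.
    param([string]$Token, [string]$GroupId)
    $setting = Invoke-GraphPaged -Token $Token -Uri "$Graph/groups/$GroupId/settings" |
        Where-Object templateId -eq $GuestTemplateId
    if (-not $setting) { return $null }
    return (($setting.values | Where-Object name -eq 'AllowToAddGuests').value -eq 'true')
}

function Set-TeamGuestSetting {
    # Creates the per-group setting if absent, otherwise updates it in place, and
    # returns the value read back from Graph so the caller sees the effective state.
    param([string]$Token, [string]$GroupId, [bool]$AllowGuests)
    $headers  = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
    $existing = Invoke-GraphPaged -Token $Token -Uri "$Graph/groups/$GroupId/settings" |
        Where-Object templateId -eq $GuestTemplateId
    $values = @(@{ name = 'AllowToAddGuests'; value = $AllowGuests.ToString().ToLower() })
    if ($existing) {
        $body = @{ values = $values } | ConvertTo-Json -Depth 5
        Invoke-RestMethod -Method Patch -Uri "$Graph/groups/$GroupId/settings/$($existing.id)" -Headers $headers -Body $body | Out-Null
    } else {
        $body = @{ templateId = $GuestTemplateId; values = $values } | ConvertTo-Json -Depth 5
        Invoke-RestMethod -Method Post -Uri "$Graph/groups/$GroupId/settings" -Headers $headers -Body $body | Out-Null
    }
    return (Get-TeamGuestSetting -Token $Token -GroupId $GroupId)
}

function Get-AllGuestEnabledTeams {
    # Every team whose effective setting allows guests, whether explicit or inherited.
    param([string]$Token)
    $tenantDefault = Get-TenantGuestDefault -Token $Token
    $teams = Invoke-GraphPaged -Token $Token `
        -Uri "$Graph/groups?`$filter=resourceProvisioningOptions/Any(x:x eq 'Team')&`$select=id,displayName,mail"
    foreach ($t in $teams) {
        $explicit  = Get-TeamGuestSetting -Token $Token -GroupId $t.id
        $effective = if ($null -eq $explicit) { $tenantDefault } else { $explicit }
        if ($effective) {
            [pscustomobject]@{
                Id          = $t.id
                DisplayName = $t.displayName
                Mail        = $t.mail
                Source      = if ($null -eq $explicit) { 'tenant default' } else { 'group setting' }
            }
        }
    }
}

# Usage (assumed group ID):
# Set-TeamGuestSetting -Token $Token -GroupId '00000000-0000-0000-0000-000000000000' -AllowGuests $false
# Get-AllGuestEnabledTeams -Token $Token | Format-Table
```

The `Source` column is the part a reviewer usually wants: teams listed as "tenant default" have never had guest access decided per team, so flipping the tenant-level setting would change all of them at once, while "group setting" teams keep their explicit value regardless. Disabling guests on a team does not remove guests who are already members; it only blocks adding new ones.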
View the readme file within each function's respective folder for more information.
The host name is based on the Azure Function App Service name:
Host: https://<FUNCTIONAPPNAME>.azurewebsites.net
Port 7071 is the default port when running the Azure Functions host locally for testing:
Host: localhost:7071
Additional comments regarding Graph, PowerShell, Teams roadmaps, etc.
- TeamDiscoverySettings in the Graph API is only available on the beta endpoint
  - This includes the "ShowInTeamsSearchAndSuggestions" Graph API setting
- App-only authentication for unattended scripts in the EXO V2 module currently only supports Windows PowerShell (PS 5.1)
  - Once this command is compatible with PowerShell Core (6.2+, 7.0+) we should remove the custom code used to connect to Exchange and use this method instead (newer ExchangeOnlineManagement releases do support PowerShell 7, so re-check this before keeping the custom connection code)
- Discovery of private teams within MS Teams
  - Feature is deprecated as of Aug 31 2020
  - Cannot enable discovery of private teams
  - Cannot disable discovery of public teams
  - Alternate option to consider: use a policy
  - Options for private teams to allow new members to join directly without approval
- Open the TDx homepage
- Click on the orange grid icon in the top left corner
- Click the admin icon; this opens the TDx Admin interface
- Click "Applications"
- Choose "IT"
- Click "workflow web services >"
- Choose "workflow web service logs"
- Look through the list and choose the failed/unsuccessful entry
- This shows the associated ticket; verify that this log entry matches the ticket number
- Review the contents of the log for the exact error message
- Open the Azure Portal
- Search for "resource groups"
- Open the resource group "Infra-TeamsAutomation"
- Open the "TeamsCreate" function app
- In the left-hand pane, click on "Functions"
- Select the function to troubleshoot
- Click "Monitor"
- Review the individual invocations and their logs as needed
Review Microsoft's solution to Change guest access settings using Microsoft PowerShell.