Skip to content

2. Deployment

Jump to bottom
Johan Veldhuis edited this page Sep 8, 2022 · 19 revisions

Pre-requisites

Deployment machine

Environment

  • Azure Subscription and account with contributor role (to deploy resources)
  • M365 Subscription (to create the SharePoint site)

Permissions

  • Azure AD admin role to create the Service Account, assign roles and register a new application
  • Azure account with contributor role (to deploy resources)
  • Permissions to create a new SharePoint site

Note: in this deployment, we assume that the same user has the appropriate permissions to deploy the resources on Azure, Power Platform and Azure AD. This is however not mandatory and the deployment can be split across these different roles and responsabilities within the organization.

Licenses/Subscriptions

  • Azure Subscription
  • M365 Subscription (to create the SharePoint site)
  • Azure AD Premium P1 license to enable Azure AD Conditional Access Although this is optional it is strongly recommended to protect the service account
  • Power App license to deploy the application and Power Automate flows
  • Power App Premium license for the Power Automate flows

Step 1: Install the prerequisites

Install PowerShell 7.x

Use the steps below to install PowerShell 7.x on the machine used for the deployment of the app:

  1. Go to https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.2#msi
  2. Select the correct platform (x64 or x86)
  3. Once the file has been downloaded install the MSI

Install Azure Az PowerShell module

Use the steps below to install the Azure Az PowerShell module:

  1. In your startmenu search for PowerShell 7, once found click on it to open PowerShell 7
  2. Run the following cmdlet to install the latest version of the Azure Az PowerShell module:
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

This will install the Azure Az PowerShell module only for the user which is currently logged in.

Install Microsoft Graph PowerShell module

Use the steps below to install the Microsoft Graph PowerShell module:

  1. If you closed the previous PowerShell window, search in the startmenu for PowerShell 7, once found click on it to open PowerShell 7
  2. Run the following cmdlet to install the latest version of the Microsoft Graph PowerShell module:
Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force

This will install the Microsoft Graph PowerShell module only for the user which is currently logged in.

Install Microsoft PnP PowerShell module

Use the steps below to install the Microsoft Graph PowerShell module:

  1. If you closed the previous PowerShell window, search in the startmenu for PowerShell 7, once found click on it to open PowerShell 7
  2. Run the following cmdlet to install the latest version of the PnP PowerShell module:
Install-Module -Name "PnP.PowerShell" -Scope CurrentUser -Repository PSGallery -Force

This will install the PnP PowerShell module only for the user which is currently logged in.

Step 2: Create a Service Account in Azure AD

Account required:

  • service account or account with the required roles descriped in the role required section

Role required:

  • Azure AD admin
  1. Go to the Azure AD portal to manage users
  2. Add a new user (e.g. "Service Account Teams admin") and save the password

Note: you'll need to reset this password the first time you use this account - Please connect to https://portal.azure.com with the user credentials and provide a new complex password - Store this password in a secured location

  1. Under assigned roles assign the following roles :
  • Directory readers - to read the user profiles
  • Teams communications administration
  • Skype for Business Administrator

Step 3: Deploy the Azure resources

Account required:

  • service account or account with the required roles descriped in the roles required section

Roles required:

  • Azure contributor
  • Azure AD app registration autorized for members of the tenant (or specific Azure AD role assigned for app registration)

During the creation of the resources the following permissions will be automatically configured:

  • Service account: get/list secrets
  • Account which is used to execute this script: get/list secrets
  • Azure Function App will receive the following Graph Permissions
    • Sites.Selected
    • Group.Read.All

To execute this deployment step, you need to download the content of this repository on your local environment and run the PowerShell script under .\Deployment\deploy.ps1

  1. Download the content of this repository
  2. Execute the script deploy.ps1 as follow:
.\deploy.ps1 -displayName <Name of Azure AD registered app> -rgName <Name of the resource group> -resourcePrefix <prefix for Azure resources -location <Azure region> -serviceAccountUPN <UPN of the service account created in step 1> -serviceAccountSecret <Password of the service account created in step 1>` (optional) -subscriptionID <Azure subscription id>

Example

.\deploy.ps1 -displayName "AA and CQ management" -rgName "aacqmgmtrg" -resourcePrefix "AACQmgmt" -location "West Europe" -serviceAccountUPN aacqmgmt-service@contoso.com -serviceAccountSecret Password01

The deployment can take several minutes, including the warm-up time of the Azure Functions - At the end of the deployment, check the outputs that will be required to configure the deployment of the Power App and Azure AD Conditional Access

A successful deployment should look like that (by default, the script runs 3 times)

Deployment script completed.

Here is the information you ll need to deploy and configure the Power Application
FunctionApp       : 'https://AACQmgmt-nnjqs.azurewebsites.net'
FunctionKey      : 'pujmFZfGxwqGXXXdddxLs2xXXXg2cMLhAUUE2Q=='
Tenant        : 'contoso.onmicrosoft.com'
ApplcationId      : 'bad28fb5-XXXX-XXXX-XXXX-665886c2cbad'
KeyVaultName : 'az-vault-6cdgs'
AzFunctionIPs : '104.45.68.78,104.45.69.84,104.45.69.210,104.45.69.232,104.45.66.240,104.45.70.42,20.50.2.80'

Step 4: Modify the Azure Function App to run independently - self-hosted (optional)

As we can imagine that organizations want to control when updates are installed we have listed steps below how to migrate the Azure Function App from running as a package to a solution which does not pull it's package from this repository.

  1. Go to the Azure function
  2. From the left menu select Advanced Tools in the Development Tools section
  3. In the main pane select go
  4. From the top menu select **Debug Console **and select PowerShell
  5. Wait till everything is loaded
  6. In the "explorer" view select site
  7. Click on the 3 dots next to wwwroot and select the option Download to download a zip with all the content
  8. Wait for the download the be completed
  9. Go back to the Azure Function page and selection Configuration in the Settings section
  10. Search for the entry WEBSITE_RUN_FROM_PACKAGE
  11. Delete the entry completely
  12. After a few seconds/minutes go to Functions in the Functions section and you will see everything has been removed
  13. Go back to the Debug Console window
  14. Inside the **wwwroot **put the content from the zip into the directory
  15. Go back to the Azure Function page and validate the functions are visible again

Step 5: Create SPO lists

This steps assumes that you already created the SharePoint Online site which will be used to store both the audio prompts and the SharePoint Online lists.

Run the following cmdlet's to connect to SharePoint Online and import the lists from the XML file.

Connect-PnPOnline -Url https://m365x18873442.sharepoint.com/sites/Teamsvoicemanagement -Interactive
Invoke-PnPSiteTemplate -Path c:\temp\Lists.xml

Once executed go to the SharePoint Online site and validate the SharePoint Lists are created.

SharePoint Online Lists created by script

Step 6: Deploy the Power App and flows

Deploying the Power App and Flows is being performed by importing a solution in the Power Apps environment. It is recommended to import the solution in a separate Power App environment if possible.

To import the solution perform the following steps:

  1. Go to https://make.powerapps.com
  2. In the left menu select Solutions
  3. From the top menu select Import
  4. In the new pane validate the correct environment is selected and press browse
  5. Select the ZIP file named AutoAttendantandCallQueueManagement_1_X_X_X.zip from the Packages/PowerApps folder
  6. Press the Next button to continue
  7. Review the details of the package and press Next
  8. Update the CON - SPO Auto attendant And CallQueue connection by selecting the dropdown menu next to the connection and select the New Connection option, a new tab will be opened (don't close the previous tab)
  9. On the new tab select Connect directly (cloud-services) and press Create
  10. An authentication prompt will be shown, make sure you select the service account created earlier, if not listed select Use another account and specify the credentials from the service account
  11. Close the tab and go back to the original tab and press the **Refresh **button
  12. Select the connection created from the drop down list
  13. Update the CON- O365 User AutoAttendant and connection by selecting the dropdown menu next to the connection and select the New Connection option, a new tab will be opened (don't close the previous tab) 14.On the new tab press the **Create **button
  14. An authentication prompt will be shown, make sure you select the service account created earlier, if not listed select Use another account and specify the credentials from the service account
  15. Close the tab and go back to the original tab and press the **Refresh **button
  16. Select the connection created from the drop down list
  17. Update the CON- Vault connection by selecting the dropdown menu next to the connection and select the New Connection option, a new tab will be opened (don't close the previous tab) 19.On the new tab press the **Create **button
  18. An authentication prompt will be shown, make sure you select the service account created earlier, if not listed select Use another account and specify the credentials from the service account
  19. Close the tab and go back to the original tab and press the **Refresh **button
  20. Select the connection created from the drop down list
  21. Once all 3 connections have been updated press the Next button
  22. Populate the fields with the values provided as output from the Azure deployment script:
  • VAR - FunctionKey: value of the host function key
  • VAR - Tenant: tenantname, for example contoso.onmicrosoft.com
  • VAR - application id: Application (Client) ID of the App registration in Azure AD
  • VAR - FunctionApp: name of the function app
  • VAR - TeamsvoicemanagementSPSite: SharePoint Site name
  1. Once all values are provided continue with importing the solution, this might take several minutes, while importing the following message will be show on the top of the page:

Solution import in progress

  1. Once imported you will see the TACO entry in the list of solutions:

Solution imported

  1. Click on the 3 dots and select Edit
  2. Find the TACO app (Teams AA CQ Orchestrator (TACO)
  3. Click on the 3 dots and select Edit
  4. In the left menu select data (database icon)
  5. Click on the 3 dots next to one of the SharePoint list and select Edit data
  6. Confirm the SharePoint site opens correctly

If the above steps doesn't result in the SharePoint site to open the data connections have not been updated correctly. In this situation there are 2 options:

  • reimport the solution
  • remove and recreate all SharePoint entries (WARNING: this might require you to update all SharePoint blocks in the workflows also)

Step 6a: Recreate the SharePoint connections in the app

Only perform these steps if the SharePoint connections are not updated correctly.

WARNING: this might require you to update all SharePoint blocks in the workflows also

  1. Remove all current SharePoint entries
  2. Click on Add data to readd the SharePoint entries
  3. Select advanced and select the variable VAR- SPO Site AutoAttendant ....
  4. Select:
    • Auto Attendant management
    • Auto Attendant - holidays
    • Call Queue management
    • Holidays
    • User administration
    • Voice management audit log
  5. Confirm all entries are added
  6. Click on the 3 dots next to one of the entries and select Edit data
  7. Confirm a new tab is opened with the SharePoint list
  8. (optionally) repeat this for the other items
  9. Update all workflows

Step 7: Configure Azure AD Conditional Access Policies

You can enable Azure Conditional Access on the Service Account used by your Azure Function app and restrict the trusted IP's to the one used by Azure Function. Azure AD Conditional Access requires a Premium P1 license to be assigned - More info here on license requirements.

  • Go to the Azure AD portal for Conditional Access management
  • Select "Named location" and create a new IP range location
  • Provide a name (e.g. "Azure Function app Teams admin") and mark the location as trusted location
  • Enter all the IP addresses provided in the output of the deployment in step #2 (AzFunctionIPs) - Append a "/32" to each IP address
  • Click on Create
  • Go to Policies and then click on "Create new policy"
  • Provide a name to your policy
  • For the Assignments:
    • Users or workload identities > Include "Select users and groups" > check "User and groups" > search for your Service Account > Select
    • Cloud apps or actions > Include "All cloud apps"
    • Conditions > Locations > Exclude "Selected locations" > "Azure Function app Teams admin" (created earlier)
  • For the Access Controls:
    • Grant > Block access
  • Enable policy
  • Save to confirm and apply the changes

AzureAD Conditional Access Policy setup

Note: please go back to your Power App and check that the application still responds - You can also try to use the Service Principal credential from your local desktop and verity you can't login anymore.

Step 8: Sharing the application

You now have the application deployed in Teams and you need to provide access to "delegated admins" in your organization. To achieve that, we'll use the Office 365 group of the team where the Power Apps has been deployed.

  1. All "delegated admins" needs to be invited in the team to access the Power App
  2. The 1st time your users will access the Power App in Teams, they will need to consent to use the 2 connectors (SharePoint and Office365)

Make sure you also assigned permissions to the SharePoint site which contains the SharePoint lists, failing to do this will result in an empty Power App even if the users have the correct permissions.

Clone this wiki locally