Upgrading to OC Essentials Plus or OC Pro
Upgrading from OC Essentials to OC Essentials Plus or OC Pro enables you to manage your M365 users and groups from the Live Platform Service portal (see Customer Portal Operator Connect License Model Menus for details). This requires you to grant consent for your Service Provider tenant to access your M365 platform, both for securing the upgrade process and, in Day Two, for synchronizing updates performed in the Service portal and updates performed on your M365 platform.
Live Platform supports Application Registration authentication for securing the connection between Live Platform and
| ■ | Seamless Operation: Allows Live Platform to authenticate and access M365 resources without requiring user sign-in. This is especially useful when running the Background Replication process, which synchronizes the customer service portal configuration with the customer tenant Microsoft 365 platform, because it can run without disruption of service due to user session timeouts. |
| ■ | Enhanced Security: The use of client credentials (Application client ID and secret) provides a more secure mechanism than the user token. In cases where more than one service is deployed for each Azure tenant, separate secrets can be created for each service. |
| ■ | Scalability: The Live Platform Multitenant can process a large number of requests across multiple tenants without disruption of service due to expired tokens or token refresh. |
Securing the connection using Application Registration is only relevant for Hosted Essentials Plus and Hosted Pro customers.
The table below describes the Administrator roles required for the Onboarding of the service and for Day Two management. After the creation of the registration, access Microsoft Entra Roles and Administrators and add or remove roles as required.
| Role | Purpose | Deployment Stage | Validation Conditions | 
|---|---|---|---|
| Application Administrator (prerequisite for Automatic Registration creation only) | Automatically creates the Enterprise app on the customer Azure tenant, which is required for synchronizing with the M365 tenant and securing the completion of the Onboarding. | Onboarding Only | This permission is only required during onboarding and can be removed after onboarding. In addition, the Enterprise application created on the customer M365 tenant can also be removed. |
| One of the following roles is mandatory for managing the Daily replication process to synchronize Live Platform with the customer tenant M365 platform. | | | |
| Teams Administrator | Manages the Microsoft Teams service (runs Teams PowerShell), creates voice routes and manages users. This role consolidates both Teams Telephony Administrator and Skype for Business Admin roles. | Onboarding and Day Two | Used for daily replication. Mandatory, unless you use Skype for Business Administrator and Teams Telephony Administrator together instead, as described below. |
| OR | | | |
| Teams Telephony Administrator and Skype for Business Admin | Manages voice and telephony features for the Microsoft Teams service. It allows the administrator to manage all calling and meetings features (SIP trunk, phone numbers, and direct routing features) within Microsoft Teams. This includes the configuration of all calling and meeting policies in Skype for Business Online as well. | Onboarding and Day Two | Used for daily replication. Optional to use together with Skype for Business Admin. Microsoft Teams was built on Skype for Business, and Live Platform still uses legacy cmdlets that require that role to replicate properly. Teams still relies on old Skype for Business commands in PowerShell. Live Platform uses PowerShell commands to get and/or set the users, groups and group members. |
| The following roles are required for Automatic DNS provisioning for the initial Site Location (SIP Connection) and for adding additional sites. The permissions shown below are relevant for the Direct Routing service only. | | | |
| Domain Name Administrator | Creates a unique M365 custom sub-domain using the fully Automatic DNS option in the onboarding wizard. | Onboarding | This permission is only required during onboarding of the token with Automatic DNS. This permission can be removed after the onboarding, and then added again at a later stage when adding a new site with a unique DNS sub-domain. |
| User Administrator | Creates a user with a phone system license (M365 Activation user) while onboarding (requirement of Microsoft). | Onboarding | This permission is only required during onboarding of the token with Automatic DNS. This permission can be removed after the onboarding, and then added again at a later stage when adding a new site with a unique DNS sub-domain. |
The following table describes the API permissions that are set for the automatic Application Registration creation or that you must add if you create the registration manually.
| API Permission | Description |
|---|---|
| AppCatalog.ReadWrite.All | Read and write to all app catalogs |
| Group.Read.All | Read all groups |
| Organization.Read.All | Read organization information |
| TeamSettings.ReadWrite.All | Read and change all teams' settings |
| User.ReadWrite.All | Read and write all users' full profile |
| RoleManagement.Read.Directory | Read all directory RBAC settings |
| GroupMember.Read.All | Read all group memberships. Required if your application with Administrative Units uses the following cmdlets: |
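
A least-privilege review of the two tables above can be scripted. The following is an added example, not part of the Live Platform product or its documentation: it checks a list of assigned Entra roles and granted API permissions against the documented requirements. The function name `audit`, the stage labels and the `SAMPLE` data are assumptions made for illustration.

```python
# Added example: role and permission names are copied from the tables above;
# the function, the stage labels and SAMPLE are assumptions made for this sketch.
ONBOARDING_ONLY = {"Application Administrator", "Domain Name Administrator",
                   "User Administrator"}
DAY_TWO_PAIR = {"Teams Telephony Administrator", "Skype for Business Administrator"}
DOCUMENTED_API = {
    "AppCatalog.ReadWrite.All", "Group.Read.All", "Organization.Read.All",
    "TeamSettings.ReadWrite.All", "User.ReadWrite.All",
    "RoleManagement.Read.Directory", "GroupMember.Read.All",
}


def audit(roles, api_permissions, stage):
    """Return findings for one registration; stage is 'onboarding' or 'day_two'."""
    roles, perms = set(roles), set(api_permissions)
    findings = []
    # Daily replication needs Teams Administrator, or both roles of the pair.
    if "Teams Administrator" not in roles and not DAY_TWO_PAIR <= roles:
        need = " and ".join(sorted(DAY_TWO_PAIR - roles))
        findings.append(f"replication role missing: add Teams Administrator, or {need}")
    # Onboarding-only roles can be removed once onboarding is done. The two DNS
    # roles are re-added temporarily when a new site with its own sub-domain is added.
    if stage == "day_two":
        for role in sorted(ONBOARDING_ONLY & roles):
            findings.append(f"onboarding-only role still assigned: {role}")
    # Anything beyond the documented API permissions is excess privilege to review.
    for perm in sorted(perms - DOCUMENTED_API):
        findings.append(f"API permission outside documented list: {perm}")
    return findings


# Constructed sample: what an administrator might copy out of the Entra
# "Roles and administrators" and "API permissions" pages after onboarding.
SAMPLE = {
    "roles": ["Application Administrator", "Teams Telephony Administrator"],
    "api_permissions": sorted(DOCUMENTED_API) + ["Directory.ReadWrite.All"],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE["roles"], SAMPLE["api_permissions"], "day_two"):
        print(finding)
```
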
| ➢ | To upgrade: | 
| 1. | In the Tenants page, select the desired lead, click…. and choose Convert to OC Pro. | 
                                                 
                                            
The Onboarding wizard opens.
                                                
                                            
| 2. | Enter Full Name of service – Free Text. | 
| 3. | Enter Short Name of service - Define a unique name for the new service. | 
Note the following rules:
| ● | The string should be 3-15 characters long | 
| ● | The following characters cannot be used: \ / : * ? " < > |audit | 
| ● | Can contain letters (lowercase/uppercase), numbers and special characters; however, it cannot contain the dot (.) or blank spaces. |
| ● | Unique name per Service | 
| 4. | Select the OC Essentials Plus or OC Pro license Type. | 
| 5. | Select the number of licensed users. A maximum of 500 users can be configured per customer. | 
| 6. | Select the check box Send link to IT administrator for authentication, and then enter the email address of the Tenant service Global admin or Service account admin. | 
                                                 
                                            
| 7. | Close the window. An email similar to the following is sent to the customer tenant admin. | 
                                                 
                                            
| 8. | Click Click here to activate your tenant. The Invitation wizard is displayed. |
If the mail has not been received, open the Multitenant interface and navigate to Security > Customer Invitations. Search for the relevant token and verify that the 'Email Sent' field is set to true (see Customer Invitations). You can also initiate the Token Invitation wizard by clicking the AuthURL link (see below), and then copying the URL and pasting it into a Web browser. In addition, check the email settings (see Configuring Email Settings).
                                                     
                                                
                                                 
                                            
| 9. | Do one of the following: | 
| ● | Send link to IT administrator for authentication (see Send Customer Email Link to Invitation Wizard) | 
| ● | Use known App Registration (see Authenticate Directly from Onboarding Wizard) | 
| 10. | Verify that Status is shown as Authentication Complete (see Pending Requests). You can then click Upgrade to resume the Onboarding. |
The Onboarding wizard is displayed.
                                                 
                                            
| 11. | Click Create New App Registration. | 
                                                 
                                            
| 12. | Enter the username of the M365 admin user (Application Administrator role or higher) to create the App Registration for securing the connection. | 
| 13. | Do one of the following: | 
| ● | Copy the code and then click the URL link below it. | 
| ● | Click Copy code and open page in new tab. | 
                                                 
                                            
                                                 
                                            
| 14. | Click Next or enter code if you clicked the ....device/login link above. | 
| 15. | Enter credentials of the Admin account of the M365 tenant. | 
                                                 
                                            
| 16. | Click Continue. | 
                                                 
                                            
| 17. | Close the dialog. A confirmation message is displayed that the connection has been successfully established. | 
                                                 
                                            
| 18. | Enter the name of the Application Registration. The name should comply with the following rules: | 
| ● | The string should be 3-15 characters long | 
| ● | The following characters cannot be used: \ / : * ? " < > |audit | 
| ● | Can contain letters (lowercase/uppercase), numbers and special characters; however, it cannot contain the dot (.) or blank spaces. |
| ● | Unique name per Service (check regarding ) | 
                                                 
                                            
                                                 
                                            
| 19. | Do one of the following: | 
| ● | In the All Services page, search for your tenant and then click Upgrade. | 
                                                 
                                            
| ● | In the Tenants page, search for your tenant and then from the right-click menu, choose Convert to OC Pro. | 
                                                 
                                            
The Onboarding wizard opens displaying the credentials of the newly created registration.
                                                 
                                            
| 20. | Confirm the number of licenses and then click Next. 'Success' status indicates that the tenant has been successfully upgraded. | 
                                                 
                                            
| 21. | Return to the Tenants page and note that the license has been upgraded to OC Pro. | 
                                                 
                                            
| 22. | Return to the All Services page and notice that the tenant is still deploying or is successfully deployed. | 
                                                 
                                            
                                                 
                                            
| 23. | Open the Live Platform portal Services page and select the check box adjacent to the service. Note the License Type 'Pro' is displayed in the Details pane. | 
                                                 
                                            
| 24. | Click the SIP Connections tab to view the details of the new SIP Connection created for the service (see SIP Connections Management). | 
                                                 
                                            
| 25. | From the Operator Connect drop-down, choose Edit Service. | 
                                                 
                                            
The Users page of the Service portal opens.
                                                 
                                            
| 26. | Navigate to the Microsoft 365 Settings page (Configuration > M365 Configuration). Note that the Client Secret Days Until Expire field is displayed (if set for the first time). |
                                                 
                                            
| 27. | Click Validate Authentication to validate the credentials of the tenant service with the App Registration. | 
                                                 
                                            
| 28. | Open the Azure portal and in the Navigation pane, select App Registrations. Search for your new Token Application Registration, and then in the Navigation pane, select Manage > API permissions. View the new permissions created by the automatic script. | 
                                                 
                                                
                                            
| 29. | Remove all of the above permissions as they are not required. |
| 30. | If you wish to create an additional service using the same registration, you must generate a separate additional Client secret. In the Navigation pane, select Manage > Certificates & Secrets. |
                                                 
                                                
                                            
| 31. | Click New client secret. | 
                                                 
                                                
                                            
| 32. | Copy the secret value to notepad. | 
| 33. | In the search box in the Menu bar, type Microsoft Entra Roles and administrators. | 
                                                 
                                                
                                            
                                                 
                                                
                                            
| 34. | Search for the specific roles to add or remove according to the table above. | 
| 35. | Proceed to Getting Started in Day Two (OC Essentials Plus and OC Pro). |