Secure Connection using Application Registration
Live Platform supports Application Registration authentication for securing the connection between Live Platform and
■ Seamless Operation: Allows Live Platform to authenticate and access M365 resources without requiring user sign-in. This is especially useful when running the Background Replication process that synchronizes the customer service portal configuration with the customer tenant's Microsoft 365 platform, enabling it to run without disruption of service due to user session timeouts.
■ Enhanced Security: The use of client credentials (Application client ID and secret) provides a more secure mechanism than a user token. In cases where more than one service is deployed for an Azure tenant, a separate secret can be created for each service.
■ Scalability: The Live Platform Multitenant can process a large number of requests across multiple tenants without disruption of service due to expired tokens or token refresh.
Securing connection using Application Registration is only relevant for Hosted Essentials Plus and Hosted Pro customers.
The Application Registration can be created using one of the following methods:
■ Create Application Registration Automatically using the Invitation Wizard
■ Create Application Registration Manually
Once you create the registration (Run Invitation wizard using Application Registration), you can use the credentials for this new registration to add additional Direct Routing services to your customer (see Securing Connection in Day Two).
The table below describes the Administrator roles required for the Onboarding of the service and for Day Two management. After the creation of the registration, access Microsoft Entra Roles and Administrators and add or remove roles as required.
| Role | Purpose | Deployment Stage | Validation Conditions |
|---|---|---|---|
| Application Administrator (prerequisite for automatic registration creation only) | Automatically creates the Enterprise app on the customer Azure tenant, which is required for synchronizing with the M365 tenant and completing the Onboarding. | Onboarding only | This permission is only required during onboarding and can be removed after onboarding. In addition, the Enterprise application created on the customer M365 tenant can also be removed. |
| One of the following roles is mandatory for managing the daily replication process that synchronizes Live Platform with the customer tenant's M365 platform. | | | |
| Teams Administrator | Manages the Microsoft Teams service (runs Teams PowerShell), creates voice routes and manages users. This role consolidates both the Teams Telephony Administrator and Skype for Business Administrator roles. | Onboarding and Day Two | Used for daily replication. Mandatory, unless you use Skype for Business Administrator and Teams Telephony Administrator together instead, as below. |
| OR | | | |
| Teams Telephony Administrator and Skype for Business Admin | Manages voice and telephony features for the Microsoft Teams service. It allows the administrator to manage all calling and meeting features (SIP trunk, phone numbers and Direct Routing features) within Microsoft Teams. This includes the configuration of all calling and meeting policies in Skype for Business Online as well.¹ | Onboarding and Day Two | Used for daily replication. Optional: used together with Skype for Business Administrator as an alternative to Teams Administrator. Microsoft Teams was built on Skype for Business, and Live Platform still uses legacy cmdlets that require that role to replicate properly: Teams still relies on old Skype for Business PowerShell commands, and Live Platform uses PowerShell commands to get and/or set users, groups and group members. |
| The following roles are required for Automatic DNS provisioning of the initial Site Location (SIP Connection) and for adding additional sites. | | | |
| Domain Name Administrator | Creates a unique M365 custom sub-domain using the fully Automatic DNS option in the onboarding wizard.² | Onboarding | This permission is only required during onboarding of the token with Automatic DNS. It can be removed after onboarding and added again at a later stage when adding a new site with a unique DNS sub-domain. |
| User Administrator | Creates a user with a Phone System license (M365 Activation user) during onboarding (Microsoft requirement).³ | Onboarding | This permission is only required during onboarding of the token with Automatic DNS. It can be removed after onboarding and added again at a later stage when adding a new site with a unique DNS sub-domain. |
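The table above is effectively a least-privilege decision table: one of two alternative role sets is always needed for replication, while the remaining roles are needed only while a specific onboarding or site-provisioning step runs. The following is an added example, not code from the Live Platform documentation or product, that encodes those rules to report which roles a registration is missing for a given stage and which onboarding-only roles can be removed again; role names come from the table ("Skype for Business Administrator" is used as the full name of "Skype for Business Admin"), and the stage names and sample role assignments are constructed for illustration.

```python
# Added example (not from the Live Platform documentation): audits the Microsoft
# Entra roles in the table above for least privilege. Role names come from the
# table ("Skype for Business Administrator" is the full name of "Skype for
# Business Admin"); the stage flags and sample assignments are constructed.

# Either of these role sets satisfies the daily-replication requirement.
REPLICATION_ALTERNATIVES = (
    {"Teams Administrator"},
    {"Teams Telephony Administrator", "Skype for Business Administrator"},
)
# Needed only to create the registration automatically (Onboarding only).
AUTO_REGISTRATION_ROLES = {"Application Administrator"}
# Needed only while Automatic DNS provisions a site (Onboarding, or Day Two
# when a new site with a unique DNS sub-domain is added).
AUTO_DNS_ROLES = {"Domain Name Administrator", "User Administrator"}


def required_roles(stage, automatic_registration=False, automatic_dns=False):
    """Roles that must be assigned for the given stage, excluding the
    either/or replication group, which is checked separately."""
    required = set()
    if stage == "onboarding" and automatic_registration:
        required |= AUTO_REGISTRATION_ROLES
    if automatic_dns:  # initial site during onboarding, or a new site later
        required |= AUTO_DNS_ROLES
    return required


def audit_roles(assigned, stage, automatic_registration=False, automatic_dns=False):
    """Return (missing, removable) for a collection of assigned role names.

    missing:   roles the stage still needs (the replication group is reported
               once, as one either/or entry)
    removable: roles the table marks as onboarding-only that are still
               assigned during Day Two and can be dropped until next needed
    """
    assigned = set(assigned)
    missing = required_roles(stage, automatic_registration, automatic_dns) - assigned
    if not any(alt <= assigned for alt in REPLICATION_ALTERNATIVES):
        missing.add("Teams Administrator (or Teams Telephony Administrator "
                    "+ Skype for Business Administrator)")
    removable = set()
    if stage == "day_two":
        # Application Administrator is never needed after onboarding; the DNS
        # roles are needed again only while a new site is being provisioned.
        removable |= assigned & AUTO_REGISTRATION_ROLES
        if not automatic_dns:
            removable |= assigned & AUTO_DNS_ROLES
    return missing, removable
```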