Upgrading M365 Connection to Application Registration
Live Platform supports Application Registration authentication for securing the Onboarding of Direct Routing and Operator services instead of using Delegated Token authentication.
You can upgrade a Delegated Token connection from the Microsoft 365 Settings page using the Reinitiate Authentication Flow option. In the example below, the service "auto_tok_plus" is initially secured by the Delegated Token method. When the Reinitiate Authentication Flow option is selected, an email invitation is sent to the customer and the pending invitation link to the new Invitation wizard is displayed. The customer can then create a new Application Registration from the Invitation wizard (see Switching to App Registration).
Alternatively, you can first create the registration manually and then run the Reinitiate Authentication Flow, entering the credentials of that Application Registration (see Create Application Registration Manually (Optional)).
If you have customers still using Password authentication, they must first upgrade to the Delegated Token authentication method (see Upgrading M365 Connection to Delegated Token Authentication) and only then to the Application Registration method.
Live Platform supports Application Registration authentication for securing the connection between Live Platform and
■ Seamless Operation: Allows Live Platform to authenticate and access M365 resources without requiring a user sign-in. This is especially useful for the Background Replication process that synchronizes the customer service portal configuration with the customer's Microsoft 365 tenant, which can then run without service disruption caused by user session timeouts.
■ Enhanced Security: Client credentials (the Application client ID and secret) provide a more secure mechanism than a delegated user token. Where more than one service is deployed on the same Azure tenant, a separate secret can be created for each service, so a secret can be rotated or revoked for one service without affecting the others.
■ Scalability: Live Platform Multitenant can process a large number of requests across multiple tenants without service disruption caused by expired tokens or token refresh.
Securing connection using Application Registration is only relevant for Hosted Essentials Plus and Hosted Pro customers.
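The per-service secret mentioned above, as an added example that is not part of the Live Platform documentation or product code. It uses the Microsoft Graph PowerShell SDK to issue one named, expiring client secret for a given Live Platform service on an existing Application Registration and to list the secrets already present so stale ones can be retired. The registration display name, the service name and the validity period are hypothetical values to be replaced.

```powershell
# Added example (not from the Live Platform documentation): issue a separate,
# expiring client secret per Live Platform service on one Application
# Registration, then list the secrets already on the registration.
# Assumptions: Microsoft.Graph PowerShell SDK is installed; the caller can
# write applications (Application.ReadWrite.All); $AppDisplayName and
# $ServiceName are hypothetical placeholders.
param(
    [string]$AppDisplayName = 'LivePlatform-Connector',   # hypothetical registration name
    [string]$ServiceName    = 'auto_tok_plus',            # Live Platform service this secret is for
    [int]$ValidMonths       = 6                           # keep secrets short-lived
)

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$app = Get-MgApplication -Filter "displayName eq '$AppDisplayName'"
if (-not $app) { throw "Application registration '$AppDisplayName' not found in this tenant." }

# One secret per service, named after the service so it can be revoked on its own
# without touching the secrets used by other services on the same tenant.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "live-platform/$ServiceName"
    EndDateTime = (Get-Date).AddMonths($ValidMonths)
}

# SecretText is returned only at creation time. Hand these values to the
# service's Reinitiate Authentication Flow; do not write the secret to disk or logs.
$entry = [pscustomobject]@{
    ClientId = $app.AppId
    TenantId = (Get-MgContext).TenantId
    SecretId = $cred.KeyId
    Expires  = $cred.EndDateTime
    Secret   = $cred.SecretText
}

# Review the other secrets on the registration. Expired or unnamed ones should be
# removed with: Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId <KeyId>
(Get-MgApplication -ApplicationId $app.Id).PasswordCredentials |
    Select-Object DisplayName, KeyId, StartDateTime, EndDateTime |
    Format-Table -AutoSize

$entry
```

Naming each secret after its service is what makes the "separate secrets per service" benefit usable in practice: when one service is decommissioned or its credentials are suspected leaked, only that KeyId is removed and the other services keep running.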
The tables below describe the Administrator roles required for Onboarding of the service and for Day Two management. After creating the registration, open Microsoft Entra Roles and Administrators and add or remove roles as required.
| Role | Purpose | Deployment Stage | Validation Conditions |
|---|---|---|---|
| Application Administrator (prerequisite for Automatic Registration creation only) | Automatically creates the Enterprise app on the customer Azure tenant, which is required for synchronizing with the M365 tenant and completing the Onboarding. | Onboarding only | Required only during onboarding and can be removed afterwards. The Enterprise application created on the customer M365 tenant can also be removed. |

One of the following roles is mandatory for managing the daily replication process that synchronizes Live Platform with the customer's M365 tenant:

| Role | Purpose | Deployment Stage | Validation Conditions |
|---|---|---|---|
| Teams Administrator | Manages the Microsoft Teams service (runs Teams PowerShell), creates voice routes and manages users. This role consolidates the Teams Telephony Administrator and Skype for Business Administrator roles. | Onboarding and Day Two | Used for daily replication. Mandatory, unless Teams Telephony Administrator and Skype for Business Administrator are assigned together instead (next row). |
| OR: Teams Telephony Administrator and Skype for Business Administrator (assigned together) | Manages voice and telephony features for the Microsoft Teams service: all calling and meeting features (SIP trunk, phone numbers and Direct Routing) within Microsoft Teams, including the configuration of all calling and meeting policies in Skype for Business Online. [1] | Onboarding and Day Two | Used for daily replication as an alternative to Teams Administrator; the two roles must be assigned together. Microsoft Teams was built on Skype for Business, and Live Platform still uses legacy Skype for Business PowerShell cmdlets to get and set users, groups and group members, so the Skype for Business Administrator role is required for replication to work. |

The following roles are required for Automatic DNS provisioning of the initial Site Location (SIP Connection) and for adding further sites. These permissions are relevant for the Direct Routing service only:

| Role | Purpose | Deployment Stage | Validation Conditions |
|---|---|---|---|
| Domain Name Administrator | Creates a unique M365 custom sub-domain when the fully Automatic DNS option is used in the onboarding wizard. [2] | Onboarding | Required only during onboarding with the Automatic DNS option. It can be removed after onboarding and added again later when adding a new site with a unique DNS sub-domain. |
| User Administrator | Creates a user with a Phone System license (the M365 Activation user) during onboarding, as required by Microsoft. [3] | Onboarding | Required only during onboarding with the Automatic DNS option. It can be removed after onboarding and added again later when adding a new site with a unique DNS sub-domain. |
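The role tables above state which roles are onboarding-only and which combination is needed for daily replication; the script below turns those conditions into a check that can be run after onboarding. It is an added example, not part of the Live Platform documentation or product code. It uses the Microsoft Graph PowerShell SDK to list which of the listed Entra directory roles the registration's service principal holds, warns if the Day Two replication condition (Teams Administrator, or Teams Telephony Administrator together with Skype for Business Administrator) is not met, and optionally removes the onboarding-only roles. The service principal display name is a hypothetical placeholder; the role names are the Entra built-in role display names referenced in the tables.

```powershell
# Added example (not from the Live Platform documentation): audit the Entra
# directory roles held by the Application Registration's service principal,
# check the Day Two replication condition from the tables, and (with -Remove)
# strip the onboarding-only roles once onboarding has completed.
# Assumptions: Microsoft.Graph PowerShell SDK is installed; the caller may
# manage role assignments (RoleManagement.ReadWrite.Directory);
# $AppDisplayName is a hypothetical placeholder.
param(
    [string]$AppDisplayName = 'LivePlatform-Connector',   # hypothetical registration name
    [switch]$Remove                                       # actually remove onboarding-only roles
)

Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Application.Read.All'

# Roles from the tables, grouped by when they are needed.
$OnboardingOnlyRoles = @('Application Administrator', 'Domain Name Administrator', 'User Administrator')
$DayTwoRoles         = @('Teams Administrator', 'Teams Telephony Administrator', 'Skype for Business Administrator')

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "Service principal '$AppDisplayName' not found in this tenant." }

# Get-MgDirectoryRole returns only roles that have been activated in the tenant.
# A role that never had any member does not appear, which simply means "not held".
$activeRoles = Get-MgDirectoryRole -All
$held = @{}

foreach ($roleName in ($OnboardingOnlyRoles + $DayTwoRoles)) {
    $role = $activeRoles | Where-Object DisplayName -eq $roleName
    $held[$roleName] = $false
    if ($role) {
        $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
        $held[$roleName] = [bool]($members | Where-Object Id -eq $sp.Id)
    }
    $stage = if ($OnboardingOnlyRoles -contains $roleName) { 'Onboarding only' } else { 'Day Two' }
    Write-Host ('{0,-34} {1,-16} held={2}' -f $roleName, $stage, $held[$roleName])

    # Least privilege after onboarding: drop the roles the tables mark as onboarding-only.
    if ($held[$roleName] -and $Remove -and $stage -eq 'Onboarding only') {
        Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $sp.Id
        Write-Host "  removed '$roleName' from '$AppDisplayName'"
    }
}

# Validation condition for daily replication, as stated in the tables:
# Teams Administrator alone, or Teams Telephony Administrator together with
# Skype for Business Administrator.
$replicationOk = $held['Teams Administrator'] -or
                 ($held['Teams Telephony Administrator'] -and $held['Skype for Business Administrator'])
if (-not $replicationOk) {
    Write-Warning "Daily replication will fail: assign Teams Administrator, or Teams Telephony Administrator together with Skype for Business Administrator."
}
```

Run it without -Remove first to see the current state; re-run with -Remove only after the onboarding wizard has completed. Remember that Domain Name Administrator and User Administrator have to be re-added before adding another site with the Automatic DNS option, as the tables note.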
Once you have created the registration, you can use its credentials to add further Direct Routing services for the same customer (see Securing Connection in Day Two).