Upgrading to OC Essentials Plus or OC Pro
Upgrading from OC Essentials to OC Essentials Plus or OC Pro enables you to manage the customer M365 platform, including Microsoft Teams phone functionality, from Live Platform. Customer consent to access their M365 platform is obtained through an application registration (Enterprise Application) that is created on their Azure portal. After the connection is established, you can onboard Direct Routing and manage their M365 environment, including Teams Phone, from Live Platform.
The App Registration provides the following advantages:

- Seamless Operation: Allows Live Platform to authenticate and access M365 resources without requiring user sign-in. This is especially useful when running the Background Replication process for synchronizing the customer service portal configuration with the customer tenant Microsoft 365 platform, enabling it to run seamlessly without disruption of service due to user session timeouts.
- Enhanced Security: The use of client credentials (Application client ID and secret) provides a more secure mechanism than the user token. In cases where more than one service is deployed for each Azure tenant, separate secrets can be created for each service.
- Scalability: The Live Platform Multitenant can process a large number of requests across multiple tenants without disruption of service due to expired tokens or token refresh.
Securing the connection using Application Registration is only relevant for Hosted Essentials Plus and Hosted Pro customers.
The table below describes the Administrator roles required for management of the Enterprise application.
| Role | Purpose | Deployment Stage | Validation Conditions |
|---|---|---|---|
| Application Administrator (prerequisite for automatic registration creation only) | Automatically creates the Enterprise app on the customer Azure tenant, which is required for synchronizing with the M365 tenant and securing the completion of the onboarding. | Onboarding Only | This permission is only required during onboarding and can be removed after onboarding. In addition, the Enterprise application created on the customer M365 tenant can also be removed. |
| One of the following roles is mandatory for managing the Daily replication process to synchronize Live Platform with the customer tenant M365 platform. | | | |
| Teams Administrator | Manages the Microsoft Teams service (runs Teams PowerShell), creates voice routes and manages users. This role consolidates both the Teams Telephony Administrator and Skype for Business Admin roles. | Onboarding and Day Two | Used for daily replication. Mandatory, unless you use Skype for Business Administrator and Teams Telephony Administrator together instead, as below. |
| OR | | | |
| Teams Telephony Administrator and Skype for Business Admin | Manages voice and telephony features for the Microsoft Teams service. It allows the administrator to manage all calling and meetings features (SIP trunk, phone numbers, and direct routing features) within Microsoft Teams. This includes the configuration of all calling and meeting policies in Skype for Business Online as well. | Onboarding and Day Two | Used for daily replication. Optional to use together with Skype for Business Admin. Because Microsoft Teams was built on Skype for Business, Live Platform still uses legacy cmdlets that require that role to replicate properly. Teams still relies on old Skype for Business commands in PowerShell. Live Platform uses PowerShell commands to get and/or set the users, groups and group members. |
| The following roles are required for Automatic DNS provisioning for the initial Site Location (SIP Connection) and for adding additional sites. The permissions shown below are relevant for the Direct Routing service only. | | | |
| Domain Name Administrator | Creates a unique M365 custom sub-domain using the fully Automatic DNS option in the onboarding wizard. | Onboarding | This permission is only required during onboarding of the token with Automatic DNS. This permission can be removed after the onboarding, and then added again at a later stage when adding a new site with a unique DNS sub-domain. |
| User Administrator | Creates a user with a phone system license (M365 Activation user) while onboarding (requirement of Microsoft). | Onboarding | This permission is only required during onboarding of the token with Automatic DNS. This permission can be removed after the onboarding, and then added again at a later stage when adding a new site with a unique DNS sub-domain. |

The following table describes the API permissions that are set for the automatic Application Registration creation or that you must add if you create the registration manually.
| API Permission | Description |
|---|---|
| AppCatalog.ReadWrite.All | Read and write to all app catalogs |
| Group.Read.All | Read all groups |
| Organization.Read.All | Read organization information |
| TeamSettings.ReadWrite.All | Read and change all teams' settings |
| User.ReadWrite.All | Read and write all users' full profile |
| RoleManagement.Read.Directory | Read all directory RBAC settings |

The Application Registration can be created using one of the following methods:

- Create using the Invitation wizard (Create Application Registration using the Invitation wizard)
- Create manually on the customer Azure portal (Create App Registration Manually (Optional))

To upgrade:

1. Do one of the following:
   - In the Tenants page, select the desired lead, click …, and choose Convert License Type.
   - In the Multitenant portal All Services page, search for the service and select Upgrade.

   The Onboarding wizard opens.
2. Click Next. The Onboarding wizard opens.
3. Select the relevant license type: OC Essentials Plus or OC Pro.
4. Select the number of licensed users. A maximum of 500 users can be configured per customer.
5. Under M365 Authentication, establish the secure connection with the customer M365 tenant platform using one of the following options:
   - Select the Send link to IT administrator for authentication option to automatically create an application registration using an Invitation wizard. Enter the email address of the Channel tenant admin as shown in the figure above. An email including a link to the Invitation wizard is sent to the Channel. See Create Application Registration using the Invitation wizard.
   - Select the Use known App Registration option to enter the credentials of a manually created application registration (Microsoft Tenant ID, Application (Client) ID and Secret) on the customer M365 tenant. See Create App Registration Manually (Optional), and then click Next.
6. After you enter the registration credentials using one of the above methods, the tenant Application registration credentials are validated and a confirmation message is displayed. Click Next.
7. The following confirmation screen with 'Success' status indicates that the tenant has been successfully upgraded. Close the screen.
8. Navigate to the Tenants page and note that the license has been upgraded.
9. Return to the All Services page and notice that the tenant is deployed.
10. Open the Live Platform portal Services page and select the check box adjacent to the service. Note that the License Type 'Pro' is displayed in the Details pane.
11. Click the SIP Connections tab to view the details of the new SIP Connection created for the service (see SIP Connections Management).
12. From the Operator Connect drop-down, choose Edit Service. The Users page of the Service portal opens.
13. Navigate to the Microsoft 365 Settings page (Configuration > M365 Configuration).
14. Verify that the tenant has successfully authenticated with the M365 platform. Click Validate Authentication to perform manual authentication.
15. If you created a QOE application registration for enabling QOE Integration with Microsoft Teams, enter the details of the Application registration (see Add Microsoft Teams Device (Direct Routing)).
16. Open the Azure portal and in the Navigation pane, select App Registrations.
17. Search for your new Application Registration, and then in the Navigation pane, select Manage > API permissions. View the new permissions created by the automatic script.
18. In the search box in the Menu bar, type Microsoft Entra Roles and administrators.
19. Search for the specific roles to add or remove according to the table above.
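
The review in the last three steps can be scripted as a least-privilege check against the two tables on this page. The following is an added example, not code from Live Platform or its documentation: the permission and role names are taken from the tables above, while the function names, the input shape (plain lists of names copied from the portal) and the sample data are assumptions.

```python
# Added example: allow-lists copied from the tables on this page.
DOCUMENTED_API_PERMISSIONS = {
    "AppCatalog.ReadWrite.All", "Group.Read.All", "Organization.Read.All",
    "TeamSettings.ReadWrite.All", "User.ReadWrite.All",
    "RoleManagement.Read.Directory",
}
# Roles the table marks as removable once onboarding is finished.
ONBOARDING_ONLY_ROLES = {
    "Application Administrator", "Domain Name Administrator",
    "User Administrator",
}
# Daily replication needs either the single role or both split roles.
TEAMS_ADMIN = {"Teams Administrator"}
SPLIT_ADMIN = {"Teams Telephony Administrator",
               "Skype for Business Administrator"}


def audit_permissions(granted):
    """Compare granted API permissions with the documented set."""
    granted = set(granted)
    return {
        "missing": sorted(DOCUMENTED_API_PERMISSIONS - granted),
        "unexpected": sorted(granted - DOCUMENTED_API_PERMISSIONS),
    }


def audit_roles(assigned, onboarding_complete):
    """Return findings for the assigned directory roles."""
    assigned = set(assigned)
    findings = []
    if not (TEAMS_ADMIN <= assigned or SPLIT_ADMIN <= assigned):
        findings.append("replication role missing")
    if onboarding_complete:
        for role in sorted(assigned & ONBOARDING_ONLY_ROLES):
            findings.append(f"onboarding-only role still assigned: {role}")
    known = ONBOARDING_ONLY_ROLES | TEAMS_ADMIN | SPLIT_ADMIN
    for role in sorted(assigned - known):
        findings.append(f"role not in the documented table: {role}")
    return findings


# Constructed sample data (not real tenant output).
SAMPLE_GRANTED = ["AppCatalog.ReadWrite.All", "Group.Read.All",
                  "Organization.Read.All", "TeamSettings.ReadWrite.All",
                  "User.ReadWrite.All", "Directory.ReadWrite.All"]
SAMPLE_ROLES = ["Teams Telephony Administrator", "Application Administrator"]

if __name__ == "__main__":
    print(audit_permissions(SAMPLE_GRANTED))
    print(audit_roles(SAMPLE_ROLES, onboarding_complete=True))
```

An "unexpected" permission or a lingering onboarding-only role is the finding to act on, since the table states those roles can be removed after onboarding.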