Upgrading M365 Connection to Application Registration
Live Platform supports Application Registration authentication for securing the Onboarding of Direct Routing and Operator services instead of using Delegated Token authentication. The Application Registration permission provides the following advantages:
■ Seamless Operation: Allows Live Platform to authenticate and access M365 resources without requiring user sign-in. This is especially useful when running the Background Replication process that synchronizes the customer service portal configuration with the customer tenant's Microsoft 365 platform, enabling it to run seamlessly without disruption of service due to user session timeouts.
■ Enhanced Security: The use of client credentials (Application client ID and secret) provides a more secure mechanism than the user token. In cases where more than one service is deployed for each Azure tenant, separate secrets can be created for each service.
■ Scalability: The Live Platform Multitenant can process a large number of requests across multiple tenants without disruption of service due to expired tokens or token refresh.
Before switching to Application Registration, you must create a new registration on the customer Azure tenant (see Create Application Registration Manually) and extract the Application (Client) ID and client secret. Once created, see Switching to App Registration to upgrade the Token connection for your deployed services from Delegated Token authentication to Application Registration authentication.
If you have customers still using Password authentication, then they must first upgrade to the Token authentication method (see Upgrading M365 Connection to Delegated Token Authentication) and then to the Application Registration method.
Once you create the registration, you can use the credentials for this new registration to add additional Direct Routing services to your customer (see Securing Connection in Day Two).
The table below describes the Administrator roles required for the Onboarding of the service and for Day Two management. After the creation of the registration, access Microsoft Entra Roles and Administrators and add or remove roles as required.
| Role | Purpose | Deployment Stage | Validation Conditions |
|---|---|---|---|
| One of the following roles is mandatory for managing the daily replication process that synchronizes Live Platform with the customer tenant's M365 platform. | | | |
| Teams Administrator | Manages the Microsoft Teams service (runs Teams PowerShell), creates voice routes, and manages users. This role consolidates both the Teams Telephony Administrator and Skype for Business Admin roles. | Onboarding and Day Two | Used for daily replication. Mandatory, unless you use Skype for Business Administrator and Teams Telephony Administrator together instead (see below). |
| OR | | | |
| Teams Telephony Administrator and Skype for Business Admin | Manages voice and telephony features for the Microsoft Teams service. It allows the administrator to manage all calling and meeting features (SIP trunk, phone numbers, and direct routing features) within Microsoft Teams. This includes the configuration of all calling and meeting policies in Skype for Business Online as well. [1] | Onboarding and Day Two | Used for daily replication. Optional, to be used together with Skype for Business Admin. Because Microsoft Teams was built on Skype for Business, Live Platform still uses legacy Skype for Business PowerShell cmdlets that require this role to replicate properly. Live Platform uses PowerShell commands to get and set users, groups, and group members. |
| The following roles are required for Automatic DNS provisioning for the initial Site Location (SIP Connection) and for adding additional sites. | | | |
| Domain Name Administrator | Creates a unique M365 custom sub-domain using the fully Automatic DNS option in the onboarding wizard. [2] | Onboarding | This permission is only required during onboarding of the token with Automatic DNS. It can be removed after onboarding and added again later when adding a new site with a unique DNS sub-domain. |
| User Administrator | Creates a user with a Phone System license (M365 Activation user) during onboarding (a Microsoft requirement). [3] | Onboarding | This permission is only required during onboarding of the token with Automatic DNS. It can be removed after onboarding and added again later when adding a new site with a unique DNS sub-domain. |