Overview
A safe and secure way to automatically admit VTC rooms into Teams meetings.
Prerequisites
- Azure and Microsoft Teams admin rights
- Service Account with Microsoft Teams User License with Multi-factor Authentication disabled
- Username and Password for the service account
Azure Configuration
- In Azure navigate to Communication Services
- Click Create
- Select your Azure subscription and Resource Group, create a Resource Name for this service and select the data location. If you do not have a Resource Group, create one by clicking "Create New".
- A new App Registration is required with the following API permissions:
  - Azure Communication Services
    - Teams.ManageCalls
    - Teams.ManageChats
  - Microsoft Graph
    - OnlineMeetings.Read.All (Application Permission)
    - openid (Delegated Permission)
    - User.Read (Present by Default)
    - User.Read.All (Application Permission)
- Under the Authentication section, ensure that "Allow public client flows" is turned on.
The phrase "collecting plaintext passwords" refers to the plaintext password being retrievable by permitted and authenticated users in Azure/Entra AD to allow for configuration of apps. The password is then stored encrypted/hashed and transported over TLS v1.3. No plaintext passwords are stored or passed by the application.
- Create a new secret for the app registration.
- Copy the Application (client) ID and Directory (tenant) ID. Keep the secret, application ID and directory ID in a temporary notepad to be given to your integrator at the end.
- Navigate to Keys and copy Connection string.
- Provide the information from steps 8 and 9 to your integrator.
Microsoft Teams Policy
To apply/grant the policy access, you need to add the App Registration to the Global policy. To do this, you will need the Application (Client) ID, or you will need to provide it to your Microsoft Teams Admin.
You can find Microsoft's guide on installing the Microsoft Teams Module here.
To set or add policies, you need to be able to run commands using the MicrosoftTeams module in PowerShell.
- Import the Microsoft Teams module into PowerShell by running the following command:
Import-Module MicrosoftTeams
- Connect to Microsoft Teams backend using:
Connect-MicrosoftTeams
- Check whether any pre-existing policies or apps are assigned to Global or to any other existing policies by running:
Get-CsApplicationAccessPolicy
- To add the new app registration so that Microsoft Teams Lobby Auto Admit can function, there are two options:
  - If you have any application IDs listed in Global, you will need to use an alternative method, as performing Grant-CsApplicationAccessPolicy will replace everything in Global with the application IDs from the policy you have applied to it.
    - Instead of creating a new policy, you can add an additional app registration to an existing policy by running the following:
      Set-CsApplicationAccessPolicy -Identity <your_access_policy> -AppIds @{Add="<applicationid>"}
      You can use this to add the new application ID directly to Global if you do not have any other application access policies but have previously granted applications directly to Global.
    - After adding the new application ID to an application access policy, you will need to grant the application access policy to Global by running the following:
      Grant-CsApplicationAccessPolicy -PolicyName <your_access_policy> -Global
  - The following is only to be used when there are no other application access policies in place and you need to create a new one.
    - To create a new policy, run the following command:
      New-CsApplicationAccessPolicy -Identity ssky_lobby -AppIds <applicationid>
    - Then grant the new policy at the global level by running the following:
      Grant-CsApplicationAccessPolicy -PolicyName ssky_lobby -Global
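The two options above, combined into one script that reads the current Global policy first so that existing application IDs are not replaced by accident. This is an added example, not the vendor's own code: the `$ExistingPolicy` and `$Apply` parameters are hypothetical names, and it assumes `Get-CsApplicationAccessPolicy` returns objects with `Identity` and `AppIds` properties.

```powershell
# Added example (not vendor code): pick the add-vs-create path from the current state.
# $ExistingPolicy and $Apply are hypothetical parameter names for this sketch.
param(
    [Parameter(Mandatory)] [string] $AppId,   # Application (client) ID of the new app registration
    [string] $ExistingPolicy,                 # <your_access_policy>, if one is already granted to Global
    [string] $NewPolicyName = 'ssky_lobby',   # policy name used on this page
    [switch] $Apply                           # without -Apply the script only reports what it would do
)

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Record the state before any change so it can be audited or restored later.
$policies = @(Get-CsApplicationAccessPolicy)
$policies | Select-Object Identity, AppIds | Format-List

# App IDs currently listed in Global (empty array when none are listed).
$globalPolicy = $policies | Where-Object { $_.Identity -eq 'Global' }
$globalIds    = @($globalPolicy.AppIds | Where-Object { $_ })

if ($globalIds -contains $AppId) {
    Write-Host "$AppId is already listed in Global; nothing to do."
}
elseif ($globalIds.Count -gt 0) {
    # Global already lists other apps: add to the existing policy instead of replacing it.
    $target = if ($ExistingPolicy) { $ExistingPolicy } else { 'Global' }
    Write-Host "Global lists $($globalIds.Count) app ID(s); adding $AppId to '$target'."
    if ($Apply) {
        Set-CsApplicationAccessPolicy -Identity $target -AppIds @{Add = $AppId}
        if ($ExistingPolicy) {
            Grant-CsApplicationAccessPolicy -PolicyName $ExistingPolicy -Global
        }
    }
}
else {
    # No app IDs in Global: creating and granting a new policy displaces nothing.
    Write-Host "Global lists no app IDs; creating '$NewPolicyName' and granting it to Global."
    if ($Apply) {
        New-CsApplicationAccessPolicy -Identity $NewPolicyName -AppIds $AppId
        Grant-CsApplicationAccessPolicy -PolicyName $NewPolicyName -Global
    }
}

# Verify the result: the new ID should be present and the earlier IDs still listed.
if ($Apply) { Get-CsApplicationAccessPolicy | Select-Object Identity, AppIds | Format-List }
```

Run it once without `-Apply` to review the planned change and the recorded policy state, then again with `-Apply`.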