For Teams creation, CAM requires the creation of a Service Account in M365. The required permission roles for the service account are outlined in the table below. When a Team is created, the owner of the Team (unless specified otherwise) will be the service account.
In order for CAM to integrate with Microsoft Graph notifications, you need to register your app with the Microsoft Identity Platform to support Microsoft accounts and assign the API permissions that are required.
For the creation of a Planner tab, Microsoft requires that the delegated/service account user be a member of the team. However, to build a team, there must be an appointed owner. Because of this requirement, you need an additional service account so that you can switch to it to create a planner. This additional service account should follow the same permission roles as outlined below.
Configure and register CAM using the App registrations experience in the Azure portal, where you can integrate the CAM app with the Microsoft identity platform and call Microsoft Graph.
1. Navigate to the Azure portal and sign in.
2. If you have access to your tenant, select your account in the top right corner, and set your portal session to the Azure AD tenant.
3. In the left-hand navigation pane, select the Azure Active Directory service.
4. Select App Registrations.
5. Select New registration. The following screen opens:
6. Specify a meaningful application name that will be displayed to users of the app.
7. Supported account types: select one of the following options:
   Accounts in this organizational directory only (Single Tenant): Maps to an Azure AD only single-tenant app. Single-tenant apps are only available in the tenant they were registered in.
   Accounts in any organizational directory (Any Azure AD directory - Multitenant): Maps to an Azure AD only multi-tenant app. Multi-tenant apps are available to users in both the tenant they were registered in and other tenants.
Redirect URI (Optional): Specify the type of app and provide the redirect URI (or reply URL) for your application.
8. Click Register to add your app.
9. To enable your application to identify and authenticate itself when obtaining auth tokens, you can either upload your own certificate or create a new client secret by going to Certificates & Secrets in the Azure portal.
The following screen shows a sample of Certificates & Secrets in the Azure portal.
Configuring MS Teams Access control
The following permissions will need to be enabled in the Azure Portal:
1. Go to Azure Active Directory.
2. Select the Registered App.
3. Click on API permissions in the left sidebar. The following screen opens:
4. To configure new permissions, click on + Add a permission.
5. Under Microsoft APIs, select Microsoft Graph. The following screen opens:
6. Select Delegated and Application Permissions.
7. Click on Add permissions and select Grant admin consent for <global admin user>.
For more information on the Application and Delegated permissions, click here.
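After admin consent is granted, a token issued to the registered app shows which permissions actually took effect. The following is an added example, not part of CAM or its documentation: it decodes a Microsoft identity platform access token for inspection and reports permissions that are missing or granted beyond what was intended. The permission names in `EXPECTED_APPLICATION` and `EXPECTED_DELEGATED` are placeholders (assumptions) to be replaced with the values from the permission table, and the sample token is constructed.

```python
import base64
import json

# Placeholder permission names (assumption): replace with the values from the
# CAM permission table. They are real Graph permission names used as sample data.
EXPECTED_APPLICATION = {"Group.ReadWrite.All", "User.Read.All"}
EXPECTED_DELEGATED = {"Group.ReadWrite.All"}


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_permissions(token: str, expected_app: set, expected_delegated: set) -> dict:
    """Compare the permissions carried by a token with the expected sets.

    Delegated permissions appear in 'scp' (space-separated string);
    application permissions appear in 'roles' (list) on app-only tokens.
    """
    claims = decode_claims(token)
    if "scp" in claims:  # token issued on behalf of a signed-in user
        kind, granted, expected = "delegated", set(claims["scp"].split()), expected_delegated
    else:                # app-only token (client credentials)
        kind, granted, expected = "application", set(claims.get("roles", [])), expected_app
    return {
        "kind": kind,
        "tenant": claims.get("tid"),
        "missing": sorted(expected - granted),  # consent not granted or not applied
        "excess": sorted(granted - expected),   # broader than intended: review and remove
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    sample = make_sample_token({"tid": "00000000-0000-0000-0000-000000000000",
                                "roles": ["Group.ReadWrite.All", "Directory.ReadWrite.All"]})
    print(audit_permissions(sample, EXPECTED_APPLICATION, EXPECTED_DELEGATED))
```

An entry under `excess` means the registration holds a permission that was not intended, which is worth removing in API permissions before the service account goes into use.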