(source: Microsoft DEV Center).
Log in to your Azure portal, open the Azure AD App for the Appliance (OE Appliance) and follow these steps:
- Select Expose an API under Manage. Select the Set link to generate the Application ID URI in the form of api://{AppID}.
  Insert the fully qualified domain name of the OfficeExpert Appliance (with a forward slash "/" appended to the end) between the double forward slashes and the GUID.
  The entire ID should have the form of: api://fully-qualified-domain-name.com/{AppID}
  ex: api://subdomain.example.com/c6c1f32b-5e55-4997-881a-753cc1d563b7
Note
If you get an error saying that the domain is already owned but you own it, follow the procedure at Quickstart: Add a custom domain name to Azure Active Directory to register it, and then repeat this step. (This error can also occur if you are not signed in with the credentials of an admin in the Office 365 tenancy.)
- Select the Add a scope button. In the panel that opens, enter access_as_user as the Scope name.
- Set Who can consent? to Admins
- Fill in the fields for configuring the admin and user consent prompts with values that are appropriate for the access_as_user scope. Suggestions:
  - Admin consent title: Teams can access the user’s profile
  - Admin consent description: Allows Teams to call the app’s web APIs as the current user
- Ensure that State is set to Enabled
- Select Add scope
  The domain part of the Scope name displayed just below the text field should automatically match the Application ID URI set in the previous step, with /access_as_user appended to the end. For example:
  api://subdomain.example.com/c6c1f32b-5e55-4997-881a-753cc1d563b7/access_as_user
- In the Authorized client applications section, you can identify the applications that you want to authorize to your app’s web application. You need to enter each of the following IDs:
  - 1fec8e78-bce4-4aaf-ab1b-5451cc387264 (Teams mobile/desktop application)
  - 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 (Teams web application)
Note
Please clear all caches to avoid possible issues.
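The following Python check is an added example, not part of the original page and not panagenda or Microsoft code: it audits an exported app registration against the steps above. It assumes the registration is available as JSON shaped like the Microsoft Graph application resource (identifierUris, api.oauth2PermissionScopes, api.preAuthorizedApplications); the audit_app function, the scope id and the sample data are constructed for illustration.

```python
import re

# Assumption: input is shaped like the Microsoft Graph application resource.
# The two Teams client IDs the steps above say to authorize.
TEAMS_CLIENTS = {
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264": "Teams mobile/desktop",
    "5e3ce6c0-2b1f-4285-8d4b-75ee78787346": "Teams web",
}
SCOPE = "access_as_user"
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def audit_app(app, fqdn):
    """Return findings for one app registration; an empty list means it matches."""
    findings = []
    app_id = app.get("appId", "")
    if not GUID_RE.fullmatch(app_id):
        findings.append("appId is not a GUID")
    expected = f"api://{fqdn}/{app_id}".lower()
    if expected not in (u.lower() for u in app.get("identifierUris", [])):
        findings.append(f"Application ID URI is not {expected}")
    api = app.get("api", {})
    scope = next((s for s in api.get("oauth2PermissionScopes", [])
                  if s.get("value") == SCOPE), None)
    if scope is None:
        return findings + [f"scope {SCOPE} is missing"]
    if not scope.get("isEnabled"):
        findings.append(f"scope {SCOPE} is not enabled")
    if scope.get("type") != "Admin":
        findings.append("Who can consent? is not set to Admins")
    granted = {p.get("appId"): p.get("delegatedPermissionIds", [])
               for p in api.get("preAuthorizedApplications", [])}
    for cid, name in TEAMS_CLIENTS.items():
        if scope.get("id") not in granted.get(cid, []):
            findings.append(f"{name} client {cid} is not authorized for {SCOPE}")
    for cid in sorted(set(granted) - set(TEAMS_CLIENTS)):
        findings.append(f"review additional authorized client {cid}")
    return findings

# Constructed sample: the page's example values, with a made-up scope id.
SCOPE_ID = "00000000-0000-0000-0000-000000000001"
GOOD = {
    "appId": "c6c1f32b-5e55-4997-881a-753cc1d563b7",
    "identifierUris": ["api://subdomain.example.com/c6c1f32b-5e55-4997-881a-753cc1d563b7"],
    "api": {
        "oauth2PermissionScopes": [{"id": SCOPE_ID, "value": SCOPE, "type": "Admin", "isEnabled": True}],
        "preAuthorizedApplications": [{"appId": c, "delegatedPermissionIds": [SCOPE_ID]} for c in TEAMS_CLIENTS],
    }}
if __name__ == "__main__":
    print(audit_app(GOOD, "subdomain.example.com") or "registration matches the steps")
```

Client applications listed beyond the two Teams IDs are reported for review rather than treated as errors, since the page leaves the choice of authorized clients to the administrator.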
ACE Bot - Azure Deployment - Optional
If you upgrade your panagenda OfficeExpert installation from version 2.x to 3.x or if you are using an on-prem installation, and you want to get notifications from the OfficeExpert ACE App, you have to manually deploy the ACE Bot according to the following knowledge base article:
ACE Bot — Azure Deployment.
For Azure deployment: Please add the following rule to the network security group (oe-secgroup):
For on-prem deployment: Make sure that inbound TCP port 4443 to https://{officeexpert fqdn}:4443/bot/messages is allowed.