(source: Microsoft DEV Center).

The following tasks are only necessary if you have manually created the Azure AD application for OfficeExpert (not using the automatic registration process on the Analytics Settings page).

Log in to your Azure portal , open the Azure AD App for the Appliance  (OE Appliance) and follow these steps:

  1. Select Expose an API under Manage. Select the Set link to generate the Application ID URI in the form of api://{AppID}.
    Insert your fully qualified domain name of the OfficeExpert Appliance (with a forward slash "/" appended to the end) between the double forward slashes and the GUID.
    The entire ID should have the form of: 

  2. Select the Add a scope button. In the panel that opens, enter access_as_user as the Scope name

  3. Set Who can consent? to Admins

  4. Fill in the fields for configuring the admin and user consent prompts with values that are appropriate for the access_as_user scope. Suggestions:
    • Admin consent title: Teams can access the user’s profile
    • Admin consent description: Allows Teams to call the app’s web APIs as the current user

  5. Ensure that State is set to Enabled

  1. Select Add scope

    The domain part of the Scope name displayed just below the text field should automatically match the Application ID URI set in the previous step, with /access_as_user appended to the end. For example:


  1. In the Authorized client applications section, you can identify the applications that you want to authorize to your app’s web application. You need to enter each of the following IDs:
    • 1fec8e78-bce4-4aaf-ab1b-5451cc387264 (Teams mobile/desktop application)
    • 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 (Teams web application)


Please clear all caches to avoid possible issues.

ACE Bot - Azure Deployment - Optional

If you upgrade your panagenda OfficeExpert installation from version 2.x to 3.x or if you are using an on-prem installation,  and you want to get notifications from the OfficeExpert ACE App, you have to manually deploy the ACE Bot according to the following knowledge base article: 
ACE Bot — Azure Deployment.

If you cannot follow the steps described under Azure Deployment in the Basic Setup section of the Setup Guide, you will have to perform the following steps to set up the ACE Bot for OfficeExpert:

 Please ensure that all Network and Firewall - Requirements are met!

  1. Access shell.azure.com and log in as Azure tenant administrator. Alternatively, you can also use Azure CLI.

  2. Clone this repository by executing:
    git clone https://github.com/panagenda/oe-on-az.git; cd oe-on-az

  3. Set the subscription ID accordingly (Azure Subscription you want to use):

    az account set --subscription <subscription id>

    Example: az account set --subscription "12345678-9ABC-DEF1-234-56789ABCDEF1"

  4. OPTIONAL — only required if you run your OfficeExpert appliance on-premises!
    Create resource group in Azure (we recommend to use the default name: "pana-oe-rg")

    az group create --name  <resource-group> --location <location> --subscription <subscription id>

    Example: az group create --name  "pana-oe-rg" --location "westeurope" --subscription "12345678-9ABC-DEF1-234-56789ABCDEF1"

  5. Execute the following command to create the ACE Bot:

    ./create-bot.sh <resource-group> <location> <dns name of the appliance>

    Example: ./create-bot.sh "pana-oe-rg" "westeurope" "officeexpert.at.your-company.com"

  6. Continue with Configure the ACE Bot in Azure Portal (bottom of the page) → Configure ACE Bot in Azure Portal

For Azure deployment: Please add the following rule to the network security group (oe-secgroup):

For on prem deployment: Make sure that inbound TCP port 4443 to https://{officeexpert fqdn}:4443/bot/messages  is allowed