Create Application Registration in Microsoft Cloud Tenant Portal#

Overview#

This procedure registers VOSS Automate as an application object in Microsoft Entra, adds a client secret and/or a certificate (for authentication with the Microsoft identity platform), configures API permissions, creates, exports, and uploads a self-signed certificate, and adds VOSS Automate to the Exchange administrator role.

The application object describes VOSS Automate to Microsoft Entra, allowing the Microsoft Entra service to issue authentication tokens to the VOSS Automate service.

Note

If you’re integrating with Microsoft Exchange, you must use a certificate for authentication. You can generate the certificate within Automate (see Generate a Certificate for Application Registration), or import an existing certificate and have Automate manage it (see Upload a Certificate to use for App Registration).

The diagram describes the tasks involved in the app registration:

@startuml
'Create application registration in MS Cloud
!include style.iuml
start
:[[../src/user/register-voss-app-in-azure.html#step-1-register-application-with-microsoft-entra Register VOSS Automate as an application with MS Entra]];
:[[../src/user/register-voss-app-in-azure.html#step-2-configure-microsoft-graph-authentication Configure MS Graph authentication method]];
note right
 Two authentication methods (use either, or both):
   * [[../src/user/register-voss-app-in-azure.html#add-certificate-authentication Certificate authentication]]
   * [[../src/user/register-voss-app-in-azure.html#add-client-secret-authentication Client secret authentication]]
end note
:[[../src/user/register-voss-app-in-azure.html#step-3-add-microsoft-graph-api-permissions Add MS Graph API and application permissions]];
:[[../src/user/register-voss-app-in-azure.html#step4-add-teams-admin-role Add Teams Administrator role]];
stop
@enduml

Important

When performing this task, take note of the following values, which you’ll need to set up the tenant connection in VOSS Automate:

  • Directory (tenant) ID (Tenant ID field in VOSS Automate)

  • Application (client) ID (Client ID field in VOSS Automate)

  • Client secret (Secret field in VOSS Automate)

You can retrieve your Tenant and Client IDs from Microsoft Entra at any time. But you’ll need to save your client secret in a secure location because it will be exposed only once. From a security perspective, treat these values as if they were administrative login credentials.

Step 1: Register VOSS Automate as an application with Microsoft Entra#

This step registers your application (VOSS Automate in this case) as an application in Microsoft Entra to all Microsoft Graph to access Microsoft Entra.

  1. Use your Global Administrator credentials to sign into the Microsoft Entra admin center .

  2. Choose the tenant where you want to register the VOSS Automate application.

    Note

    If you have access to multiple tenants, use the Directory + Subscription filter in the toolbar to choose the relevant tenant.

  3. Select Microsoft Entra service.

    Note

    Locate the service via Favorites > Microsoft Entra, or locate it in All services.

  4. Expand Microsoft Entra, then go to Applications > App registrations, and select New registration.

  5. Enter a name for your application, for example “VOSS Automate”.

    Note

    Your application users may see this name. You can change it later.

  6. Select Accounts in this organization only.

    Note

    You can ignore the Redirect URI section.

  7. Click Register.

Next steps

Step 2: Configure Microsoft Graph Authentication#

This step configures Microsoft Graph authentication.

There are two authentication methods available for Microsoft Graph. You can add either of these authentication methods, or use both:

Note

Microsoft’s recommendation is to use certificate authentication for Microsoft Graph. A client secret takes precedence, if used; else, the certificate authentication is used (if available). Only the certificate authentication can be used if you’re integrating with Microsoft Exchange.

Add Client Secret Authentication#

  1. In the Microsoft Entra admin center , at App Registrations, choose the VOSS Automate application created in step 1, then go to Manage > Certificates & secrets and on the Client secrets tab, select New client secret.

  2. On the Add a client secret form, add a description, and choose an expiry option.

  3. Click Add.

    ../../_images/MSFT_4d57ce16a05261c5.png

    Important

    Make a note of the client secret and keep it in a safe location. You won’t be able to retrieve it if you lose it, and you need this value to set up VOSS Automate.

    If you lose the client secret you’ll have to delete it and repeat the steps for creating a new one.

    ../../_images/MSFT_bd385bd6a357b048.png

Next steps

Add a second authentication method (optional), or go to Step 3: Add Microsoft Graph API Permissions

Add Certificate Authentication#

This procedure adds and exports a self-signed certificate public key in VOSS Automate, and uploads the certificate to Microsoft Entra. See also Generate a Certificate for Application Registration

  1. As a customer admin or higher, log in to the VOSS Automate Admin Portal.

  2. Go to (default menus) Administration Tools > Certificate Management.

  3. Click Add; then, fill out certificate details.

    1. On the Base tab:

      • Fill out a name and a description for the certificate.

      • Clear (unset) the Generate Certificate Signing Request checkbox to ensure no certificate signing request is generated. Disabling this option will ensure that the certificate will be self-signed.

      • In Valid To specify a value, in seconds, to define the validity period of the certificate from the time from generation. The default value is 315360000 seconds (10 years).

      • In Serial Number, choose a value or leave the default.

      • In Key Length, input a value of 2048 or greater for Microsoft Entra to accept the certificate for authentication.

    2. On the Certificate Information tab, fill out details for the certificate, including the name of the host being authenticated by the certificate, country code, state, city, organization, and organization unit.

      Note

      All fields are mandatory.

  4. Save the certificate.

  5. Click Action > Export Public Key to export a file containing the public key.

  6. Log in to the Microsoft Entra admin center , then go to Certificates & secrets.

  7. On the Certificates tab, click Upload certificate, then browse to the certificate you exported from the VOSS Automate Admin Portal.

    Note

    When configuring the tenant parameters in Automate and you select the certificate,

    You will need the tenant ID and client ID from Microsoft Entra to configure the Microsoft tenant connection parameters. The thumbprint is auto-populated in the tenant settings once you select the certificate.

Related Topics

Next steps

Step 3: Add Microsoft Graph API Permissions#

  1. In the Microsoft Entra admin center , go to Manage > API permissions > Add a permission.

    ../../_images/MSFT_f24dc7cfff59dc11.png
  2. Select Microsoft Graph.

    ../../_images/MSFT_e6d39996937914ef.png
  3. (Mandatory) Select Application permissions, then select all of the following permissions:

    Why required?

    Permission and description

    Allows Automate to manage Microsoft Entra objects (functionality required by a user).

    • User.Read.All

      List MS Entra users, retrieve user properties (such as Usage Location), and license details.

    • Organization.Read.All

      List Microsoft subscribed SKUs (used and available licenses), and retrieve details (such as service plans).

    For adding, viewing, and managing MS Teams (teams and team members), including assigning users to groups.

    • Team.Create

      Create teams

    • TeamMember.ReadWrite.All

      Create and edit team members.

    • Group.Read.All

      Read all groups.

    • Group.ReadWrite.All

      Required for Automate to be able to delete (remove) Teams.

    • GroupMember.ReadWrite.All

      Add, update, or delete groups and manage memberships.

    For managing Microsoft Teams channels in VOSS Automate.

    • Channel.ReadBasic.All

      Read channel names and descriptions.

    • Channel.Create

      Create channels in any team.

    • Channel.Delete.All

      Delete channels in any team.

    Domain permissions

    • Domain.Read.All

      Read all domain properties.

    Licensing permissions

    • LicenseAssignment.ReadWrite.All

      Assign and manage licenses.


  4. Click Add permissions.

    ../../_images/MSFT_dc4125b9da140c75.png
  5. To grant admin consent for the selected permissions, go to Configured permissions > Grant admin consent for <your tenant>, and click Yes to confirm.

    The status of selected permissions changes from Not granted to Granted.

    ../../_images/MSFT_50379baa9a20837f.png

Next steps

Step 4: Add Roles#

This procedure assigns the Teams Administrator role and the Exchange Administrator role to the application.

Note

You’ll need to assign the Exchange Administrator role only if you’re using Microsoft Exchange.

Pre-requisites:

  • Authorize the app in the relevant Microsoft tenant to add Central App to your tenant: https://login.microsoftonline.com/common/adminconsent?client_id={client_ID}

Note

From Automate 24.1, only Microsoft 365 Global Admins or User Admins will be able to create and manage resource accounts. The following roles will no longer have “user create” permissions on resource accounts:

  • Teams Administrator

  • Teams Communications Administrator

  • Teams Telephony Administrator

Organizations using these Teams roles will require administrators with the “user create” permission, such as Microsoft 365 Global Admin or User Admin, in order to create and manage resource accounts.

Assign the Teams Administrator Role to the App

  1. Go to the Entra ID section of the Microsoft Azure Portal: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview

  2. Navigate to Roles & Administrators.

    ../../_images/CentralAppRegistration_html_43f36466abbbb69d.png
  3. Search for Teams Administrator.

    ../../_images/CentralAppRegistration_html_a68bfc492999833e.png
  4. Open Teams Administrator, then click Add Assignments.

    ../../_images/CentralAppRegistration_html_706a6147e0a14df0.png
  5. Select No member selected.

    ../../_images/CentralAppRegistration_html_9563d320e64047dc.png
  6. Search for VOSS, then select the checkbox for VOSS Automate App.

    ../../_images/CentralAppRegistration_html_9a6e3ab314819adb.png
  7. Click Next; then, at Enter justification, fill out a reason for the assignment in the text field.

    Note

    You can add any description in this field.

    ../../_images/CentralAppRegistration_html_7a82226406fc258b.png
  8. Click Assign.

    The new role assignment may take a few minutes to complete before it appears in the assignment list (Teams Administrator | Assignments).

Assign the Exchange Administrator Role to the App

Note

You’ll need to assign the Exchange Administrator role only if you’re using Microsoft Exchange.

  1. Go to the Entra ID section of the Microsoft Azure Portal: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview

  2. Navigate to Roles & Administrators.

    ../../_images/CentralAppRegistration_html_43f36466abbbb69d.png
  3. Search for Exchange Administrator.

  4. Open Exchange Administrator, then click Add Assignments.

  5. Select No member selected.

  6. Search for VOSS, then select the checkbox for VOSS Automate App.

  7. Click Next.

  8. At Enter justification, fill out a reason for the assignment in the text field.

    Note

    You can add any description in this field.

  9. Click Assign.

    The new role assignment may take a few minutes to complete before it appears in the assignment list.