App Registration

Introduction

This topic describes how to set up shared central application (app) registration authentication for Microsoft Graph, Microsoft Teams PowerShell, and Microsoft Exchange PowerShell, for a new Microsoft tenant. This task includes assigning permissions and roles.

Your authentication methods and permissions come from the central app registration. Roles must be assigned to the app registration manually.

When you add a new tenant and wish to use Microsoft Exchange, you must either generate a certificate or import an existing certificate and have Automate manage it. Automate pushes the certificate to the PowerShell proxy.

Note

Microsoft requires that you use app registration for authentication. If you wish to use basic authentication with service account credentials, please contact VOSS support for assistance. Until Microsoft implements changes to their resource account infrastructure, basic auth is required to create, update, and delete resource accounts. List (import/sync) of resource accounts is supported with app registration authentication in Automate 24.1.

About Shared Central App Registration

In shared central app registration, either VOSS (for hosted and general customers) or a Service Provider Partner (in a reseller environment), builds and maintains the app registration in their Microsoft Entra ID tenant, and performs organizational and application validation with Microsoft.

Users from multiple tenants/Entra ID organizations are allowed to leverage the application.

VOSS or the Service Provider Partner (SPP) provides the customer with an admin grant link, for example, https://login.microsoftonline.com/common/adminconsent?client_id={client-id}.

The customer clicks on the link and agrees, using their Global Admin user. Then they need to assign the Teams and Exchange Administrator roles to the application, like any other user in Entra ID.

VOSS or the SPP maintains the certificate and/or secrets securely, and ensures that they’re added to VOSS when renewal is required.

Once updated, PowerShell proxies automatically receive the updated certificates from VOSS Automate. These settings are maintained at a global or reseller level in VOSS Automate, with customer/tenant-level overrides, if required.

Configure Shared Central App Registration

This procedure configures Central App Auth and assigns the Teams Administrator role and the Exchange Administrator role (if you’re using MS Exchange) to the app.

  1. Authorize the app in the relevant Microsoft tenant to add Central App to your tenant (VOSS hosted app):

    https://login.microsoftonline.com/common/adminconsent?client_id=bbaa714a-a571-4d13-a6e1-4758621b7460

  2. Assign the Teams Administrator role and the Exchange Administrator role to the app:

    1. Go to the Entra ID section of the Microsoft Azure Portal:

      https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview

    2. Navigate to Roles & Administrators.

    3. Search for Teams Administrator.

    4. Open Teams Administrator, then click Add Assignments.

    5. Select No member selected.

    6. Search for VOSS, then select the checkbox for VOSS Automate App.

    7. Click Next.

    8. At Enter justification, fill out a reason for the assignment in the text field.

      Note

      You can add any description in this field.

    9. Click Assign.

      The new assignment may take a few minutes to complete before it appears in the assignment list (Teams Administrator | Assignments).

    10. Repeat step 2 from the Teams Administrator | Assignments page, but this time search for the Exchange Administrator role.

  3. Install the certificate on the VOSS Automate server.

    Note

    If you’re using VOSS (hosted) Central App, the certificate is already installed.

  4. Configure the VOSS Automate Microsoft tenant to use the customer Tenant ID for which you granted consent earlier, along with the App ID (Client ID) and certificate as necessary.

    For example, for VOSS Central App customers:

    • App Name: VOSS Automate Central App

    • Client Id: bbaa714a-a571-4d13-a6e1-4758621b7460

    • App Created Date Time: 6/4/2024 3:24:31 PM

    • CertificateThumbprint: 2BF36F11BE9317C9217BE6847BEDXXXXXXXXXXXX
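The following Microsoft Graph PowerShell script is an added verification example, not part of the VOSS Automate documentation or product. Run it as an admin of the customer tenant after steps 1 and 2 to confirm that admin consent created a service principal for the app and that exactly the Teams Administrator and Exchange Administrator roles are assigned to it; it assumes the Microsoft.Graph SDK is installed, and the default Client ID is the VOSS hosted Central App ID quoted above.

```powershell
# Added example: verify the consent and role assignment steps of this procedure.
# Assumes the Microsoft.Graph PowerShell SDK; sign in as an admin of the customer tenant.
param(
    # Client ID of the VOSS hosted Central App as given in this procedure; change for your own app.
    [string]$ClientId = 'bbaa714a-a571-4d13-a6e1-4758621b7460',
    [string[]]$ExpectedRoles = @('Teams Administrator', 'Exchange Administrator')
)

# Read-only scopes are enough to inspect service principals and role assignments.
Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

# Step 1 check: granting admin consent creates a service principal for the app in this tenant.
$sp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
if (-not $sp) {
    Write-Warning "No service principal for appId $ClientId - admin consent has not been granted in this tenant."
    return
}
Write-Host "Service principal: $($sp.DisplayName) (objectId $($sp.Id))"

# Step 2 check: list every directory role assignment held by the service principal and
# resolve the role names from the role definitions (no hard-coded template IDs).
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'"
$roleDefs    = Get-MgRoleManagementDirectoryRoleDefinition -All
$assignedNames = foreach ($a in $assignments) {
    ($roleDefs | Where-Object Id -eq $a.RoleDefinitionId).DisplayName
}

foreach ($role in $ExpectedRoles) {
    if ($assignedNames -contains $role) {
        Write-Host "OK      $role"
    } else {
        Write-Warning "MISSING $role (assign it under Entra ID > Roles & Administrators)"
    }
}

# Least-privilege check: flag any role beyond the two this procedure calls for.
$extra = $assignedNames | Where-Object { $_ -and ($ExpectedRoles -notcontains $_) }
if ($extra) {
    Write-Warning "Additional roles assigned to the app: $($extra -join ', ')"
}
```

A new role assignment can take a few minutes to appear, so rerun the script if a role you just assigned is reported as missing.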