Introduction to Microsoft UC integration#

Overview#

This section introduces Microsoft Unified Communications (UC) integration with Automate.

Automate provides an interface for managing Microsoft users and services, either as a stand-alone, Microsoft-only implementation, or as part of a multi-vendor implementation.

Automate can be used to manage multiple applications within Microsoft’s UC stack, including:

  • Microsoft Entra ID

  • Microsoft Teams

  • Exchange Online

  • On-premises Active Directory

  • Skype for Business Server

  • Exchange Server

The flowchart provides a high-level workflow for the Microsoft solution in Automate.

Microsoft Overview Flowchart

@startuml
'Introduction to Microsoft UC Integration Flowchart
!include style.iuml
start
:[[../src/user/microsoft-device-mgt.html Microsoft UC application setup]];
:[[../src/user/config-automate-for-ms-services.html Configure Automate for Microsoft services]];
fork
:[[../src/user/sync-ms-users-to-sites.html#sync-to-site-with-flow-through-provisioning Sync to site with flow through]];
fork again
:[[../src/user/sync-ms-users-to-sites.html#sync-to-customer-then-to-site Sync to customer then to site]];
end fork
:[[../src/user/ms-subscribers.html Manage Microsoft subscribers]];
@enduml

Devices for Microsoft UC application setup#

The following devices must be configured for Microsoft UC application setup (authentication, authorization, and PowerShell proxy):

Microsoft Graph API#

Automate communicates with Microsoft Entra using Microsoft Graph API. Registering Automate as an application object in Microsoft Entra provides authentication and authorization for Automate.

Microsoft Graph API offers:

  • Simplicity

  • No requirement for an intervening proxy

  • Lower latency

  • Secure authentication options

  • Granular permissions management

As the Microsoft Graph API matures, Automate can easily be updated to leverage new Graph functionality: new templates can be added, and existing ones can be updated. Template updates can be deployed with no downtime or service impact.

Windows PowerShell and PowerShell proxy servers#

Automate communicates with the Microsoft Teams Portal and Microsoft Exchange Online via PowerShell Proxy, allowing enforcement of authentication and authorization in two places:

  • On the PowerShell proxy

  • In the Microsoft 365 tenant

At least one Windows computer is needed as a PowerShell proxy server.

Automate manages Microsoft Teams and Microsoft Exchange Online via PowerShell proxy servers, which execute remote PowerShell cmdlets.

The table describes how PowerShell proxies may be used to manage on-premises or cloud-based applications:

On-premises apps: Join the PowerShell proxy server to the domain under management. If using Automate to manage multiple on-premises customer domains, add at least one domain-joined PowerShell proxy for each domain.

Cloud-based apps: Use a PowerShell proxy server to manage multiple Microsoft 365 tenants. A PowerShell proxy that manages only cloud-based applications can optionally be configured as a workgroup server.

For Microsoft apps management, Automate uses Windows PowerShell to create separate PowerShell sessions via the PowerShell proxy servers for each application managed for a specific customer tenant or domain.

All PowerShell sessions for a customer can be hosted by the same PowerShell proxy server, or you can configure a separate server for each session. Optionally, these PowerShell proxy servers may be dedicated exclusively for this purpose.

The PowerShell proxy setup script that ships with Automate installs or updates PowerShell to the required version. Refer to Run PowerShell proxy server setup script.

Microsoft Teams#

Automate uses the PowerShell proxy server and the Microsoft Teams PowerShell module to manage settings for end users, services, device policies, and telephony in Microsoft Teams.

PowerShell scripts authenticate to Microsoft Teams through an application registration.

Basic authentication and credentials linked to a service account in the tenant are used to provision resource accounts in Microsoft Teams.

You must assign at minimum the following role to the service account used for managing Microsoft Teams:

Role: Teams Administrator

Description: Provides full access to all Microsoft Teams, manages service requests, and monitors service health.

Use cases:

  • List MS Teams users

  • Retrieve Teams user identity, attributes, and assigned policies

  • Update MS Teams user attributes and assigned policies

  • Enable / disable Enterprise Voice for MS Teams users

  • Create, read, update and delete MS Teams policies

  • Create, read, update, and delete MS Teams Enterprise Voice configuration, including Voice Routing Policies, PSTN Usages, Voice Routes, PSTN Gateways, and Tenant Dialplans

  • Create, read, update, and delete MS Teams Call Queues and Teams Auto Attendants

  • Create, read, update, and delete MS Teams endpoints, including Teams Phones, Common Area Phones, Collaboration Bars, and Teams Rooms

Microsoft Exchange Online#

Automate uses the PowerShell proxy server and Microsoft’s Exchange Online PowerShell module to manage user mailboxes, shared mailboxes, room mailboxes, and distribution groups in Microsoft Exchange Online.

Automate employs app-only authentication for Microsoft Exchange Online, requiring a certificate and private key installed on the PowerShell proxy.

For app-only authentication, you will need to create an X.509 certificate with a private key, then install the certificate and private key on the PowerShell proxy server. Automate can create this certificate for the Microsoft tenant setup, upload it to the PowerShell proxy server, install it, and update the thumbprint in the tenant data. The public key is exported from Automate and imported into Microsoft Entra.

The certificate can also be imported from the customer into Automate.

During the registration of the Automate application object with Microsoft Entra, upload the certificate (public key only) and assign Exchange Online API permissions and an appropriate RBAC role to the application:

  • Automate requires the following Microsoft Entra permission: Exchange.ManageAsApp

    This permission allows a registered application to access Exchange Online resources.

  • Automate requires the following role-based access control (RBAC) role: Exchange Administrator

    Users with this role have global permissions within Microsoft Exchange Online and can create and manage all Microsoft 365 groups, manage support tickets, and monitor service health.

    Note

    For custom administrator user roles, ensure the associated access profile (access profile type device/msexchangeonline/*) allows for all operations on all Microsoft Exchange models.
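The following is an added example, not Automate's own certificate tooling, showing the manual variant of the certificate setup above: generating the app-only key pair on the PowerShell proxy, exporting only the public key for the Entra app registration, and proving the app-only Exchange Online connection with a read-only call. The tenant name, app (client) ID, subject name and export folder are placeholders, and the ExchangeOnlineManagement module is assumed to be installed on the proxy.

```powershell
# Added example (not Automate's own scripts). Run in an elevated PowerShell
# session on the PowerShell proxy server. All values below are placeholders.
$TenantName = 'contoso.onmicrosoft.com'               # placeholder tenant
$AppId      = '00000000-0000-0000-0000-000000000000'  # placeholder app (client) ID
$Subject    = 'CN=Automate-ExchangeOnline-AppOnly'    # assumed certificate subject
$ExportDir  = 'C:\AutomateCerts'                      # assumed export folder

# 1. Key pair in the machine store. NonExportable keeps the private key on this
#    proxy only; if Automate must later install the same certificate on other
#    proxies, use -KeyExportPolicy Exportable and a password-protected PFX instead.
$cert = New-SelfSignedCertificate -Subject $Subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeySpec KeyExchange -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(1)

# 2. Public key only (DER-encoded .cer) for upload to the app registration in
#    Microsoft Entra. The private key never leaves the certificate store.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$cerPath = Join-Path $ExportDir 'automate-exo-apponly.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 3. Values the Microsoft tenant configuration needs: the thumbprint, plus the
#    expiry date for your renewal calendar (nothing renews this automatically).
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    PublicKey  = $cerPath
}

# 4. After the .cer is uploaded and Exchange.ManageAsApp plus the Exchange
#    Administrator role are assigned, verify app-only authentication with a
#    read-only call, then drop the session again.
Import-Module ExchangeOnlineManagement
try {
    Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $cert.Thumbprint `
        -Organization $TenantName -ShowBanner:$false
    'App-only connection OK for organization: {0}' -f (Get-OrganizationConfig).Name
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```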

PowerShell proxy deployment topologies#

PowerShell proxy server domain membership#

PowerShell proxy servers may be joined to a Microsoft Entra domain.

Domain membership is required if you’re using Automate to manage or extract data from any on-premises component, such as Skype for Business Server, on-premises Microsoft Entra, or on-premises Exchange Server.

Domain membership is optional in all other scenarios.

Redundancy and load-balancing#

Deploying two or more PowerShell proxy servers provides redundancy. PowerShell proxy servers can be scaled and made highly available by interposing a load balancer between Automate and the PowerShell proxy servers.

Load balancer requirements

The load balancer:

  • Must forward incoming HTTP and HTTPS requests on TCP ports 5985 and 5986

  • Must forward incoming SSH/SCP requests on TCP port 22

  • Must be configured in “IP Affinity” mode so that all incoming requests from a specific IP address are preferentially routed to the same PowerShell proxy. This is done to maintain the integrity of HTTP sessions that can consist of multiple HTTP requests.

When deploying Automate as a multi-node cluster and the load balancer is configured in “IP Affinity” mode, each unified node will have all its requests routed to the same PowerShell proxy.

A properly configured load balancer will distribute the overall load from all the unified nodes across the deployed PowerShell proxy servers. When a PowerShell proxy goes out of service the load balancer will route incoming traffic to the surviving servers, bypassing the failed one.
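As an added check that is not part of the Automate product, the script below verifies the three load balancer requirements listed above from a client host: that TCP ports 5985, 5986 and 22 are reachable on the virtual IP and on each backend proxy, and that repeated remote PowerShell calls through the virtual IP are all served by the same proxy (IP affinity). The VIP name, proxy names and credential are placeholders, and the backend WinRM certificates are assumed to include the VIP name, as they must for Automate's own HTTPS connections.

```powershell
# Added example (not Automate's own tooling). Placeholders below; run from a
# host that reaches the load balancer the same way the Automate nodes do.
$Vip        = 'psproxy-lb.example.internal'                                  # placeholder VIP FQDN
$Proxies    = @('psproxy01.example.internal', 'psproxy02.example.internal')  # placeholder backends
$Ports      = @(5985, 5986, 22)   # WinRM HTTP, WinRM HTTPS, SSH/SCP as required above
$Credential = Get-Credential -Message 'Account permitted to run remote PowerShell on the proxies'

# 1. Port reachability: every required port must answer on the VIP and on each
#    backend, otherwise the balancer is hiding a partly broken proxy.
$portReport = foreach ($target in (@($Vip) + $Proxies)) {
    foreach ($port in $Ports) {
        $open = (Test-NetConnection -ComputerName $target -Port $port `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ Target = $target; Port = $port; Open = $open }
    }
}
$portReport | Format-Table -AutoSize
$closed = $portReport | Where-Object { -not $_.Open }
if ($closed) { Write-Warning ('Closed ports: ' + (($closed | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', ')) }

# 2. IP affinity: several sessions from this single client IP through the VIP
#    must all land on the same backend. Each call returns the serving host name.
$served = 1..5 | ForEach-Object {
    Invoke-Command -ComputerName $Vip -Port 5986 -UseSSL -Credential $Credential `
        -ScriptBlock { $env:COMPUTERNAME }
}
$distinct = @($served | Sort-Object -Unique)
if ($distinct.Count -eq 1) {
    "IP affinity OK: all {0} requests served by {1}" -f $served.Count, $distinct[0]
} else {
    Write-Warning ("IP affinity NOT in effect: requests were served by " + ($distinct -join ', '))
}
```

Run the affinity part a second time from a different client address to confirm that the balancer still spreads distinct sources across the backends.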

Setting up load balancing for a multi-proxy deployment setup

If redundant PowerShell proxies are deployed behind a load balancer, updating the app registration authentication certificate, or pushing future modules from Automate to the PowerShell proxies, requires additional steps:

  1. In the Microsoft tenant configuration, set the PowerShell proxy address directly to the first PowerShell proxy and select the updated certificate.

  2. Save the configuration.

  3. Confirm the update and connection works via the first proxy with a test connection via the transaction log.

  4. Return to the tenant configuration, set the second proxy address, and save the configuration.

  5. Confirm the update and connection works via the second proxy with a test connection via the transaction log.

  6. Repeat with any additional proxies.

  7. Once all proxies are confirmed as updated and functional, return the PowerShell proxy address to the load balancer’s FQDN, and save the configuration.

  8. Test the connection.

Outbound Internet Proxy#

Some organizations require all traffic outbound to the public Internet (including traffic to Microsoft 365 tenants) to traverse an outbound Internet proxy server for audit logging and, optionally, authentication.

Microsoft Entra#

Automate uses the Microsoft Graph API at https://graph.microsoft.com over TCP port 443 to interact with Microsoft Entra.

Microsoft’s application registration process provides authentication and authorization services for Automate.

You can configure the permissions granted to the Automate application based on the management use cases for which Automate has been designated. For example, you can grant permission to Automate to manage end user license assignments, or you can withhold that permission (in which case Automate will only be able to view existing license assignments, limiting the Automate workflows available to you).