.. _microsoft-overview:

Introduction to Microsoft UC integration
-----------------------------------------


.. index:: Flowchart;Microsoft Overview

.. _25.4|VOSS-1470:


Overview 
.........


This section introduces Microsoft Unified Communications (UC) integration with Automate. 

Automate provides an interface for managing Microsoft users and services,
either as a stand-alone, Microsoft-only implementation, or as part of a multi-vendor
implementation.

Automate can be used to manage multiple applications within Microsoft's
UC stack, including: 

* Microsoft Entra ID
* Microsoft Teams
* Exchange Online
* On-premises Active Directory



The flowchart provides a high level workflow for the
Microsoft solution in Automate. 

.. rubric:: Microsoft Overview Flowchart

.. include:: microsoft-overview.uml


.. rubric:: Related topics

* :ref:`microsoft-quick-start`
* :ref:`microsoft-device-mgt`
* :ref:`ms-tenant-setup`
* :ref:`concepts-ms-licenses`
* :ref:`concepts-intro-ms-dialplan-management`
* :ref:`ms-tenant-dialplan`
* *Introduction to Microsoft Teams policies* in the Core Feature Guide
* :ref:`overbuild-msft`
* :ref:`model-filter-criteria`
* :ref:`flow-through-provisioning`



Devices for Microsoft UC application setup 
.................................................

The following devices must be configured for Microsoft UC application setup (authentication, authorization,
and PowerShell):

* :ref:`ms-graph-api`
* :ref:`windows-pshell-and-ps-proxy-servers`
* :ref:`device-microsoft-teams`
* :ref:`device-ms-exchange-online`



.. _ms-graph-api:

Microsoft Graph API
''''''''''''''''''''''

Automate communicates with Microsoft Entra using Microsoft Graph API. Registering Automate as an 
application object in Microsoft Entra provides authentication and authorization for Automate.

Microsoft Graph API offers:  
   
* Simplicity
* No requirement for an intervening proxy
* Lower latency
* Secure authentication options
* Granular permissions management

As the Microsoft Graph API matures, Automate can easily be updated to leverage new Graph functionality - new 
templates can be added, and existing ones can be updated. Template updates can be deployed with
no downtime or service impact.


.. _windows-pshell-and-ps-proxy-servers:

PowerShell proxy server 
''''''''''''''''''''''''''''''''''''''''''''''''''''

Automate communicates with the Microsoft Teams Portal and Microsoft Exchange Online via a PowerShell service
installed on the proxy server. Once enabled, the service provides a management API for administrative tasks:

* Session Management: List, monitor, and terminate PowerShell listener sessions
* Certificate Management: List, sync, upload, and verify certificates
* User Management: Create, list, update, and delete users
* Error Handler Configuration: View and update error handling rules
* Log retrieval: Get logs by execution ID or session ID
* Persistent config: Memory tuning, concurrency limits (global and per-customer),
  session settings (idle reaper, max session age), and container memory limit

For command line management, refer to the PowerShell topic in the Platform Guide.

.. _device-microsoft-teams:

Microsoft Teams 
'''''''''''''''''

Automate uses the PowerShell service and the Microsoft Teams PowerShell module to manage settings for 
end users, services, device policies, and telephony in Microsoft Teams. 

The PowerShell service authenticates to Microsoft Teams through an *application registration*.


.. _device-ms-exchange-online:

Microsoft Exchange Online 
''''''''''''''''''''''''''

Automate uses the PowerShell service and Microsoft's Exchange Online PowerShell module to
manage user mailboxes, shared mailboxes, room mailboxes, and distribution groups in Microsoft Exchange Online.

Automate employs *app-only authentication* for Microsoft Exchange Online, requiring a 
certificate and private key installed on the PowerShell proxy.

For *app-only authentication*, you will need to create an X.509 certificate with a private key, then
install the certificate and private key on the PowerShell proxy server. Automate can create this certificate
for the Microsoft tenant setup, upload it to the PowerShell proxy server, install it, and
update the thumbprint in the tenant data. Only the public certificate is exported from Automate and imported
into Microsoft Entra; the private key remains on the PowerShell proxy server.

The certificate can also be imported from the customer into Automate. 

During the registration of the Automate application object with Microsoft Entra, upload the 
certificate (public key only), assign Exchange Online API permissions, and an appropriate 
RBAC role to the application: 

* Automate requires the following Microsoft Entra permission: ``Exchange.ManageAsApp``

  This permission allows a registered application to access Exchange Online resources.

* Automate requires the following role-based access control (RBAC) role: ``Exchange Administrator``

  Users with this role have global permissions within Microsoft Exchange Online and can create and 
  manage all Microsoft 365 groups, manage support tickets, and monitor service health.

  .. note:: 

     For custom administrator user roles, ensure the associated access profile (access profile type 
     ``device/msexchangeonline/*``) allows for all operations on all Microsoft Exchange models. 
   
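The certificate lifecycle described above, as an added PowerShell example that is not Automate's own code: it generates the signing certificate on the proxy, exports the private key (PFX) for the proxy and the public certificate (CER) for the Entra application registration, checks that the public export carries no private key, and finally verifies the app-only session with the Exchange Online PowerShell module. The application ID, tenant domain, file paths and validity period are assumed values.

```powershell
# Added example (not part of the Automate documentation or product code).
# Assumed values: app registration ID, tenant initial domain, paths, validity.
$AppId      = '00000000-0000-0000-0000-000000000000'   # assumed: Automate app registration (client) ID
$TenantName = 'contoso.onmicrosoft.com'                # assumed: tenant's initial domain
$PfxPath    = 'C:\certs\automate-exo.pfx'              # assumed: cert + private key, stays on the proxy
$CerPath    = 'C:\certs\automate-exo.cer'              # assumed: public cert only, uploaded to Entra

# 1. Generate a 2048-bit RSA signing certificate with an exportable private key in the
#    local machine store; the proxy service account must be able to read the private key.
$cert = New-SelfSignedCertificate `
    -Subject 'CN=Automate Exchange Online app-only' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy Exportable `
    -KeySpec Signature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2)

# 2. Export the password-protected PFX for the proxy and the public-only CER for Entra.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $CerPath | Out-Null

# 3. The thumbprint is the value the tenant data in Automate must reference.
$Thumbprint = $cert.Thumbprint
Write-Host "Thumbprint to record in the tenant data: $Thumbprint"

# 4. Confirm the CER really carries no private key before it leaves the proxy,
#    and that it is the same certificate that was just installed.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
if ($public.HasPrivateKey)             { throw 'Public export unexpectedly contains a private key' }
if ($public.Thumbprint -ne $Thumbprint) { throw 'Exported certificate does not match the store' }

# 5. After the CER is uploaded to the app registration, Exchange.ManageAsApp has admin
#    consent and the Exchange Administrator role is assigned, verify the app-only session.
#    Requires the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint `
    -Organization $TenantName -ShowBanner:$false
Get-EXOMailbox -ResultSize 1 | Select-Object DisplayName, PrimarySmtpAddress
Disconnect-ExchangeOnline -Confirm:$false
```

Run step 5 only after the registration steps are complete; a failed ``Connect-ExchangeOnline`` at that point almost always means the CER was not uploaded, ``Exchange.ManageAsApp`` lacks admin consent, or the role assignment is missing, rather than a problem with the certificate itself.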

.. rubric:: Related topics 
   
* :ref:`access-profile-operations`
* `App-only authentication \| Microsoft Docs <https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps>`_.



PowerShell service concurrency and session settings
'''''''''''''''''''''''''''''''''''''''''''''''''''''

Server settings, including concurrency limits and session settings, are modified from the command line.
Refer to the settings details in the PowerShell topic of the Platform Guide.



Outbound Internet Proxy
''''''''''''''''''''''''''

Some organizations require all traffic outbound to the public Internet (including traffic 
to Microsoft 365 tenants) to traverse an outbound Internet proxy server 
for audit logging and, optionally, authentication.



Microsoft Entra
''''''''''''''''''''''''''

Automate uses the Microsoft Graph API at https://graph.microsoft.com over TCP port
443 to interact with Microsoft Entra.

Microsoft's application registration process provides authentication and
authorization services for Automate. 

You can configure the permissions granted to the Automate application 
based on the management use cases for which Automate has been designated. For example, you can
grant permission to Automate to manage end user license assignments, or
you can withhold that permission (in which case Automate will only be
able to view existing license assignments, limiting the Automate
workflows available to you). 



