Commit e406b2b

Merge pull request #269806 from rcdun/1366176_1343456_clarify_enterprise_application_update_user_roles
1366176 1343456 Clarify enterprise application and update user roles
2 parents 58cf5b8 + 040ef1a commit e406b2b

4 files changed

+73
-50
lines changed


articles/communications-gateway/connect-operator-connect.md

Lines changed: 52 additions & 37 deletions
@@ -5,7 +5,7 @@ author: rcdun
55
ms.author: rdunstan
66
ms.service: communications-gateway
77
ms.topic: integration
8-
ms.date: 02/16/2024
8+
ms.date: 03/22/2024
99
ms.custom:
1010
- template-how-to-pattern
1111
- has-azure-ad-ps-ref
@@ -62,7 +62,7 @@ If you want to set up Teams Phone Mobile and you didn't select it when you deplo
6262
Before starting this step, check that the **Provisioning Status** field for your resource is "Complete".
6363

6464
> [!NOTE]
65-
>This step and the next step ([Assign an Admin user to the Project Synergy application](#assign-an-admin-user-to-the-project-synergy-application)) set you up as an Operator in the Teams Phone Mobile (TPM) and Operator Connect (OC) environments. If you've already gone through onboarding, go to [Find the Object ID and Application ID for your Azure Communication Gateway resource](#find-the-object-id-and-application-id-for-your-azure-communication-gateway-resource).
65+
>This step and the next step ([Assign an Admin user to the Project Synergy application](#assign-an-admin-user-to-the-project-synergy-application)) set you up as an Operator in the Teams Phone Mobile (TPM) and Operator Connect (OC) environments. If you've already gone through onboarding, go to [Find the Application ID for your Azure Communication Gateway resource](#find-the-application-id-for-your-azure-communication-gateway-resource).
6666
6767
The Operator Connect and Teams Phone Mobile programs require your Microsoft Entra tenant to contain a Microsoft application called Project Synergy. Operator Connect and Teams Phone Mobile inherit permissions and identities from your Microsoft Entra tenant through the Project Synergy application. The Project Synergy application also allows configuration of Operator Connect or Teams Phone Mobile and assigning users and groups to specific roles.
6868

@@ -71,14 +71,14 @@ To add the Project Synergy application:
7171
1. Check whether the Microsoft Entra ID (`AzureAD`) module is installed in PowerShell. Install it if necessary.
7272
1. Open PowerShell.
7373
1. Run the following command and check whether `AzureAD` appears in the output.
74-
```azurepowershell
74+
```powershell
7575
Get-Module -ListAvailable
7676
```
7777
1. If `AzureAD` doesn't appear in the output, install the module.
7878
1. Close your current PowerShell window.
7979
1. Open PowerShell as an admin.
8080
1. Run the following command.
81-
```azurepowershell
81+
```powershell
8282
Install-Module AzureAD
8383
```
8484
1. Close your PowerShell admin window.
@@ -88,7 +88,7 @@ To add the Project Synergy application:
8888
1. Scroll down to the Tenant ID field. Your tenant ID is in the box. Make a note of your tenant ID.
8989
1. Open PowerShell.
9090
1. Run the following cmdlet, replacing *`<TenantID>`* with the tenant ID you noted down in step 5.
91-
```azurepowershell
91+
```powershell
9292
Connect-AzureAD -TenantId "<TenantID>"
9393
New-AzureADServicePrincipal -AppId eb63d611-525e-4a31-abd7-0cb33f679599 -DisplayName "Operator Connect"
9494
```
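Review bot: this block still signs in with `Connect-AzureAD` and creates the service principal with `New-AzureADServicePrincipal`, while the "Set up application roles" section later in this same change moves to the `Microsoft.Graph` module, so readers now have to install two modules, one of which (AzureAD) Microsoft has announced it is retiring. Consider migrating this step in the same PR, e.g. `Connect-MgGraph -Scopes "Application.ReadWrite.All" -TenantId "<TenantID>"` followed by `New-MgServicePrincipal -AppId eb63d611-525e-4a31-abd7-0cb33f679599`; the `has-azure-ad-ps-ref` entry under `ms.custom` in the front matter could then be dropped as well.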
@@ -97,7 +97,7 @@ To add the Project Synergy application:
9797
9898
The user who sets up Azure Communications Gateway needs to have the Admin user role in the Project Synergy application. Assign them this role in the Azure portal.
9999
100-
1. In the Azure portal, navigate to **Enterprise applications** using the left-hand side menu. Alternatively, you can search for it in the search bar; it's under the **Services** subheading.
100+
1. In the Azure portal, go to **Microsoft Entra ID** and then **Enterprise applications** using the left-hand side menu. Alternatively, you can search for **Enterprise applications** in the search bar; it's under the **Services** subheading.
101101
1. Set the **Application type** filter to **All applications** using the drop-down menu.
102102
1. Select **Apply**.
103103
1. Search for **Project Synergy** using the search bar. The application should appear.
@@ -108,42 +108,40 @@ The user who sets up Azure Communications Gateway needs to have the Admin user r
108108
109109
[!INCLUDE [communications-gateway-oc-configuration-ownership](includes/communications-gateway-oc-configuration-ownership.md)]
110110
111-
## Find the Object ID and Application ID for your Azure Communication Gateway resource
111+
## Find the Application ID for your Azure Communication Gateway resource
112112
113-
Each Azure Communications Gateway resource automatically receives a [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md), which Azure Communications Gateway uses to connect to the Operator Connect environment. You need to find the Object ID and Application ID of the managed identity, so that you can connect Azure Communications Gateway to the Operator Connect or Teams Phone Mobile environment in [Set up application roles for Azure Communications Gateway](#set-up-application-roles-for-azure-communications-gateway) and [Add the Application IDs for Azure Communications Gateway to Operator Connect](#add-the-application-ids-for-azure-communications-gateway-to-operator-connect).
113+
Each Azure Communications Gateway resource automatically receives a [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md), which Azure Communications Gateway uses to connect to the Operator Connect API. You need to find the Application ID of the managed identity, so that you can connect Azure Communications Gateway to the Operator Connect API in [Set up application roles for Azure Communications Gateway](#set-up-application-roles-for-azure-communications-gateway) and [Add the Application IDs for Azure Communications Gateway to Operator Connect](#add-the-application-ids-for-azure-communications-gateway-to-operator-connect).
114114
115115
1. Sign in to the [Azure portal](https://azure.microsoft.com/).
116-
1. In the search bar at the top of the page, search for your Communications Gateway resource.
117-
1. Select your Communications Gateway resource.
118-
1. Select **Identity**.
119-
1. In **System assigned**, copy the **Object (principal) ID**.
120-
1. Search for the value of **Object (principal) ID** with the search bar. You should see an enterprise application with that value under the **Microsoft Entra ID** subheading. You might need to select **Continue searching in Microsoft Entra ID** to find it.
121-
1. Make a note of the **Object (principal) ID**.
116+
1. If you don't already know the name of your Communications Gateway resource, search for **Communications Gateways** and note the name of the resource.
117+
1. Search for the name of your Communications Resource. You should see an enterprise application with that value under the **Microsoft Entra ID** subheading. You might need to select **Continue searching in Microsoft Entra ID** to find it.
122118
1. Select the enterprise application.
123-
1. Check that the **Object ID** matches the **Object (principal) ID** value that you copied.
119+
1. Check that the **Name** matches the name of your Communications Gateway resource.
124120
1. Make a note of the **Application ID**.
125121
126122
## Set up application roles for Azure Communications Gateway
127123
128124
Azure Communications Gateway contains services that need to access the Operator Connect API on your behalf. To enable this access, you must grant specific application roles to the system-assigned managed identity for Azure Communications Gateway under the Project Synergy Enterprise Application. You created the Project Synergy Enterprise Application in [Add the Project Synergy application to your Azure tenant](#add-the-project-synergy-application-to-your-azure-tenant).
129125
126+
You must carry out this step once for each Azure Communications Gateway resource that you want to use for Operator Connect or Teams Phone Mobile.
127+
130128
> [!IMPORTANT]
131129
> Granting permissions has two parts: configuring the system-assigned managed identity for Azure Communications Gateway with the appropriate roles (this step) and adding the application ID of the managed identity to the Operator Connect or Teams Phone Mobile environment. You'll add the application ID to the Operator Connect or Teams Phone Mobile environment later, in [Add the Application IDs for Azure Communications Gateway to Operator Connect](#add-the-application-ids-for-azure-communications-gateway-to-operator-connect).
132130
133131
Do the following steps in the tenant that contains your Project Synergy application.
134132
135-
1. Check whether the Microsoft Entra ID (`AzureAD`) module is installed in PowerShell. Install it if necessary.
133+
1. Check whether the Microsoft Graph (`Microsoft.Graph`) module is installed in PowerShell. Install it if necessary.
136134
1. Open PowerShell.
137-
1. Run the following command and check whether `AzureAD` appears in the output.
138-
```azurepowershell
135+
1. Run the following command and check whether `Microsoft.Graph` appears in the output.
136+
```powershell
139137
Get-Module -ListAvailable
140138
```
141-
1. If `AzureAD` doesn't appear in the output, install the module.
139+
1. If `Microsoft.Graph` doesn't appear in the output, install the module.
142140
1. Close your current PowerShell window.
143141
1. Open PowerShell as an admin.
144142
1. Run the following command.
145-
```azurepowershell
146-
Install-Module AzureAD
143+
```powershell
144+
Install-Module -Name Microsoft.Graph -Scope CurrentUser
147145
```
148146
1. Close your PowerShell admin window.
149147
1. Sign in to the [Azure portal](https://ms.portal.azure.com/) as a Microsoft Entra Global Administrator.
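Review bot: replacing the Object (principal) ID check with a name check (lines 116+ to 119+) weakens the verification: enterprise application display names are not unique in Microsoft Entra ID, whereas the Object (principal) ID shown on the resource's Identity blade is, so keep the Object ID as the value the reader matches, or at least say what to do when the search returns more than one application. Two smaller points: line 117+ says "Communications Resource" where it means "Communications Gateway resource", and the renamed heading on line 111+ (and the link text that points at it) keeps "Azure Communication Gateway" rather than "Azure Communications Gateway", the name used everywhere else on the page. Also, `Install-Module -Name Microsoft.Graph -Scope CurrentUser` on line 144+ does not need an elevated window, so the "Open PowerShell as an admin" and "Close your PowerShell admin window" steps around it can go or should say why they remain.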
@@ -152,19 +150,19 @@ Do the following steps in the tenant that contains your Project Synergy applicat
152150
1. Scroll down to the Tenant ID field. Your tenant ID is in the box. Make a note of your tenant ID.
153151
1. Open PowerShell.
154152
1. Run the following cmdlet, replacing *`<TenantID>`* with the tenant ID you noted down in step 5.
155-
```azurepowershell
156-
Connect-AzureAD -TenantId "<TenantID>"
153+
```powershell
154+
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All" -TenantId "<TenantID>"
157155
```
158-
1. Run the following cmdlet, replacing *`<CommunicationsGatewayObjectID>`* with the Object ID you noted down in [Find the Object ID and Application ID for your Azure Communication Gateway resource](#find-the-object-id-and-application-id-for-your-azure-communication-gateway-resource).
159-
```azurepowershell
160-
$commGwayObjectId = "<CommunicationsGatewayObjectID>"
156+
If you're prompted to grant permissions for Microsoft Graph Command Line Tools, select **Accept** to grant permissions.
157+
1. Run the following cmdlet, replacing *`<CommunicationsGatewayName>`* with the name of your Azure Communications Gateway resource.
158+
```powershell
159+
$acgName = "<CommunicationsGatewayName>"
161160
```
162161
1. Run the following PowerShell commands. These commands add the following roles for Azure Communications Gateway: `TrunkManagement.Read`, `TrunkManagement.Write`, `partnerSettings.Read`, `NumberManagement.Read`, `NumberManagement.Write`, `Data.Read`, `Data.Write`.
163-
```azurepowershell
162+
```powershell
164163
# Get the Service Principal ID for Project Synergy (Operator Connect)
165164
$projectSynergyApplicationId = "eb63d611-525e-4a31-abd7-0cb33f679599"
166-
$projectSynergyEnterpriseApplication = Get-AzureADServicePrincipal -Filter "AppId eq '$projectSynergyApplicationId'"
167-
$projectSynergyObjectId = $projectSynergyEnterpriseApplication.ObjectId
165+
$projectSynergyEnterpriseApplication = Get-MgServicePrincipal -Filter "AppId eq '$projectSynergyApplicationId'" # "Application.Read.All"
168166
169167
# Required Operator Connect - Project Synergy Roles
170168
$trunkManagementRead = "72129ccd-8886-42db-a63c-2647b61635c1"
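Review bot: line 156+ tells the reader to select **Accept** on the consent prompt without saying what they are consenting to. That prompt grants the Microsoft Graph Command Line Tools enterprise application the delegated `Application.Read.All` and `AppRoleAssignment.ReadWrite.All` permissions requested on line 154+; say so, and mention that the grant can be reviewed or revoked afterwards under **Enterprise applications**, so an administrator doing this once is not left with a standing grant they did not intend. Minor: line 157+ says "Run the following cmdlet", but `$acgName = "<CommunicationsGatewayName>"` is a variable assignment, not a cmdlet.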
@@ -174,14 +172,31 @@ Do the following steps in the tenant that contains your Project Synergy applicat
174172
$numberManagementWrite = "752b4e79-4b85-4e33-a6ef-5949f0d7d553"
175173
$dataRead = "eb63d611-525e-4a31-abd7-0cb33f679599"
176174
$dataWrite = "98d32f93-eaa7-4657-b443-090c23e69f27"
177-
178175
$requiredRoles = $trunkManagementRead, $trunkManagementWrite, $partnerSettingsRead, $numberManagementRead, $numberManagementWrite, $dataRead, $dataWrite
179-
180-
foreach ($role in $requiredRoles) {
181-
# Assign the relevant Role to the managed identity for the Azure Communications Gateway resource
182-
New-AzureADServiceAppRoleAssignment -ObjectId $commGwayObjectId -PrincipalId $commGwayObjectId -ResourceId $projectSynergyObjectId -Id $role
176+
177+
# Locate the Azure Communications Gateway resource by name
178+
$acgServicePrincipal = Get-MgServicePrincipal -Filter ("displayName eq '$acgName'")
179+
180+
# Assign the required roles to the managed identity of the Azure Communications Gateway resource
181+
$currentAssignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $acgServicePrincipal.Id
182+
foreach ($appRoleId in $requiredRoles) {
183+
$assigned = $currentAssignments | Where-Object { $_.AppRoleId -eq $AppRoleId }
184+
if (-not $assigned) {
185+
$params = @{
186+
principalId = $acgServicePrincipal.Id
187+
resourceId = $projectSynergyEnterpriseApplication.Id
188+
appRoleId = $appRoleId
189+
}
190+
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $acgServicePrincipal.Id -BodyParameter $params
191+
}
183192
}
184-
193+
194+
# Check the assigned roles
195+
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $acgServicePrincipal.Id
196+
```
197+
1. To end your current session, disconnect from Microsoft Graph.
198+
```powershell
199+
Disconnect-MgGraph
185200
```
186201
187202
## Provide additional information to your onboarding team
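Review bot: `Get-MgServicePrincipal -Filter ("displayName eq '$acgName'")` on line 178+ has no guard for zero or multiple matches. Display names are not unique, so a second application with the same name leaves `$acgServicePrincipal.Id` as an array (or `$null` after a typo), and `New-MgServicePrincipalAppRoleAssignment` then fails or targets the wrong principal. Prefer looking the managed identity up by its object ID (`Get-MgServicePrincipal -ServicePrincipalId "<ObjectID>"`), or add `if (@($acgServicePrincipal).Count -ne 1) { throw "Expected exactly one service principal named $acgName" }` before the assignment loop. The idempotency check against `Get-MgServicePrincipalAppRoleAssignment` is a good addition; `$AppRoleId` on line 183+ differs in case from the loop variable `$appRoleId` (harmless in PowerShell, but worth aligning). Unchanged context line 175 sets `$dataRead` to the same GUID as `$projectSynergyApplicationId` on line 164; that looks like a copy error and is worth confirming while this block is being reworked.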
@@ -207,8 +222,8 @@ Go to the [Operator Connect homepage](https://operatorconnect.microsoft.com/) an
207222
## Add the Application IDs for Azure Communications Gateway to Operator Connect
208223
209224
You must enable Azure Communications Gateway within the Operator Connect or Teams Phone Mobile environment. This process requires configuring your environment with two Application IDs:
210-
- The Application ID of the system-assigned managed identity that you found in [Find the Object ID and Application ID for your Azure Communication Gateway resource](#find-the-object-id-and-application-id-for-your-azure-communication-gateway-resource). This Application ID allows Azure Communications Gateway to use the roles that you set up in [Set up application roles for Azure Communications Gateway](#set-up-application-roles-for-azure-communications-gateway).
211-
- A standard Application ID for Azure Communications Gateway. This ID always has the value `8502a0ec-c76d-412f-836c-398018e2312b`.
225+
- The Application ID of the system-assigned managed identity that you found in [Find the Application ID for your Azure Communication Gateway resource](#find-the-application-id-for-your-azure-communication-gateway-resource). This Application ID allows Azure Communications Gateway to use the roles that you set up in [Set up application roles for Azure Communications Gateway](#set-up-application-roles-for-azure-communications-gateway).
226+
- A standard Application ID for an automatically created AzureCommunicationsGateway enterprise application. This ID is always `8502a0ec-c76d-412f-836c-398018e2312b`.
212227
213228
To add the Application IDs:
214229

articles/communications-gateway/manage-enterprise-operator-connect.md

Lines changed: 14 additions & 10 deletions
@@ -16,6 +16,13 @@ Azure Communications Gateway's Number Management Portal (preview) enables you to
1616
> [!IMPORTANT]
1717
> The Operator Connect and Teams Phone Mobile programs require that full API integration to your BSS is completed prior to launch in the Teams Admin Center. This can either be directly to the Operator Connect API or through the Azure Communications Gateway's Provisioning API (preview).
1818
19+
You can:
20+
21+
* Manage your agreement with an enterprise customer.
22+
* Manage numbers for the enterprise.
23+
* View civic addresses for an enterprise.
24+
* Configure a custom header for a number.
25+
1926
## Prerequisites
2027

2128
Confirm that you have **Reader** access to the Azure Communications Gateway resource and appropriate permissions for the AzureCommunicationsGateway enterprise application:
@@ -28,6 +35,9 @@ Confirm that you have **Reader** access to the Azure Communications Gateway reso
2835

2936
If you don't have these permissions, ask your administrator to set them up by following [Set up user roles for Azure Communications Gateway](provision-user-roles.md).
3037

38+
> [!IMPORTANT]
39+
> Ensure you have permissions on the AzureCommunicationsGateway enterprise application (not the Project Synergy enterprise application). The AzureCommunicationsGateway enterprise application was created automatically as part of deploying Azure Communications Gateway.
40+
3141
If you're uploading new numbers for an enterprise customer:
3242

3343
* You must complete any internal procedures for assigning numbers.
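Review bot: the new IMPORTANT block on line 39+ names the right application but gives the reader no way to tell the two apart beyond the name. The AzureCommunicationsGateway application always has Application ID `8502a0ec-c76d-412f-836c-398018e2312b` (stated in connect-operator-connect.md in this same change); quoting that ID here lets an administrator confirm they are assigning user roles on the correct enterprise application rather than on Project Synergy, whose roles (`TrunkManagement.*`, `NumberManagement.*`, `Data.*`) are the operator-level permissions set up in connect-operator-connect.md.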
@@ -47,7 +57,7 @@ If you're uploading new numbers for an enterprise customer:
4757
|Country | The country for the number. Only required if you're uploading a North American Toll-Free number, otherwise optional.|
4858
|Ticket number (optional) |The ID of any ticket or other request that you want to associate with this number. Up to 64 characters. |
4959

50-
Each number is automatically assigned to the Operator Connect or Teams Phone Mobile calling profile associated with the Azure Communications Gateway which is being provisioned.
60+
Each number is automatically assigned to the Operator Connect or Teams Phone Mobile calling profile associated with the Azure Communications Gateway that is being provisioned.
5161

5262
## Go to your Communications Gateway resource
5363

@@ -57,22 +67,16 @@ Each number is automatically assigned to the Operator Connect or Teams Phone Mob
5767

5868
## Manage your agreement with an enterprise customer
5969

60-
When an enterprise customer uses the Teams Admin Center to request service, the Operator Connect APIs create a *consent*. The consent represents the relationship between you and the enterprise.
61-
62-
The Number Management Portal displays a consent as a *Request for Information* and allows you to update the status. Finding the Request for Information for an enterprise is also the easiest way to manage numbers for an enterprise.
70+
When an enterprise customer uses the Teams Admin Center to request service, the Operator Connect APIs create a *consent*. The consent represents the relationship between you and the enterprise. The Number Management Portal displays a consent as a *Request for Information* and allows you to update the status.
6371

6472
1. From the overview page for your Communications Gateway resource, find the **Number Management (Preview)** section in the sidebar.
6573
1. Select **Requests for Information**.
6674
1. Find the enterprise that you want to manage. You can use the **Add filter** options to search for the enterprise.
6775
1. If you need to change the status of the relationship, select the enterprise **Tenant ID** then select **Update relationship status**. Use the drop-down to select the new status. For example, if you're agreeing to provide service to a customer, set the status to **Agreement signed**. If you set the status to **Consent declined** or **Contract terminated**, you must provide a reason.
6876

69-
## Create an Account for the enterprise
70-
71-
You must create an *Account* for each enterprise that you manage with the Number Management Portal.
77+
If you're providing service to an enterprise for the first time, you must also create an *Account* for the enterprise.
7278

73-
1. From the overview page for your Communications Gateway resource, find the **Number Management (Preview)** section in the sidebar.
74-
1. Select **Accounts**.
75-
1. Select **Create account**.
79+
1. Select the enterprise, then select **Create account**.
7680
1. Fill in the enterprise **Account name**.
7781
1. Select the checkboxes for the services you want to enable for the enterprise.
7882
1. Fill in any additional information requested under the **Communications Services Settings** heading.
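Review bot: removing the `## Create an Account for the enterprise` heading (line 69-) also removes its anchor, so any inbound links to `#create-an-account-for-the-enterprise` from other articles or a TOC will now land at the top of the page; please search for that anchor before merging. The merged step on line 79+ also assumes the reader is still on the **Requests for Information** page from the previous list; now that the paragraph on line 77+ separates the two lists, a short lead-in such as "From the enterprise's Request for Information:" would make that explicit.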
