Before you can access Teams Self-service, you must complete a startup guide, and it must be done before the GoLive date. You can complete the guide together with your project manager on our side, but you can also give it a go yourself.
Below is a guide on how to complete it.
First, you must have access to Self-service as the first administrator in your organization. This will already be the case by the time you reach this point. It is also a condition that the user you are using has an email address in Office 365.
Go to app.sky.tdc.dk and log in with your email address and your Office 365 password.
Click Accept in the window that pops up. Now you are entering the wizard.
Here are five steps:
- Enter the Custom Primary Domain Name and Tenant ID of your tenant
- Create an Azure AD app in your tenant (and enter information about it in the wizard)
- Create an AD user with admin rights (and enter information about it in the wizard)
- Overview and test connection
- Give others access to Self-service
In steps 2 and 3, you must first create something on your tenant and then enter information about what you have created in the wizard. Let us go through the steps one at a time.
Step 1. Enter the Custom Primary Domain Name and Tenant ID of your tenant
You can find this information by logging into https://portal.azure.com.
Custom Primary Domain Name can be found under Azure Active Directory -> Custom domain names. The domain name we are looking for ends with onmicrosoft.com.
So, for example, as here in our case: testandapproval.onmicrosoft.com.
Tenant ID (formerly known as Directory ID) can be found under Azure Active Directory -> Properties -> Tenant ID.
When you have them both, enter them in the wizard and click on Next.
Step 2. Create an Azure app in your tenant
Go get yourself a nice cup of coffee. This step is by far the heaviest.
Sign in at https://portal.azure.com with an admin account and go to App Registration by finding it in the search box at the top.
1. Then click on New registration.
2. Under Supported account types, select Accounts in this organizational directory only.
3. Leave Redirect URI blank.
4. Select and enter a name.
It should look something like this:
Click on Register. The app is now registered.
Save Application (client) ID on a notepad - you will need it later.
Now we need to set the correct permissions.
Under App registration, select your new app.
Go to the API permissions menu and then click on the Microsoft Graph permission category.
Then add the following four Application permissions:
- Directory.Read.All
- Reports.Read.All
- User.Export.All
- User.Read.All
You select the correct permission category at the top. Search for “permission name” and check the box. Finish by clicking Update permissions.
Your browser window should now look something like this.
Some permissions may be marked Not granted for... This is perfectly normal. Above the list is a button with the text Grant admin consent for <O365 Tenant Name>.
Click it to activate the permissions.
If the current user does not have the directory role Privileged role admin, the button may not be accessible. In that case, you will have to sign in with an admin account. Otherwise, you will not be able to enable the permissions.
To open your Graph App to API calls, we then need to generate a secret for it. With your app still selected, enter the Certificates & secrets menu item and click New client secret as shown here:
Add a description and choose an expiration date. We strongly advise against creating a secret that does not expire.
Click on Add.
You have now created a secret.
Copy this secret by clicking on the icon. When you leave this page, you will never be able to see the secret again. Also note the expiration date, as you will need it for the next step.
You can now complete step 2 of the startup wizard by clicking Add.
Then insert the Application (client) ID on the Graph App that you created earlier (in the Client ID field) and then the secret that you linked to it (in the Client Secret field).
Finally, set Choose validity start date to today and fill in Choose validity end date with the expiration date you chose earlier.
Now add a note to your calendar one week before the secret expires. On this date, log into the Azure portal and create a new secret - yes, you may have multiple secrets for the same app. Enter the details of this new secret in the wizard and delete the old one.
Click Add.
This was step 2. Proceed by clicking Next.
Don't worry... the others are easier.
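To confirm that admin consent in step 2 produced exactly the four permissions listed, and nothing more, you can inspect the roles claim of an app-only access token issued to the app. The following is an added example, not part of this guide or of Teams Self-service: the function names are hypothetical, the sample token and tenant ID are constructed placeholders, and obtaining a real token for the app is assumed to happen elsewhere.

```python
import base64
import json
from datetime import date, timedelta

# The four Microsoft Graph application permissions the guide asks for in step 2.
EXPECTED_ROLES = {"Directory.Read.All", "Reports.Read.All",
                  "User.Export.All", "User.Read.All"}


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT for inspection only (no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_app_token(token: str, tenant_id: str) -> dict:
    """Compare the token's granted roles and tenant with what the guide expects."""
    claims = jwt_claims(token)
    granted = set(claims.get("roles", []))
    return {
        "tenant_ok": claims.get("tid") == tenant_id,
        "missing": sorted(EXPECTED_ROLES - granted),   # consent not granted yet
        "excess": sorted(granted - EXPECTED_ROLES),    # more than the guide needs
    }


def rotation_due(secret_end: date, today: date, lead_days: int = 7) -> bool:
    """True once the one-week-ahead calendar reminder from the guide is due."""
    return today >= secret_end - timedelta(days=lead_days)


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token; real tokens are issued by Azure AD."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    tenant = "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID
    sample = constructed_token({                      # constructed sample claims
        "tid": tenant,
        "roles": ["Directory.Read.All", "User.Read.All", "Directory.ReadWrite.All"],
    })
    print(audit_app_token(sample, tenant))
    print(rotation_due(date(2025, 6, 30), today=date(2025, 6, 24)))
```

An empty "missing" list and an empty "excess" list mean the app holds exactly the permissions this guide asks for.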
Step 3. Create an AD user with admin privileges
You must create a regular user account without licenses on your tenant.
The account must have the following properties:
- Two-factor authentication must not be enabled for the user, as mentioned in the technical prerequisite sheet.
- Must be allowed to sign in.
- Must have an expiration date set.
- Password must be set when created - i.e. not set at first login.
The account must have the following roles:
- Teams Administrator
- Skype for Business Administrator
Click Add.
Fill in the created user's Login email and password and select the validity period.
Click Add.
If the account password is set to expire (which is recommended), the password must be renewed and entered on a regular basis in TDC Erhverv Teams Self-service.
Finally, click Next.
Step 4. Overview and test connection
In this step, you can test whether all the entries you made in steps 1 and 2 are okay and give Teams Self-service the right access.
Click Test connection.
Below the button it says that it can take up to 30 seconds, so be patient. If everything looks fine, you can go to the last step.
Step 5. Give others access to Teams Self-service
In this step you will have access to all the users that you have in your tenant. You can see your GoLive date and you can assign the Administrator role to Teams Self-Service.
If you have many user objects (e.g. more than 200) in your Azure AD, fetching them into Self-service may be a heavy load - especially if only a fraction of the objects are relevant users. Therefore, we recommend that you create a group in your Azure AD and place in it the employees who will be using our Teams solution.
Click Set up AD group filters to set up group filtering.
Now you have completed the startup wizard. Well done.
When we reach the GoLive date, you and the administrators that you added in step 5 will have access to Teams Self-service. Until then, you may want to return to the wizard and add other colleagues as administrators.