This article covers the technical details of the Microsoft permissions that TeamMate requires in a customer tenant.
Basic Connector Permissions
Upon initial registration, the Global Admin is required to grant a set of permissions to the Teammate Enterprise Provisioning Portal application (the name may differ depending on branding settings). This grant is how the platform operates against your tenant, and it is therefore not optional.
Once granted, the permissions can be reviewed in Microsoft Entra under Enterprise applications: select the application and open its Permissions page. It will look like this.
The two highlighted items -- Directory.ReadWrite.All and Skype and Teams Admin API -- typically generate the most questions from IT and Security administrators. These are discussed in the following sections.
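As an added example (written for this article, not TeamMate's code), the following Microsoft Graph PowerShell script performs the same review from the command line: it resolves the enterprise application by display name, lists every application permission (appRoleAssignment) and delegated grant (oauth2PermissionGrant) it holds, translates role GUIDs back to permission names, and flags the entries a reviewer would want to look at. The display name defaults to the one used in this article and the list of privileged permissions is an assumption; adjust both to your tenant. The Skype and Teams Admin API grant typically appears as a delegated user_impersonation scope on its own resource application rather than under Microsoft Graph, which is why that scope name is in the list.

```powershell
# Added example: audit what an enterprise application was actually granted.
# Requires the Microsoft.Graph PowerShell module and a reader-level admin session.
$AppDisplayName = 'Teammate Enterprise Provisioning Portal'   # assumption: default name from the article

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp)            { throw "No service principal named '$AppDisplayName' in this tenant" }
if ($sp.Count -gt 1)     { throw "Display name is ambiguous; filter on appId instead" }

# Resource service principals (Microsoft Graph, Skype and Teams Tenant Admin API, ...)
# are fetched once each so role GUIDs can be mapped to their permission names.
$resourceCache = @{}
function Get-ResourceSp($id) {
    if (-not $resourceCache.ContainsKey($id)) {
        $resourceCache[$id] = Get-MgServicePrincipal -ServicePrincipalId $id
    }
    $resourceCache[$id]
}

$findings = @()

# Application permissions: appRoleAssignments in which this SP is the principal.
foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $res  = Get-ResourceSp $a.ResourceId
    $role = $res.AppRoles | Where-Object Id -eq $a.AppRoleId
    $findings += [pscustomobject]@{
        Type         = 'Application'
        Resource     = $res.DisplayName
        Permission   = if ($role) { $role.Value } else { $a.AppRoleId }
        ConsentedFor = 'tenant'
    }
}

# Delegated permissions: oauth2PermissionGrants in which this SP is the client.
# Scope is a space-separated string, so split it into one row per permission.
foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
    $res = Get-ResourceSp $g.ResourceId
    foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
        $findings += [pscustomobject]@{
            Type         = 'Delegated'
            Resource     = $res.DisplayName
            Permission   = $scope
            ConsentedFor = if ($g.ConsentType -eq 'AllPrincipals') { 'tenant' } else { "user $($g.PrincipalId)" }
        }
    }
}

# Permissions that warrant explicit review. This list is an assumption for the example;
# extend it with whatever your own policy treats as privileged. user_impersonation is the
# generic delegated scope used by several first-party APIs, including the Teams admin API.
$privileged = @(
    'Directory.ReadWrite.All', 'Directory.AccessAsUser.All', 'RoleManagement.ReadWrite.Directory',
    'AppRoleAssignment.ReadWrite.All', 'Application.ReadWrite.All', 'user_impersonation'
)

$findings | Sort-Object Type, Resource, Permission |
    Select-Object Type, Resource, Permission, ConsentedFor,
        @{ n = 'Review'; e = { if ($privileged -contains $_.Permission) { 'YES' } else { '' } } } |
    Format-Table -AutoSize
```

Run this after the initial consent and again after any later grant (such as the Application-scoped grant described at the end of this article); the diff between two runs is the change-control record for what the vendor application can do.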
The Directory.ReadWrite.All permission
Here we provide more detail on what this permits, what remains restricted, and why this access is needed.
What does this allow?
Microsoft's documentation of Directory.ReadWrite.All, including what it can and cannot do, is in the Microsoft Graph permissions reference.
In general, as stated in that documentation, this permission allows creating and modifying user and group information, assigning licenses, and a variety of related operations. Graph permissions are granular, but the set needed to perform all of the provisioning and operational actions described below collapses to Directory.ReadWrite.All.
What is NOT allowed?
Things this permission does not allow include:
- Credentials. Directory.ReadWrite.All does not allow resetting passwords. Furthermore, Microsoft Graph does not expose password material in any form, hashed or otherwise. We don’t store any Microsoft credentials, ever.
- Deleting. Directory.ReadWrite.All does not allow deleting users or groups; Microsoft's permission reference calls this restriction out explicitly.
- Security settings. Directory.ReadWrite.All does not permit changes to directory role assignments, Conditional Access or other security configuration, nor does it allow granting or consenting to permissions for any other application. One caveat for reviewers: because the permission can write group membership, any access your organization gates on group membership is indirectly within its reach, so treat group-based access assignments as in scope when evaluating the grant.
Why do we need this permission, and what does TeamMate do with it?
The Directory.ReadWrite.All permission is primarily used during Direct Routing setup. All of these actions require an active admin session (the administrator authenticates directly with Microsoft) unless the additional Application-scoped grant described later has been made.
These are the basic steps to setting up Direct Routing:
- We query the tenant's license information via Graph to confirm that the necessary licenses are available before attempting the Direct Routing setup.
- We add a domain to the tenant (the “direct routing domain”), such as cust1234.sbc.connecttoteams.com, and validate it through our DNS to Microsoft’s satisfaction. This is done via Graph.
- We create a user named “Direct Routing User” on that domain with the UPN donotdelete@cust1234.sbc.connecttoteams.com and assign Phone System and Teams licenses (also via Graph). This user does not need login capability: it exists only to “anchor” the DR domain, and Microsoft requires a licensed user on the domain before the remaining elements can be configured. Once DR setup is complete, the licenses can be reclaimed, but the DR user must remain.
- We then configure voice routes, PSTN usages, the dial plan and normalization rules, and the voice routing policy in Teams to complete the voice routing setup. These steps are performed with PowerShell scripts, authorized via the permission described in the next section.
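The first three steps, as an added illustration written for this article (not TeamMate's own code) in Microsoft Graph PowerShell, run under an interactive admin session. The domain name, the SKU part numbers (MCOEV for Teams Phone Standard, ENTERPRISEPACK for Office 365 E3), the usage location and the requested scopes are assumptions; check the scopes against the Graph permissions reference for the domain and user endpoints. Disabling sign-in on the anchor user is also an assumption, consistent with the statement above that it never needs to log in. The voice-routing step is done with Teams PowerShell cmdlets and is not part of this script.

```powershell
# Added example: the Graph side of Direct Routing setup, checked before anything is changed.
$DrDomain       = 'cust1234.sbc.connecttoteams.com'   # assumption: per-customer DR domain
$PhoneSystemSku = 'MCOEV'                             # assumption: Teams Phone Standard part number
$BaseTeamsSku   = 'ENTERPRISEPACK'                    # assumption: Office 365 E3, includes Teams
$UsageLocation  = 'US'                                # required on the user before any license can be assigned

# Assumption: scopes an interactive admin session needs for the calls below.
Connect-MgGraph -Scopes 'Directory.ReadWrite.All', 'Domain.ReadWrite.All'

# 1. Confirm both licenses have free seats; stop early rather than half-configure the tenant.
$skus = Get-MgSubscribedSku
foreach ($part in $PhoneSystemSku, $BaseTeamsSku) {
    $sku = $skus | Where-Object SkuPartNumber -eq $part
    if (-not $sku) { throw "Tenant has no subscription for $part" }
    $free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
    if ($free -lt 1) {
        throw "No free $part licenses (enabled=$($sku.PrepaidUnits.Enabled), consumed=$($sku.ConsumedUnits))"
    }
}

# 2. Add the DR domain to the tenant and verify it with the TXT record Microsoft hands back.
$domain = Get-MgDomain -DomainId $DrDomain -ErrorAction SilentlyContinue
if (-not $domain) { $domain = New-MgDomain -Id $DrDomain }
if (-not $domain.IsVerified) {
    $txt = Get-MgDomainVerificationDnsRecord -DomainId $DrDomain | Where-Object RecordType -eq 'Txt'
    # The TXT payload is on a derived type, so the SDK surfaces it in AdditionalProperties.
    Write-Host "Publish a TXT record at '$($txt.Label)' with value: $($txt.AdditionalProperties['text'])"
    Read-Host 'Press Enter once the record is resolvable'
    Confirm-MgDomain -DomainId $DrDomain
    $domain = Get-MgDomain -DomainId $DrDomain
    if (-not $domain.IsVerified) { throw "Domain $DrDomain is still unverified; check DNS propagation" }
}

# 3. Create the anchor user with sign-in disabled and a random throwaway password,
#    then assign both licenses. Creation is skipped if the user already exists.
$upn  = "donotdelete@$DrDomain"
$user = Get-MgUser -Filter "userPrincipalName eq '$upn'"
if (-not $user) {
    $chars = [char[]]((48..57) + (65..90) + (97..122))
    $pw    = -join (1..32 | ForEach-Object { Get-Random -InputObject $chars })
    $user  = New-MgUser -DisplayName 'Direct Routing User' -UserPrincipalName $upn `
        -MailNickname 'donotdelete' -AccountEnabled:$false -UsageLocation $UsageLocation `
        -PasswordProfile @{ Password = $pw; ForceChangePasswordNextSignIn = $true }
}

$add = foreach ($part in $PhoneSystemSku, $BaseTeamsSku) {
    @{ SkuId = ($skus | Where-Object SkuPartNumber -eq $part).SkuId }
}
Set-MgUserLicense -UserId $user.Id -AddLicenses @($add) -RemoveLicenses @() | Out-Null

Get-MgUser -UserId $user.Id -Property UserPrincipalName, AccountEnabled, AssignedLicenses |
    Select-Object UserPrincipalName, AccountEnabled, @{ n = 'Licenses'; e = { $_.AssignedLicenses.Count } }
```

Once the Teams-side configuration is complete, the same Set-MgUserLicense call with the SKU IDs in -RemoveLicenses and an empty -AddLicenses reclaims the seats; the user object itself must stay, as noted above.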
Skype and Teams Admin API permission
The Skype and Teams Admin API permission is used to execute Teams-specific commands with the authority of the logged-in tenant admin. Essentially all of the calling configuration in Teams is accomplished using this permission, and this requires that an Enterprise Admin (a tenant admin holding the necessary roles) be logged in so that their authentication can be used to execute the commands.
These are the general areas where this permission is exercised:
Direct Routing setup:
- We create the Voice Route(s) and associate them with the Direct Routing domain(s)
- We create the Voice Routing Policy instances and associate them with the correct PSTN Usage
Other Calling configuration setup actions:
- We create a Dial Plan (and a normalization rule)
- We (optionally) alter the Calling Policy to enable PBX Music-on-Hold
User Phone Management (ongoing)
- We assign the phone number, Voice Routing Policy and Dial Plan to a user via PowerShell.
- We modify the call answering settings for the user (to enable or disable Teams voicemail)
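An added example (written for this article, not one of TeamMate's scripts) of the Teams PowerShell cmdlets behind the areas listed above, run under the signed-in admin's authority: the SBC gateway the routes point at (implied by the voice routes, though not listed above), PSTN usage, voice route, voice routing policy, a tenant dial plan with one normalization rule, the optional music-on-hold setting, and the per-user assignments. Every name, FQDN, number and pattern is an assumption. Tenant-level objects are created only if absent, so the script can be re-run, and it ends by reading the user back to confirm the assignments took effect.

```powershell
# Added example: Teams PowerShell side of Direct Routing and user phone management.
# Requires the MicrosoftTeams module and a Teams Administrator (or Global Administrator) session.
$SbcFqdn  = 'cust1234.sbc.connecttoteams.com'   # assumption: the Direct Routing domain
$Usage    = 'CTT-Usage'                          # assumption: PSTN usage name
$Route    = 'CTT-Route'                          # assumption: voice route name
$VrPolicy = 'CTT-VoiceRoutingPolicy'             # assumption: voice routing policy name
$DialPlan = 'CTT-DialPlan'                       # assumption: tenant dial plan name
$UserUpn  = 'alice@contoso.example'              # assumption: user being enabled for calling
$UserE164 = '+15551230100'                       # assumption: E.164 number to assign

Connect-MicrosoftTeams

# Direct Routing setup: gateway -> PSTN usage -> voice route -> voice routing policy.
if (-not (Get-CsOnlinePSTNGateway -Identity $SbcFqdn -ErrorAction SilentlyContinue)) {
    New-CsOnlinePSTNGateway -Fqdn $SbcFqdn -SipSignalingPort 5061 -Enabled $true | Out-Null
}
if ((Get-CsOnlinePstnUsage -Identity Global).Usage -notcontains $Usage) {
    Set-CsOnlinePstnUsage -Identity Global -Usage @{ Add = $Usage }
}
if (-not (Get-CsOnlineVoiceRoute -Identity $Route -ErrorAction SilentlyContinue)) {
    # Anchored E.164 pattern: only fully qualified numbers reach the trunk, not arbitrary dial strings.
    New-CsOnlineVoiceRoute -Identity $Route -Priority 1 -NumberPattern '^\+\d{8,15}$' `
        -OnlinePstnGatewayList $SbcFqdn -OnlinePstnUsages $Usage | Out-Null
}
if (-not (Get-CsOnlineVoiceRoutingPolicy -Identity $VrPolicy -ErrorAction SilentlyContinue)) {
    New-CsOnlineVoiceRoutingPolicy -Identity $VrPolicy -OnlinePstnUsages $Usage | Out-Null
}

# Other calling configuration: a dial plan that normalizes 10-digit US dialing to E.164,
# and (optionally) music on hold in the global calling policy.
if (-not (Get-CsTenantDialPlan -Identity $DialPlan -ErrorAction SilentlyContinue)) {
    $rule = New-CsVoiceNormalizationRule -Parent $DialPlan -Name 'US-10Digit' `
        -Pattern '^(\d{10})$' -Translation '+1$1' -InMemory
    New-CsTenantDialPlan -Identity $DialPlan -NormalizationRules @($rule) | Out-Null
}
Set-CsTeamsCallingPolicy -Identity Global -MusicOnHoldEnabledType Enabled

# Ongoing user phone management: number, routing policy, dial plan, voicemail.
Set-CsPhoneNumberAssignment -Identity $UserUpn -PhoneNumber $UserE164 -PhoneNumberType DirectRouting
Grant-CsOnlineVoiceRoutingPolicy -Identity $UserUpn -PolicyName $VrPolicy
Grant-CsTenantDialPlan -Identity $UserUpn -PolicyName $DialPlan
Set-CsOnlineVoicemailUserSettings -Identity $UserUpn -VoicemailEnabled $true

# Read the user back so the change is confirmed rather than assumed.
Get-CsOnlineUser -Identity $UserUpn |
    Select-Object UserPrincipalName, LineUri, OnlineVoiceRoutingPolicy, TenantDialPlan, EnterpriseVoiceEnabled
```

Because these cmdlets act with the signed-in admin's authority, the Teams admin audit log attributes every change to that account; if the changes were made through the portal described in this article, that is the identity you will see there.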
Application-Scoped Permissions
The permission requirements described above assume that a tenant admin is logged into the portal. The Consent for Service Provider Management feature extends some of those permissions (where Microsoft Graph supports it) so that the reseller or service-provider admin can manage the configuration on behalf of the tenant admin.
The specific Teams permissions exercised are visible in finer detail when the Teammate Enterprise Management application is examined in Entra. Here, the individual permissions must be granted with Application scope so that the application itself is able to modify Teams settings (as directed by the service-provider admin user). Some permissions, such as App Catalog deployment, are not available with Application scope, so those functions must still be performed by an Enterprise Admin holding the appropriate roles.
Here are the permissions for the Teammate Enterprise Management application.