Tuesday, June 11, 2019

Teamify Group with SharePoint Site Designs and Microsoft Flow - Part 1 - The authentication

Site Designs' integration with Microsoft Flow opens the door to new possibilities for provisioning. Customers aren't limited to the built-in functionality that SharePoint Site Designs offer. They can connect whatever they want to a Site Design via Microsoft Flow, extending what a provisioning process can do.

In March 2019 I wrote about my Wish list for Site Designs. There I described the need for a way to teamify an Office 365 group through Site Designs. Microsoft Teams is a central player in Office 365. It is fast, it is user friendly and it integrates different applications from Office 365. Unfortunately, there isn't any built-in support for teamification in Site Designs, but thanks to Microsoft Flow you can quickly set up logic that converts an Office 365 Group into a Microsoft Team. In this blog post, I'll demonstrate how to achieve this goal.

I've split this blog post into three parts. The first one covers the registration of an Azure App, which lays the foundation for authentication. The second one demonstrates the creation of the Microsoft Flow. The last one explains all the steps related to Site Designs and Site Scripts. The links are below:

- Teamify Group with SharePoint Site Designs and Microsoft Flow - Part 1 - The authentication
- Teamify Group with SharePoint Site Designs and Microsoft Flow - Part 2 - The Flow
- Teamify Group with SharePoint Site Designs and Microsoft Flow - Part 3 - The Site Design


1. Register an Azure App
2. Create the Microsoft Flow
3. Create the Site Script
4. Create the Site Design
5. Apply the Site Design

1. Register an Azure App

The group's teamification occurs through a request to the Microsoft Graph API, which requires Azure Active Directory (Azure AD) OAuth for authentication. In order to be authenticated during HTTP requests from the Flow, we must first register an app with Azure AD. Microsoft Graph itself supports two kinds of permissions:

| Permission | Description |
|---|---|
| Delegated | Requests occur on behalf of a user, for example the signed-in user. |
| Application | Requests occur only on behalf of the app. This is comparable to the App-Only context in SharePoint Provider Hosted Apps. |

Our logic uses application permissions since I want the solution to work independently of any user. Follow the steps below in order to set up the authentication with Azure AD:

1.1. Add a new app registration

Navigate to the Azure portal. In the left navigation, click on Azure Active Directory, then App Registrations (preview). Finally, click on add registration:

The Register an application form appears. Name your app "Group Teamifier". Then select "Accounts in this organizational directory only (...)" since the target audience is restricted to the organization. Finally, click on Register. Here is what my configuration looks like:

1.2. Grant permission

The Flow solution will work with the two Microsoft Graph API endpoints listed below. These APIs require the Group.ReadWrite.All permission to work. Therefore, the app must be set up with this permission.

• GET /groups/{id}
• PUT /groups/{id}/team

Within the app just registered, click on API permissions. On the loaded page, remove the User.Read permission since it isn't needed in the Flow. Then add a new permission by clicking on Add new permission > Microsoft Graph > Application permission. In the search box used to select permissions, enter Group.ReadWrite.All. Choose it and click on Add permissions. Here is how it looks:

1.3. Grant consent

Before the app can use the Group.ReadWrite.All permission, we must tell the tenant that we allow the app to work with the requested permission. On the App Permissions page, click on Grant admin consent for .... Then click on Yes. Here is how it looks:

1.4. Generate a client secret

The client secret will be used to identify our application when requesting an access token from Azure AD. Inside our registered app, click on Certificate & Secrets and then on New Client Secret. The Add a client secret form appears. Give it a description and choose the expiry time that suits you best. After you click on Add, the Client Secrets table shows the newly generated client secret. You must copy the new client secret value now, since you won't be able to retrieve it after you leave the client secret's page. Here is how it looks:

Important: Note the Application Client ID and the Application Client Secret since they will be needed in the Flow logic.
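A check that follows from steps 1.2 to 1.4, as an added example that is not part of the original post: application permissions show up in an access token's `roles` claim and delegated permissions in `scp`, so decoding a token issued to the app shows whether it holds exactly Group.ReadWrite.All. The tokens below are constructed and unsigned, the function names are hypothetical, and the code only inspects claims without validating signatures.

```python
import base64
import json

# Assumption for this example: the only application permission granted in step 1.2.
EXPECTED_ROLES = {"Group.ReadWrite.All"}
# Audience values used for Microsoft Graph (resource URL and its well-known app ID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def decode_claims(jwt: str) -> dict:
    """Decode the payload of a compact JWT for inspection only (no signature check)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_app_token(claims: dict) -> list:
    """Return findings; an empty list means the token matches the registration."""
    findings = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append(f"unexpected audience: {claims.get('aud')!r}")
    if "scp" in claims:
        findings.append("token carries delegated scopes (scp); expected app-only")
    roles = set(claims.get("roles", []))
    for extra in sorted(roles - EXPECTED_ROLES):
        findings.append(f"excess application permission: {extra}")
    for missing in sorted(EXPECTED_ROLES - roles):
        findings.append(f"missing application permission (consent not granted?): {missing}")
    return findings


def b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    return f"{b64url({'alg': 'none'})}.{b64url(claims)}.sig"


# Constructed sample claims, not taken from a real tenant.
AUD = "https://graph.microsoft.com"
GOOD = make_sample_token({"aud": AUD, "roles": ["Group.ReadWrite.All"]})
BROAD = make_sample_token({"aud": AUD, "roles": ["Group.ReadWrite.All", "Directory.ReadWrite.All"]})
NO_CONSENT = make_sample_token({"aud": AUD})

if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("broad", BROAD), ("no_consent", NO_CONSENT)]:
        print(name, audit_app_token(decode_claims(tok)))
```

Running the same audit on a real token after any change to the app's API permissions catches permission creep before the secret is placed in the Flow.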

You'll find the step about the Flow creation in the second part of this article:

Teamify Group with SharePoint Site Designs and Microsoft Flow - Part 2 - The Flow

To be continued...
