In this document, you will configure Dynamics 365 (D365) to connect to Microsoft Teams and SharePoint to automatically create Microsoft 365 (M365) Groups, Teams and Channels for TekStack entities. This is accomplished by creating a user in Azure Active Directory that D365 will use to connect to Teams and SharePoint. The user will be added to the groups so it can read and create files and channels in those groups. You will also create an application that will control which Microsoft APIs that D365 is permitted to access.

Note: To do these tasks, you need to be an administrative user for Microsoft Teams, Azure and Dynamics 365.

User Setup

1. In Azure Active Directory, create a new user for the D365/Teams/SharePoint integration.
2. Call the user “D365 Teams Integration” or something similar.
3. Set the user’s password to never expire (see https://docs.microsoft.com/en-us/office365/admin/add-users/set-password-to-never-expire?view=o365-worldwide).
4. In a new browser, navigate to office.com and login as the new user.
5. When prompted, update the user’s password. Keep the password for use in a later step.
6. Under Licenses, add a license for Microsoft Teams with all services.

Optional: If your organization uses multi-factor authentication (MFA), you will need to add D365 IPs to your trusted locations, so the account does not require MFA on sign in.

7. Open Azure Active Directory. In the left navigation, choose “Conditional Access”.

8. In the left navigation, choose “Named Locations” and click “New locations”.

9. Add the IP ranges for your D365 geography available from Microsoft here: https://support.microsoft.com/en-ca/help/2728473/microsoft-dynamics-crm-online-ip-address-ranges.

Application Setup

1. In Azure Active Directory, select “App registrations”.

2. Choose “New Registration”.
3. Choose a name for the new app, for example “D365 Teams SharePoint Integration”.
4. Choose “Accounts in this organizational directory only (organization name only – Single tenant”).
5. Click “Register”.

6. On the overview of the new app, keep the Application (client) ID and Directory (tenant) ID for use in a future step.

7. In the left menu, choose “Certificates & secrets” and click “New client secret”.

8. Add a description and choose “Never” for the expiry.

9. Keep the value of the client secret for use in a future task. Note! This is your only opportunity to see this data.

10. In the left menu, choose “API Permissions” and click “Add a permission”.

11. Choose “Microsoft Graph”, then “Delegated permissions”, and then select:

• Files: “Files.ReadWrite.All”
• Group: “Group.ReadWrite.All”
• Notes: “Notes.ReadWrite.All”
• User: “User.Read”
• User: “User.ReadBasic.All”

12. Click “Add permission”
13. Click “Add a permission” again.
14. Choose “SharePoint”, then “Delegated permissions”, and then select:

• AllSites: “AllSites.Read”
• AllSites: “AllSites.Write”

15. Click the button “Add permissions”
16. Click “Add a permission” again
17. Choose “Dynamics CRM”, then “Delegated permissions”, and then select:

• “user_impersonation”

18. Click “Grant admin consent for organization name”.

19. Your permissions are approved.

20. In the left navigation, choose “Overview” and then click the name of your app under “Managed application in local directory”.

21. In the left navigation, choose “Users and groups”, then click “Add user”.

22. Pick the user you created previously, give it default access and click “Assign”.
23. Ensure the newly created user has the Groups Administrator role in Azure.

Your  new user role, D365 Teams Integration, is now set up.