Skip to main content

Microsoft Teams Virtual Meeting Integration

Tony Mirasola

Microsoft Teams Virtual Meeting Integration within SkillSync provides Admins a way of managing all virtual meeting creations, updates, and deletions for Instructor-Led Course (ILC) Sessions from within the LMS, without having to enter or adjust anything within Microsoft Teams. Learners can launch and participate in the virtual ILCs within the LMS or from their calendar invitation, even as guests on the Teams tenant.

Authenticating Admin Advisory

Before authenticating the Microsoft Teams Integration, confirm you have set up a shared/corporate account with the correct permissions. Configuring this integration with a singular or private User account may cause permissions issues as it relates to editing items such as Teams Sessions. This is because all Teams Meetings created via our integration are created on behalf of (and thus owned by) the User who authenticated the integration.

 

Getting Started

You can easily enable the Microsoft Teams Virtual Meeting Integration within your SkillSync LMS Portal by adjusting the Portal Settings.  Once enabled, a Venue can be created and attached to Instructor-Led Course (ILC) Sessions

MT_Integration.gif

 

Step 1 - Setting up Microsoft Teams

You will need to work with your Microsoft Teams Tenant Administrator to register and configure an App in your Azure portal. 

Important Note: 

When setting up your Microsoft Teams integration with Azure, you MUST setup "Redirect URL's".

How to create an app registration in Azure Portal 

  1. Begin by going to your Microsoft Teams' account https://portal.azure.com/#home to add a Registered App via Manager.  Click App registrations. 

    screenshot1.png

  2. Click new registration.

    screenshot2.png
          
  3. Setup the Registration. 
    Picture1.png
  • Set the Name to: SkillSync LMS Integration 
  • Select the supported account types: "Accounts in this organizational directory only" 
  • Add in the Redirect URI 
    • A Redirect URI must be added here for each Route that is setup in the LMS. If you have more than one portal route setup, please reach out to your CSM or SkillSync Support to obtain a list of active routes. 
    • Add one of the Redirect URI’s now in the Redirect URI field in Azure.
      • Select the Web in the dropdown: 

Picture2.png

 

Picture3.png

      •  

If you have any additional Routes setup in the LMS: 

Navigate back to the new App Registration: 

Picture4.png

 

Picture5.png

 

Picture6.png

 

Add all the additional Redirect URI's here (from the LMS Routes table): 

Picture7.png

 

4. Copy application ID and Directory (tenant) ID, which will be used when enabling Microsoft Teams Virtual meeting in the LMS. 
screenshot4.png

5. Click Certificates & Secrets in the sidebar, click add new client secret. Enter a description and default expiry should be fine. 

screenshot5a.png

screenshot5b.png

 

6. Copy the client secret value, this will be required for configuring the LMS. Note Make sure to copy and paste the Client Secret Value (not the ID) and do so before leaving the page.  Once you leave the page, the Value will be hidden.   

screenshot6.png

 

Leave https://portal.azure.com/#home open until you complete Step 2. For more details, visit the Microsoft Documentation Article

 

7. Now that the App Registration is created, select Roles and Administrators on the left hand side. There will likely only be a Cloud Application Administrator Role, so you will need to create a new custom Read Only Role. To create this Role, follow the steps below:

microsoft-teams-integration-roles-and-administrators.png

 

  • Navigate to the Roles page by clicking the link  that appears above the Roles. Once there select New Custom Role and name it Read Only Admin.
    microsoft-teams-integration-roles-and-administrators-new-custom-role.png
  • Navigate to Permissions where you will see permissions in the following format. microsoft.directory/(Permission Set Names)/read (could also be update, delete, ext.) There may also be other values between the Permission Set Names and the endings. What we will be focusing on is selecting any permissions that have the below Permission Set Names and end in read.
    microsoft-teams-integration-navigate-to-permissions.png

  • Select all Permission sets listed here that end in read: Application Policies, Applications, Audit Log, Connector Groups, Connectors, Groups, and Users
  • Select Next at the bottom of the page, then Create which will take you to a full list of roles. Select your new read only role. Now that you're in the Read Only Administrator role, select Add Assignment.
    microsoft-teams-integration-role-assignment.png

    microsoft-teams-read-only-admin-assignment.png

  • Search for the SkillSync LMS Integration, select it and then hit Add at the bottom of the page.microsoft-teams-integration-add-integration.png

8. Now go back to App Registration and select the API Permissions on the left hand side. We will need to set the configured permissions as listed below.
microsoft-teams-integration-add-api-permissions.png

  • First Select Add a permission, then select Microsoft Graph.
    microsoft-teams-integration-api-microsoft-graph.png

  • Select the following permissions: Directory.Read.All, offline_access, OnlineMeetingArtifact.Read.All, OnlineMeetings.ReadWrite.
  • Hit Add permissions at the bottom of the screen. Now while back on the API Permissions page just hit the check mark for Grant Admin Consent.
    microsoft-teams-integration-grant-admin-consent.png

9. Select Overview in the left-hand side menu to return to the App Registration.

 

Step 2 - Setting up the LMS

The Microsoft Teams Integration is available to add to an organization's LMS by accessing the Info Tab of Portal Settings.

If you wish to use the Teams Co-Organizer Functionality, it’s recommended that you enable the following Portal Settings toggle and save the Portal Settings page, prior to enabling the Teams Integration. 



Confirm if you need the Co-Organizer Functionality

The User who enabled the integration will always be the Organizer for the meeting. To have multiple Instructors have Permissions in the Teams meeting, the Co-Organizer Functionality must be enabled.

 

Turning the Enable Microsoft Teams toggle on will display the following options: 

  • App ID: Enter the Application (Client) ID value for this field, which was found in step #4 above. 
  • Tenant ID: Enter the Directory (Tenant) ID value for this field, which was found in step #4 above 
  • Client Secret: Enter the client secret value, which was found in step #6 above. 

Once all the required IDs and values are entered, select Enable and then Save. You may be prompted to accept permissions from Microsoft to complete the setup. 

Important Notes

  • During the Setup process, please ensure a System Admin has logged in to the Portal and proceeds through the integration process. When attempting to log in to the Portal, the System Admin must also not log in via SSO; they must log in manually.
  • SkillSync Client Advocacy/Support cannot enable, disable or authenticate the integration. If a Client Advocacy/Support member attempts to enable it, the Teams Integration will give you an error.
  • To add a new secret value, you must first disable the integration in order to trigger the prompt for a new secret value. The integration can be disabled by going to your Portal Settings and clicking Disable on the Microsoft Teams integration. 
    microsoft-teams-integration-disable-integration.png

 

Step 3 - Create your Venue

  1. Navigate to the Venues administration page by clicking the Courses button from the Admin Menu and choosing Venues from the sub-menu. You will be routed to the Venues administration page.
  2. From the Venues administration page, click the Add Venue button from the right-hand action menu. You will be routed to the Add Venue form. 

    • Name: Enter the Venue's Name. The Name identifies the Venue to Learners and Admins. ◦This is visible in both the Admin and Learner experiences.

    • Description: Enter a description to provide details of the Venue in this field. ◦This is visible in the Admin experience only.

    • Max Class Size: Enter a number to set the maximum class capacity for the facility. ◦This is a required field.

      • The Max Class Size will be the default value when creating an ILC Session but can be adjusted on the ILC Session if needed.

    • Type: Click the Type drop-down menu and select Teams Meeting.

    • Department: If you would like to restrict this Venue to specific Department Admins, click the Select Department button to search and find the Department the Venue belongs to.

      • Adding a Department will restrict the Venue to the Admin(s) who manage the identified Department(s). Administrators of other Departments will not see the Venue as an option when selecting locations for ILC Sessions.

  3. Select Save

Once the Teams Meeting venue is created, Admins and/or Instructors can add it to the Instructor-Led Course Session. When the Admin and/or Instructor select the Teams Meeting venue, a meeting will be created in Microsoft Teams and the URL will auto-populate within the Session upon selecting Publish.

 

Step 4 - Using the Co-Organizer Functionality

Using the Co-Organizer Functionality in the Microsoft Teams Integration ensures that there is more than one person that can manage important settings like the meeting options, breakout rooms, and other capabilities in a meeting.

Enable Co-Organizer

If you wish to use the Teams Co-Organizer Functionality, you may enable this using the following Portal Settings page toggle:

It’s important to note that to use this functionality, you must re-enable your Teams Integration after turning on the toggle above. 

If you’re setting up your integration for the first time, set this toggle before you enable your integration, save your Portal Settings, and then return to enable the Teams Integration.

If you already have a working integration, you will need to disable the Teams Integration, set the Co-Organizer toggle to on, save your Portal Settings, return to the Portal Settings page and then re-enable your Teams Integration following the instructions in Step 2 above.

Using ILC Sessions With Instructors as Co-Organizers

For the system to recognize your Instructor as a Co-Organizer, please ensure that the Instructor’s email address is a registered Email Address within your Teams organization account.  

When configuring your ILC Session, select the Venue and Instructors as above.  So long as the Instructors are within your Teams organization, they will be automatically set as Co-Organizers on the meeting.  There are no process changes required to use this functionality other than the setup mentioned above.

If your Instructors are not present in your Teams organization, you will receive an error message when adding Instructors.

Co-Organizers have the ability to manage some meeting settings, while they can not manage others. The following table compares the differences:

Co-Organizer Can Manage Setting Co-Organizer Can Not Manage Setting
  • Access and change meeting options
  • Manage breakout rooms
  • Bypass the lobby
  • Admit people from the lobby during a meeting
  • Lock the meeting
  • Present content
  • Change another participant’s meeting role
  • End meeting for all
  • Manage the meeting recording
  • Remove or change the meeting organizer’s role

 

 

Attendance and Meeting Policies

When setting up the Teams Integration, it is important to enable the Azure setting to allow organizers access to the attendance records. This allows the autofill function to work in Teams. If this setting is not enabled, organizers may encounter a "No participants are found" error.

To confirm that this setting is enabled, please advise the following:

  1. Navigate the Teams Admin Center.
  2. Select Meetings.
  3. Click Meeting Policies.
  4. Under the Meeting scheduling section, confirm that the Attendance and engagement report option is enabled.
    Teams_Admin_Meeting_Policies.png

You can read more about Teams Meeting policies here.

Updating Policies After Integration Configuration

Please note that if you update the attendance policies after the integration is configured, you will need to uninstall and re-install the integration in order for the policy changes to be applied.

 

Troubleshooting

Troubleshooting the Microsoft Teams Virtual Meeting Integration often requires action by the System Admin whom authenticated the integration at the time of setup.

Re-Authenticating Is Generally Safe

When encountering issues with the Microsoft Teams Integration, sometimes it is worthwhile to re-authenticate the integration. At times resolving a configuration concern, such as switching from a personal email address to a general email address requires re-authenticating. SkillSync LMS should not be affected by re-authentication and it is generally considered a safe troubleshooting practice.

 

Can't Edit Teams Session

This issue may affect another component of the Microsoft Teams Integration beyond just Sessions. The most common cause of an issue where you cannot edit a Teams Session or similar, relates to the System Admin account which authenticated the integration. The account which authenticated the integration has ownership over Sessions.

The System Admin account which is used to authenticate and setup the Microsoft Teams Integration has greater access to the integration than other accounts. Accordingly, it is advisable to authenticate the Microsoft Teams Integration with a group/shared/corporate account instead of a singular or private User account.

This is important because in the background all Teams Meetings created via our integration are created on behalf of (and thus owned by) the User who authenticated the Microsoft Teams Integration.

 

Changing the Authenticating User

If the User who authenticated the Teams Integration is changed, where changed means the integration was disabled and re-enabled using by a different User, existing Sessions will still be valid, but can only be managed by the original organizer. The original organizer refers to the User who had authenticated the integration at the time the Session was created.

 

Domain Name in Azure 

Error

This error can occur while enabling the Microsoft Teams integration in the Client Portal: 

Picture8.png

This error can occur while creating the virtual meeting: 

Picture9.png

Cause 

The most common problem with Teams Integration relates to the domain name:

This exact name must be set up in two locations:

  1. In the list of Routes in the LMS Portal Settings
  2. In Azure

How it works: 

  • The LMS looks at the URL you are using in your browser's address bar. 
  • It then uses that domain name to look up the Route in the LMS's Routes table
  • It then sends this domain name to Microsoft when you are connecting to Teams. 
  • Microsoft then looks it up to see if it has been setup within the list of Redirect URI's. If not, it fails. Quite often  more than one Route is setup in the LMS, ensure you add them all to Azure.  

Solution: Add this domain name to the list in Azure. 

  • See Step 3 in the above setup guide, and return to the App Registration in Azure and add the proper Redirect URI for each LMS route.

Additional causes for this error are as follows:

  • The Client Secret ID has been entered in the integration settings in Portal Settings instead of the Client Secret Value.
  • The integration was inactive for a period of 90 days and the authentication token has expired.
  • The Client Secret has expired in Microsoft Azure and a new Client Secret needs to be generated.

The solution to this issue is re-authorizing the integration. This will correct the authentication error.

This error can also occur if the Instructor on the Venue does not have the correct permissions to host a virtual meeting in Microsoft Azure.

To resolve this issue, update the Instructor's permissions to allow them to host virtual meetings. A re-authorization of the integration should not be required.

 

Service Accounts and Multi-Factor Authentication

Below are Q&A style insights related to Multi-Factor Authentication:

  • Q: How was SkillSync able to utilize the User account to create invites without causing a timeout or triggering Multi-Factor Authentication?
    • A: We use client secrets to authenticate which doesn’t trigger a Multi-Factor Authentication (MFA). MFA is typically used when an interactive authentication is performed by a human via an interface (like a login screen). When systems authenticate without an interface, using a client secret, MFA is not required and doesn't trigger. The client secret securely identifies one system to the other and a User level MFA is not required.
  • Q: Would there be any cautions around Multi-Factor Authentication with the service account - specifically, are there any special configurations we'll need for the service account to prevent any issues?
    • A: The service account must have a sufficient level of permission to add an app registration into your client Azure portal. Azure app registrations are an easy and powerful way to configure authentication and authorization workflows for a variety of different client types. An app registration identifies an app (SkillSync) which allows us to authenticate to the Azure portal, allowing for the creation and edit of meetings for your Teams integration.
    • Because of the scopes we require for the integration, SkillSync will validate hosts against your active Teams Users when an ILC Session is assigned to an Instructor to confirm that the Instructor is a valid Teams User and will have all host capabilities once the meeting begins.
      • EX: Recordings and breakout rooms.

 

Who is the Organizer for a Teams Based ILC?

The User who enabled the integration will always be the Organizer for the meeting.

To have multiple Instructors have permissions in the meeting, the Co-Organizer function must be enabled.

The Portal won't prevent you from adding multiple instructors, but unless the Co-Organizer function is enabled they aren't added as Organizers or Co-Organizers.

 

Government Teams Tenant Support

Q: Can a government Teams Tenant be used rather than a corporate Teams Tenant?

A: We do not support Microsoft Graph for US Government L4 or Microsoft Graph for US Government L5 (DOD). We are unable to test other US government national clouds and cannot confirm that they will be supported. 

 

Roles & Permissions

This Integration requires specific permissions in both SkillSync and Azure. We will outline these below.

 

Azure Permission Guidance

In Azure, clients must configure permissions for both Administrators and the API. These are discussed further in the subsequent sections.

 

Roles and Administrators

In order to effectively utilize the Microsoft Teams Meeting integration, the client Azure tenant will need to have specific permissions configured. Typically, only the Read-Only Administrator role is required. In most cases, you may also see the Cloud Application Administrator role.


microsoft-teams-integration-admin-permissions.png

 

API Permissions

The client will also need to configure API permissions. The API / Permission names for all configured permissions exist in the Microsoft Graph permission set. The Configured/Other permissions may not look exactly the same as below, but each line item should appear (User.Read, Directory.Read.All, offline_access, OnlineMeetingArtifact.Read.All, OnlineMeetings.ReadWrite).

 

microsoft-teams-integration-api-permissions.png

 

  • Directory.Read.All: This is used to access user data to verify that instructors provided are valid hosts. I.e. we do a lookup to ensure a user with the instructorʼs email exists in Microsoft.
  • offline_access: The offline_access permission is a standard OIDC scope that's requested so that the app can get a refresh token. See the Microsoft documentation here for more information.
  • OnlineMeetingArtifact.Read.All: Allows us to read meeting artifacts on the organization's behalf (attendance reports). This is required for the auto attendance marking feature.
  • OnlineMeetings.ReadWrite: Allows us to create, update, delete, and retrieve details of meetings. This lets our core MS teams integration operate.
  • User.Read: is not a required permission.

 

Instructor/Co-Organizer Assignments

Please be aware there must be an exact match between Email (not Username) in SkillSync and Email in Azure user details for Instructor / Co-Organizer assignments to work. If there is no match to the Email in Azure, a secondary check for a match to the UPN will be done.

 

SkillSync Permissions

System Admins are the only Admins who can adjust settings within the Portal Settings. Once the Microsoft Teams Integration options have been toggled on, all other Admins will need the following permissions. 

Required Role Permissions

Keep in mind that you may need to adjust permissions.

Role: Section Access Permission(s) Needed
Courses > Venues View or Modify permission
Courses > Instructor-Led Courses > Sessions Add, View or Modify permission

 

Suggested Role Permissions

Role: Section Access Permission(s) Needed
Users

View or Modify permission

Comments

0 comments

Article is closed for comments.

Powered by Zendesk