
Application Configuration in Azure Portal for OAuth2 Account to use in Teams


Overview

The Snaps in the Microsoft Teams Snap Pack require an OAuth2 account to access the resources in Azure. For the OAuth2 account to authorize successfully, create and configure an application corresponding to the account as shown in the workflow.

Steps one to three are done in the Azure Portal and the remaining steps are done in the Snap account (SnapLogic Platform).

Prerequisites

An Azure account with a free subscription to create the application.

Key Steps in the Workflow

Create an Application in the Azure Portal

  1. Log in to the Microsoft Azure Portal.

  2. Navigate to Azure services > Microsoft Entra ID.

  3. Navigate to Add > App registration.

  4. On the Register an application page, specify the name for registering the application and click Register. Learn more about creating an application at https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app.

To use an existing application, navigate to Portal Home > Azure Active Directory > App registrations > All applications. In the search box, specify the application name you want to use. Details of the registered application are displayed in the search list.

Define Permissions

The Teams Online Snap Pack supports the following three types of accounts:

The permissions for the registered application are either Delegated or Application permissions, based on the account type. Select Delegated permissions for OAuth2 User Accounts and Application permissions for OAuth2 Application Accounts.

  1. On the left navigation panel, navigate to Manage, select API permissions > Add a permission.

  2. On the Request API permissions window, select Microsoft Graph > Delegated permissions for the OAuth2 User account and Application permissions for the OAuth2 Application Account.

  3. Select the permissions from Files, Users, and Teams. Choose the minimum API permissions listed under Scopes and Permissions Required for Teams.

  4. Click Add Permissions. View all the permissions added under Configured permissions.

     

  5. Click Grant admin consent confirmation and select Yes.

  6. Click Overview and select Add a Redirect URI. You will be redirected to the Platform configurations page.

     

    1. Under Platform configurations, click Add a platform.

    2. Select Web and specify either of the following Redirect URIs based on the region your server is located:
      https://emea.snaplogic.com/api/1/rest/admin/oauth2callback/teams
      https://elastic.snaplogic.com/api/1/rest/admin/oauth2callback/teams

    3. Click Configure. A popup message displays indicating that the application is successfully updated.

  7. On the Platform configurations page, click Save.

Locate the Application Credentials in the Azure Portal

To authorize your account in SnapLogic, you must have the following application credentials:

  • Application (Client) ID

  • Directory (Tenant) ID

  • Client secret value

  1. On the application page, under Essentials, note the Application (client) ID and Directory (tenant) ID needed for the Snap account.

  2. In the left navigation panel, select Manage > Certificates & secrets.

  3. On the Certificates & secrets page, click + New client secret.

  4. In the Add a client secret window, enter the Description, select an option for Expires from the dropdown list, and click Add. 

    The Client secret value and ID are generated. This value and the ID are required to configure the OAuth2 account.

You can copy the Client secret value only after it is generated. Note that this value is displayed only once, so make sure to copy it and store it securely.

Scopes and Permissions Required for Teams API

Microsoft Teams exposes a few granular permissions that control the access that apps have to resources. When users sign into your app, they are required to consent to these permissions. 

Delegated permissions (work or school account only*)

| Permission | Display String | Description | Admin Consent Required? |
|---|---|---|---|
| Channel.Create | Create channels | Create channels in any team, on behalf of the signed-in user. You can create up to 37 channels in a team besides the default channel - General. | Yes |
| ChannelMember.ReadWrite.All | Add and remove members from channels. | Add and remove members from channels, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner. | Yes |
| ChannelMessage.Send | Send channel messages | Allows an app to send channel messages in Microsoft Teams, on behalf of the signed-in user. You can send up to a maximum of 3000 messages per app per day, to a given channel. | No |
| ChannelSettings.ReadWrite.All | Read and write the names, descriptions, and settings of channels. | Read and write the names, descriptions, and settings of all channels, on behalf of the signed-in user. | No |
| ChannelSettings.ReadWrite.Group | Update the names, descriptions, and settings of this team’s channels. | Update this group's channel names, channel descriptions, and channel settings, without a signed-in user. | No |
| Directory.AccessAsUser.All | Access directory as the signed-in user | Allows the app to have the same access to information in the directory as the signed-in user. | Yes |
| Directory.ReadWrite.All | Read and write directory data | Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords. | Yes |
| Group.ReadWrite.All | Read and write all groups | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Also allows the app to read and write calendar, conversations, files, and other group content for all groups the signed-in user can access. Additionally allows group owners to manage their groups and allows group members to update group content. | Yes |
| GroupMember.ReadWrite.All | Read and write group memberships | Allows the app to read and write group memberships. | No |
| TeamMember.ReadWrite.All | Add and remove members from teams. | Add and remove members from teams, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner. | Yes |
| TeamSettings.ReadWrite.All | Read and change teams' settings | Read and change all teams' settings, on behalf of the signed-in user. | Yes |
| User.Read.All | Read all users' full profiles | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | Yes |

Application permissions

| Permission | Display String | Description | Admin Consent Required? |
|---|---|---|---|
| Channel.Create | Create channels. | Create channels in any team, without a signed-in user. You can create up to 37 channels in a team besides the default channel - General. | Yes |
| Channel.Create.Group | Create channels in this team. | Create channels in this group, without a signed-in user. | No |
| ChannelMember.ReadWrite.All | Add and remove members from all channels. | Add and remove members from all channels, without a signed-in user. Also allows changing a member's role, for example from owner to non-owner. | Yes |
| Directory.ReadWrite.All | Read and write directory data | Allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion. | Yes |
| Group.ReadWrite.All | Read and write all groups | Allows the app to create groups, read and update group memberships, and delete groups. Also allows the app to read and write calendar, conversations, files, and other group content for all groups. All of these operations can be performed by the app without a signed-in user. Not all group APIs support access using app-only permissions. See known issues for examples. | Yes |
| GroupMember.ReadWrite.All | Read and write group memberships | Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted. | Yes |
| TeamMember.ReadWrite.All | Add and remove members from all teams. | Add and remove members from all teams, without a signed-in user. Also allows changing a team member's role, for example from owner to non-owner. | Yes |
| TeamSettings.ReadWrite.All | Read and change teams' settings | Read and change all teams' settings, without a signed-in user. | Yes |
| TeamSettings.ReadWrite.Group | Update the settings for this team. | Read and write this team's settings, without a signed-in user. | No |
| Teamwork.Migrate.All | Manage migration to Microsoft Teams | Creating and managing resources for migration to Microsoft Teams | Yes |
| User.Read.All | Read all users' full profiles | Allows the app to read the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. | Yes |

* Personal Microsoft accounts are not supported. 
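To confirm that an issued token carries no more than the permissions listed in the two tables above, the following added example (not SnapLogic or Microsoft code) decodes a token's payload for inspection only and compares its grants with those tables. It relies on Microsoft identity platform access tokens carrying delegated permissions in the `scp` claim and application permissions in the `roles` claim; the token built by `constructed_token` is constructed sample input, and the function names are hypothetical.

```python
import base64
import json

# Permission names copied from the two tables on this page.
DELEGATED = set("""Channel.Create ChannelMember.ReadWrite.All ChannelMessage.Send
ChannelSettings.ReadWrite.All ChannelSettings.ReadWrite.Group Directory.AccessAsUser.All
Directory.ReadWrite.All Group.ReadWrite.All GroupMember.ReadWrite.All
TeamMember.ReadWrite.All TeamSettings.ReadWrite.All User.Read.All""".split())
APPLICATION = set("""Channel.Create Channel.Create.Group ChannelMember.ReadWrite.All
Directory.ReadWrite.All Group.ReadWrite.All GroupMember.ReadWrite.All
TeamMember.ReadWrite.All TeamSettings.ReadWrite.All TeamSettings.ReadWrite.Group
Teamwork.Migrate.All User.Read.All""".split())
# Rows the tables mark "Admin Consent Required? No".
NO_CONSENT = {
    "delegated": {"ChannelMessage.Send", "ChannelSettings.ReadWrite.All",
                  "ChannelSettings.ReadWrite.Group", "GroupMember.ReadWrite.All"},
    "application": {"Channel.Create.Group", "TeamSettings.ReadWrite.Group"},
}
# OpenID Connect scopes, which are not Graph resource permissions.
OIDC = {"openid", "profile", "email", "offline_access"}


def constructed_token(claims):
    """Build an unsigned, constructed JWT-shaped string to use as demo input."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


def jwt_claims(token):
    """Decode the payload segment without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit(token):
    """Report grants outside this page's tables and grants that needed admin consent."""
    claims = jwt_claims(token)
    if "scp" in claims:  # delegated token: space-separated string
        kind, granted = "delegated", set(claims["scp"].split()) - OIDC
    else:                # app-only token: array of role names
        kind, granted = "application", set(claims.get("roles", []))
    allowed = DELEGATED if kind == "delegated" else APPLICATION
    return {
        "type": kind,
        "unexpected": sorted(granted - allowed),
        "admin_consent": sorted((granted & allowed) - NO_CONSENT[kind]),
    }
```

A non-empty `unexpected` list means the application registration holds permissions beyond the ones this page asks for and is worth reviewing under API permissions.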

Specify the Credentials And Validate the Snap account

  1. Navigate to the Snap of your choice and configure the OAuth2 account with the details from the Azure portal's registered application. Refer to Teams Dynamic OAuth2 Account, Teams OAuth2 Application Account, or Teams OAuth2 User Account for further account configuration.

  2. Select the Auto-refresh token checkbox in the account settings and click Apply.

  3. Click Authorize. The Access and Refresh tokens are generated. You will be redirected to the sign-in page of the Azure Portal.

  4. Sign in to Azure Portal with valid credentials to redirect to the Snap Edit account settings dialog. The Access and Refresh tokens are autopopulated but encrypted in the Account settings.

  5. Validate the Snap Account.

If you select the Auto-refresh token checkbox, then you must provide offline_access as the Scope in the Token end point configuration.

Troubleshooting

| Common Errors | Reason | Response |
|---|---|---|
| Error 401 | Token is invalid | Provide a valid token and reauthorize the account. |
| The redirect URI specified does not match the reply URI configured for the application. | Incorrect redirect URI specified by user. | Add the following redirect_uri: https://elastic.snaplogic.com/api/1/rest/admin/oauth2callback/teams |
| URL error when invoking the operation | Ensure the tenant domain name is correct. | Ensure that Directory (tenant) ID noted from the application is in the correct format. Example: 2060aafa-89d9-423d-9514-eac46338ec05 |
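The redirect URI and tenant ID errors above, and the offline_access requirement for Auto-refresh token, can be caught before clicking Authorize. The following is an added example, not SnapLogic code: the function name `preflight` and its parameters are hypothetical, the client ID in the usage is a constructed placeholder, and the tenant ID is the example value from this page.

```python
import re
from urllib.parse import urlsplit

# Redirect URIs documented on this page; the identity provider compares the
# value exactly, so a trailing slash or a different host does not match.
DOCUMENTED_REDIRECT_URIS = {
    "https://emea.snaplogic.com/api/1/rest/admin/oauth2callback/teams",
    "https://elastic.snaplogic.com/api/1/rest/admin/oauth2callback/teams",
}
GUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


def preflight(tenant_id, client_id, redirect_uri, scope, auto_refresh):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if not GUID_RE.fullmatch(tenant_id):
        problems.append("tenant_id is not a GUID")
    if not GUID_RE.fullmatch(client_id):
        problems.append("client_id is not a GUID")
    if redirect_uri not in DOCUMENTED_REDIRECT_URIS:
        scheme = urlsplit(redirect_uri).scheme
        hint = "scheme must be https" if scheme != "https" else "no exact match"
        problems.append(f"redirect_uri not registered ({hint})")
    # Scope is a space-separated list; offline_access is what yields a refresh token.
    if auto_refresh and "offline_access" not in scope.split():
        problems.append("auto-refresh enabled but offline_access missing from scope")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the client ID is a placeholder, not a real app.
    print(preflight(
        tenant_id="2060aafa-89d9-423d-9514-eac46338ec05",
        client_id="00000000-0000-0000-0000-000000000000",
        redirect_uri="https://elastic.snaplogic.com/api/1/rest/admin/oauth2callback/teams/",
        scope="Channel.Create",
        auto_refresh=True,
    ))
```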

Frequently Asked Questions

Can we use an existing registered application to add an account to the Snap?

Yes, you can register a new application or use an existing application in the Azure portal to create an OAuth account. Refer to the key workflow in the configuration documentation: Create an Application in the Azure Portal. Learn more at Quickstart: Register an app in the Microsoft identity platform - Microsoft Entra.

We are trying to get the Account set up in SnapLogic and need examples of what the values of Application ID, Tenant ID, and Secret key look like. Is there any document referring to this information?

In our configuration documentation, the key workflow Locate application credentials in the Azure Portal highlights the values of Application ID, Client ID, and Secret key. For more information, refer to Teams OAuth2 Application Account.

Where do I find more support for account-related information and other issues?

For any support, contact the support team. The help icon in the Snap provides reference information for the selected Snap.

What type of permission does the registered application need?

The Scopes and Permissions Required for Teams API section in this document specifies the Delegated and Application permission details. For any other permissions that are needed for the application, refer to Microsoft Graph permissions reference - Microsoft Graph.

How many accounts does a Teams Snap Pack have?

For information on the account and supported account types in Teams Online Snap Pack, refer to Account types for Teams Online Snap Pack.

