OK this one’s not a problem with PSU per se - more a call for help in case someone else (@insomniacc?) has tried this.
I’d like to be able to manage Microsoft Teams from PSU, and I see that Connect-MicrosoftTeams has an -Identity parameter to let it connect using a managed identity.
Our PSU app service has its own managed identity (we use it to connect to AzKeyVault) so I’m assuming it’s possible to use that.
I have this script:
Connect-MicrosoftTeams -Identity
Get-Team
… and it appears to connect, but then throws this when it gets to the Get-Team call:
Hey, can't say I have unfortunately. My UD instance is still sat on-prem not really doing much at the moment, it was just used as a demo, but we’ve been migrating our automation platform so that took priority and it kinda got put aside + it’s taking forever to get anywhere with the networking team so I still don’t have access back to on-prem from my webapp. … maybe one day soon.
I know when I played around with a PS function app, there’s something similar in the default profile which uses the identity, I can’t remember what it was doing but I think it set the identity to use with other things - bit of a stab in the dark but you could pop up an empty PS function app and have a look at the profile.ps1 to see if that helps.
I haven’t specifically connected to Teams like this though, my Teams interaction has mainly just been webhooks and Graph data.
This example demonstrates how to sign in using AccessTokens. Admins can retrieve access tokens. It requires two tokens, an MS Graph access token and a Teams resource token.
$graphtoken = #Get MSGraph Token for following for resource "https://graph.microsoft.com" and scopes "AppCatalog.ReadWrite.All", "Group.ReadWrite.All", "User.Read.All";
$teamstoken = #Get Teams resource token for resource id "48ac35b8-9aa8-4d74-927d-1f4a14a0b239" and scope "user_impersonation";
Connect-MicrosoftTeams -AccessTokens @($graphtoken, $teamstoken)
Yeah I use -Credential in my current (on-prem) scripts, but in the cloud, since I have an Azure Managed Identity for PSU, I wanted to try that.
The -AccessTokens option might work, but I’m not sure how to fetch the “Teams resource token”. I can get a Graph token with the Az PowerShell module, I think. Any clues?
Sorry, was worth a try. If you don’t mind me asking, what are you doing in Teams that can not be done via Graph? Just wondering in case I hit that wall.
Mike
Ah I just find the MicrosoftTeams module much easier to use. I’m using Graph to interrogate Teams elsewhere, so it’s still an issue.
I might be able to use Get-AzAccessToken to fetch a Graph token using my managed identity so I don’t have to store any credentials, too, so I will experiment with that.
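As an added example (not code from this thread, the MicrosoftTeams module or its documentation), the script below puts the two ideas together: the -AccessTokens sign-in quoted earlier in the thread, and fetching tokens from the App Service's managed identity with Get-AzAccessToken so nothing is stored. It assumes the Az.Accounts module is installed, that it runs where the managed identity exists, and that the identity has been granted the Graph application permission it needs (Group.Read.All is enough for listing teams). The function names are mine; the Teams resource id is the one quoted in the thread, and passing that application id to -ResourceUrl is an assumption about Get-AzAccessToken rather than something the thread confirms.

```powershell
# Added example: managed-identity tokens for Graph and Teams, with no stored credentials.
# Assumes Az.Accounts is installed and the script runs under the App Service's managed identity.

function Get-PlainAccessToken {
    # Wraps Get-AzAccessToken and returns the bearer token as a plain string.
    # Older Az.Accounts versions return .Token as [string]; newer ones return a [SecureString].
    param([Parameter(Mandatory)][string]$ResourceUrl)

    $result = Get-AzAccessToken -ResourceUrl $ResourceUrl
    if ($result.Token -is [securestring]) {
        return [System.Net.NetworkCredential]::new('', $result.Token).Password
    }
    return [string]$result.Token
}

function Get-TeamsFromGraph {
    # Lists the M365 groups that are Teams, using only the Graph token.
    # Requires the Group.Read.All (or Group.ReadWrite.All) application permission on the identity.
    param([Parameter(Mandatory)][string]$GraphToken)

    $uri = "https://graph.microsoft.com/v1.0/groups?`$filter=resourceProvisioningOptions/Any(x:x eq 'Team')&`$select=id,displayName"
    $headers = @{ Authorization = "Bearer $GraphToken" }
    $teams = @()
    do {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $teams += $page.value
        $uri = $page.'@odata.nextLink'   # follow Graph paging until no nextLink is returned
    } while ($uri)
    return $teams
}

function Send-TeamsWebhookMessage {
    # Posts a plain text message to a channel's incoming webhook (the mechanism used for the
    # "who's on leave today" post). The webhook URL comes from the channel's connector settings.
    param(
        [Parameter(Mandatory)][string]$WebhookUrl,
        [Parameter(Mandatory)][string]$Text
    )
    $body = @{ text = $Text } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri $WebhookUrl -ContentType 'application/json' -Body $body
}

# 1. Sign in to Az with the system-assigned managed identity; no secret is stored anywhere.
Connect-AzAccount -Identity | Out-Null

# 2. Graph token from the managed identity, then read Teams straight from Graph.
$graphToken = Get-PlainAccessToken -ResourceUrl 'https://graph.microsoft.com'
Get-TeamsFromGraph -GraphToken $graphToken | Select-Object displayName, id

# 3. The -AccessTokens route. The Teams resource id is the one quoted in the thread.
#    Assumption: Get-AzAccessToken accepts the application id as -ResourceUrl. The module may
#    still reject an app-only token pair, so the failure is surfaced rather than swallowed.
try {
    $teamsToken = Get-PlainAccessToken -ResourceUrl '48ac35b8-9aa8-4d74-927d-1f4a14a0b239'
    Connect-MicrosoftTeams -AccessTokens @($graphToken, $teamsToken) | Out-Null
    Get-Team | Select-Object DisplayName, GroupId
}
catch {
    Write-Warning "Connect-MicrosoftTeams with managed-identity tokens failed: $($_.Exception.Message)"
}

# 4. Channel post via incoming webhook (placeholder URL; replace with the channel's own).
# $webhook = '<CHANNEL-INCOMING-WEBHOOK-URL>'
# Send-TeamsWebhookMessage -WebhookUrl $webhook -Text 'On leave today: (names from the HR export)'
```

Step 2 is the part that only needs the managed identity and a Graph permission; step 3 is the experiment the thread is about, so it is wrapped in try/catch so a rejected token pair is logged and the rest of the script still runs.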
… with no stored credentials! So that’s awesome. Shame that Connect-MicrosoftTeams doesn’t work, but this’ll get me going.
To answer your question, @MSchreiber - my use case for this test is a “who’s on leave today” post. We have a daily script that interrogates our HR system to find out who’s on leave today, and then uses an incoming webhook in a set of known Teams to post a message in a channel to say who in the team is on leave today. It’s pretty slick!