1. Solution overview

Jos Verlinde edited this page Jun 29, 2022 · 3 revisions

High Level Design

Solution high Level Design

  1. Users can access the application directly from Microsoft Teams. The owner of the Team in which the application is added can grant permissions to make sure users can access the App. However, to make changes to auto attendants and call queues, individual users need to be added separately in the App itself.
  2. The user interface is provided by a Power App. The Power App is only accessible to the members of the O365 Group; however, per-user permissions can be set in the App itself, for example to only allow a user to update the greeting of an auto attendant.
  3. Auto Attendant, Call Queue and User Management settings are stored in SharePoint Lists - Before an Auto Attendant and/or Call Queue can be managed it first needs to be added to the respective SharePoint List.
  4. Actions validated in the Power App trigger a Power Automate flow. The role of the flows is to secure and log all queries sent to the Teams Admin Center APIs.
  5. Azure KeyVault is used to securely store the secret and credentials required by the solution. With this design, secrets & credentials management of the "service account" and of the "service principal" can be delegated to a third party that is not an admin of the Team Telephony solution.
  6. Power Automate calls the Azure Function API providing the appropriate credentials.
  7. The Azure Function gets the "service account" credential that has the "Teams Communications Administrator" role and executes the PowerShell scripts.
  8. Azure AD conditional access checks the permissions and location of the request.
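
Steps 5 to 7 sketched as an HTTP-triggered PowerShell Azure Function. This is an added example, not the project's own code. It assumes the Function reads the service account from Key Vault with its own managed identity (Az session set up in `profile.ps1`); the app setting `KEYVAULT_NAME`, the secret names, the action name and the request body fields are all hypothetical.

```powershell
using namespace System.Net
# Added example (run.ps1). Vault, secret, action and field names are hypothetical.
param($Request, $TriggerMetadata)

# Deny by default: only actions on this list are ever executed.
$allowedActions = @('GetAutoAttendant')

function Send-Response([HttpStatusCode]$Status, $Body) {
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = $Status
        Body       = $Body
    })
}

$action   = [string]$Request.Body.action
$identity = [string]$Request.Body.identity

if ($action -notin $allowedActions) {
    Send-Response BadRequest 'Unsupported action'
    return
}
# The auto attendant identity must parse as a GUID before it reaches any cmdlet.
$guid = [guid]::Empty
if (-not [guid]::TryParse($identity, [ref]$guid)) {
    Send-Response BadRequest 'Invalid identity'
    return
}

$connected = $false
try {
    # Assumption: the caller never supplies the service account; it is read
    # from Key Vault at run time, so rotating it needs no change here.
    $vault = $env:KEYVAULT_NAME
    $user  = Get-AzKeyVaultSecret -VaultName $vault -Name 'svc-username' -AsPlainText
    $pass  = (Get-AzKeyVaultSecret -VaultName $vault -Name 'svc-password').SecretValue
    $cred  = [pscredential]::new($user, $pass)

    Connect-MicrosoftTeams -Credential $cred | Out-Null
    $connected = $true
    $aa = Get-CsAutoAttendant -Identity $guid.ToString()
    Send-Response OK ($aa | Select-Object Identity, Name, LanguageId)
}
catch {
    # Details stay in the Function log; the caller gets a generic message.
    Write-Error $_
    Send-Response InternalServerError 'Request failed'
}
finally {
    if ($connected) { Disconnect-MicrosoftTeams }
}
```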