microsoftgraph
diff --git a/‎concepts/connecting-external-content-deploy-teams.md
Lines changed: 90 additions & 54 deletions b/‎concepts/connecting-external-content-deploy-teams.md
Lines changed: 90 additions & 54 deletions
diff --git a/‎concepts/images/connectors-images/AADperms-TAC-connectors.png
-8.12 KB b/‎concepts/images/connectors-images/AADperms-TAC-connectors.png
-8.12 KB
diff --git a/‎concepts/images/connectors-images/samplepayload-webhooknotif-TAC.png
-101 KB b/‎concepts/images/connectors-images/samplepayload-webhooknotif-TAC.png
-101 KB
@@ -11,24 +11,26 @@ ms.subservice: search
 
 This article describes how to enable the simplified admin experience for your Microsoft Graph connector in the Teams admin center. When you enable this experience, Teams admins and Global admins can enable or disable your custom Microsoft Graph connector seamlessly in the Teams admin center.
 
-![simplified admin experience in the Teams admin center](images/connectors-images/oneclickadmin-TAC-connectors.png)
+![Simplified admin experience in the Teams admin center](images/connectors-images/oneclickadmin-TAC-connectors.png)
 
 To enable the simplified admin experience in the Teams admin center:
+
 1. Update the Teams app manifest.
-2. Update Microsoft Graph permissions.
-3. Handle Microsoft Graph webhook notifications.
-4. Create or delete Microsoft Graph connections.
-5. Validate the experience by enabling the Microsoft Graph Connector in the Teams admin center.
+1. Update Microsoft Graph permissions.
+1. Handle Microsoft Graph webhook notifications.
+1. Create or delete Microsoft Graph connections.
+1. Validate the experience by enabling the Microsoft Graph Connector in the Teams admin center.
 
 ## Update the Teams app manifest
-In the Teams app manifest, at the root, at the same level as properties like **name**, **description**, and **icons**, add the **graphConnector** property (introduced in [v1.11](https://developer.microsoft.com/en-us/json-schemas/teams/v1.11/MicrosoftTeams.schema.json) of the app manifest) with a **notificationUrl**. This field contains the URL to which Microsoft Graph connector notifications for the application are sent. The app manifest version must be [v1.13](https://developer.microsoft.com/en-us/json-schemas/teams/v1.13/MicrosoftTeams.schema.json) or higher for the simplified admin experience to work.
+
+In the Teams app manifest, at the root, at the same level as properties like **name**, **description**, and **icons**, add the **graphConnector** property (introduced in [v1.11](https://developer.microsoft.com/json-schemas/teams/v1.11/MicrosoftTeams.schema.json) of the app manifest) with a **notificationUrl**. This field contains the URL to which Microsoft Graph connector notifications for the application are sent. The app manifest version must be [v1.13](https://developer.microsoft.com/json-schemas/teams/v1.13/MicrosoftTeams.schema.json) or higher for the simplified admin experience to work.
 
 Ensure that the **webApplicationInfo** property is added to the manifest. After you update the manifest, upload it by sideloading the app or publishing the app to the store.
 
 ```JSON
 {
- "$schema":"https://developer.microsoft.com/json-schemas/teams/v1.11/MicrosoftTeams.schema.json",
-  "manifestVersion": "1.11",
+ "$schema":"https://developer.microsoft.com/json-schemas/teams/v1.13/MicrosoftTeams.schema.json",
+  "manifestVersion": "1.13",
   ...
   "webApplicationInfo": {
     "id": "<AAD_APP_ID>",  // e.g. "7e47846e-4bef-4c42-9817-a14e92287f28"
@@ -42,45 +44,74 @@ Ensure that the **webApplicationInfo** property is added to the manifest. After
 ```
 
 ## Update Microsoft Graph permissions
+
 In the [Microsoft Entra admin center](https://entra.microsoft.com) > expand the **Identity** menu > select **Applications** > **App registrations** > select your app registration > select **API permissions** > select **Add a permission** > select **Microsoft Graph**. Select the `ExternalConnection.ReadWrite.OwnedBy` and `ExternalItem.ReadWrite.OwnedBy` Microsoft Graph permissions as shown in the following example.
-![updated Microsoft Graph permissions](images/connectors-images/AADperms-TAC-connectors.png)
+
+![Updated Microsoft Graph permissions](images/connectors-images/AADperms-TAC-connectors.png)
 
 ## Handle Microsoft Graph webhook notifications
+
 When the admin turns **on** or **off** the Microsoft Graph connector from the Teams admin center, Microsoft Graph sends a change notification to the URL specified in the **notificationUrl** property in the manifest. Your app needs to manage these Microsoft Graph connections accordingly.
 
 ### Change notifications
+
 For details about how to set up change notifications, see [Set up notifications for changes in resource data](/graph/webhooks#change-notifications). The following example shows a payload.
 
-![Payload example for Microsoft Graph webhook notification](images/connectors-images/samplepayload-webhooknotif-TAC.png)
+```json
+{
+  "validationTokens": [
+    "[jwt validation token]"
+  ],
+  "value": [
+    {
+      "changeType": "updated",
+      "clientState": null,
+      "resource": "external",
+      "resourceData": {
+        "@odata.id": "external",
+        "id": "[graph connector id]",
+        "state": "enabled", // or disabled
+        "connectorsTicket": "[An opaque encoded string]",
+        "@odata.type": "#Microsoft.Graph.connector"
+      },
+      "subscriptionExpirationDateTime": "2024-08-30T13:01:48.3441108-07:00",
+      "subscriptionId": "[change notification's subscription id]",
+      "tenantId": "[customer's tenant id]"
+    }
+  ]
+}
+```
 
 To understand how to validate the inbound change notification, see [Validating the authenticity of notifications](/graph/webhooks-with-resource-data#validating-the-authenticity-of-notifications).
 
 Keep the following tips in mind:
-* You can ignore **SubscriptionExpirationDateTime** and **SubscriptionId**.
-* The change notification is for Microsoft Graph connector management only when the @odata.type of the resource data matches the one in the sample payload.
-* The **tenantId** identified is the customer's tenant ID. When calling the Microsoft Graph API to [manage Microsoft Graph connections](/graph/connecting-external-content-manage-connections), you must generate the app token on behalf of this customer's tenant ID.
-* You can call the Microsoft Graph API to get the customer's display name and default domain name. This can help you map the **tenantId** to the unique identifier in your system. To learn more, see [find tenant information by tenant ID](/graph/api/tenantrelationship-findtenantinformationbytenantid).
-* Within **resourceData**, use **state** to determine whether to create or delete connections. You need the **connectorsTicket** to create the connections.
+
+- You can ignore `subscriptionExpirationDateTime` and `subscriptionId`.
+- The change notification is for Microsoft Graph connector management only when the `@odata.type` of the resource data matches the one in the sample payload.
+- The `tenantId` identified is the customer's tenant ID. When calling the Microsoft Graph API to [manage Microsoft Graph connections](connecting-external-content-manage-connections.md), you must generate the app token on behalf of this customer's tenant ID.
+- You can call the Microsoft Graph API to get the customer's display name and default domain name. This can help you map the `tenantId` to the unique identifier in your system. To learn more, see [find tenant information by tenant ID](/graph/api/tenantrelationship-findtenantinformationbytenantid).
+- Within `resourceData`, use `state` to determine whether to create or delete connections. You need the `connectorsTicket` to create the connections.
 
 ### Handling "connector enable" notification
 
 To handle "connector enable" notifications:
 
-* Determine which Microsoft Graph connections to create (how many connections and which schema for each connection) by using the [External connection List API](/graph/api/externalconnectors-externalconnection-list?view=graph-rest-beta&preserve-view=true&tabs=http) to query for all connections. Determine whether to create all connections from scratch, resume creation of connections (in resiliency flow), or no-op (when all desired connections are already in the **ready** state).
-* The [connection](/graph/api/externalconnectors-external-post-connections) is created in a **draft** state. Pass the **connectorsTicket** opaque encoded string to the connection creation API in the `GraphConnectors-Ticket` HTTP header.
-* [Register the schema](/graph/api/externalconnectors-externalconnection-patch-schema?view=graph-rest-beta&preserve-view=true&tabs=http).
-* After a successful schema creation or update, the connection should reach a **ready** state.
+- Determine which Microsoft Graph connections to create (how many connections and which schema for each connection) by using the [External connection List API](/graph/api/externalconnectors-externalconnection-list?view=graph-rest-beta&preserve-view=true&tabs=http) to query for all connections. Determine whether to create all connections from scratch, resume creation of connections (in resiliency flow), or no-op (when all desired connections are already in the **ready** state).
+- The [connection](/graph/api/externalconnectors-external-post-connections) is created in a **draft** state. Pass the `connectorsTicket` opaque encoded string to the connection creation API in the `GraphConnectors-Ticket` HTTP header.
+- [Register the schema](/graph/api/externalconnectors-externalconnection-patch-schema?view=graph-rest-beta&preserve-view=true&tabs=http).
+- After a successful schema creation or update, the connection should reach a **ready** state.
 
 ### Handling "connector disable" notification
 
 To handle "connector disable" notifications:
 
-* Determine which Microsoft Graph connections to delete by using the [External connection List API](/graph/api/externalconnectors-externalconnection-list) to query for all connections.
-* Delete all connections by using the [External connection Delete API](/graph/api/externalconnectors-externalconnection-delete?view=graph-rest-beta&preserve-view=true&tabs=http).
-* We recommend that you build resiliency logic to retry the deleted connection to verify that it's deleted.
+- Determine which Microsoft Graph connections to delete by using the [External connection List API](/graph/api/externalconnectors-externalconnection-list) to query for all connections.
+- Delete all connections by using the [External connection Delete API](/graph/api/externalconnectors-externalconnection-delete?view=graph-rest-beta&preserve-view=true&tabs=http).
+- We recommend that you build resiliency logic to retry the deleted connection to verify that it's deleted.
 
-#### Request
-```
+### Example notification request
+
+```http
 POST https://example.com/notificationEndpoint
 Content-type: application/json
 Content-length: 100
@@ -107,27 +138,27 @@ Content-length: 100
 }
 ```
 
-#### Response
-```
+### 202 Response
+
+```http
 HTTP/1.1 202 Accepted
 Content-type: application/json
 Content-length: 0
 ```
+
 You need to send a `202 - Accepted` status code in your response to Microsoft Graph. If Microsoft Graph doesn't receive a 2xx class code, it tries to publish the change notification a number of times for about four hours. After that, the change notification is dropped and isn't delivered.
 
->[!NOTE]
->Send the `202 - Accepted` status code as soon as you receive the change notification, even before you validate its authenticity. You are acknowledging the receipt of the change notification and preventing unnecessary retries.
->The current timeout is 30 seconds, but it might be reduced in the future to optimize service performance.
->If the notification URL doesn't reply within 30 seconds for more than 10% of the requests from Microsoft Graph over a 10-minute period, all subsequent notifications will be delayed and retried for a period of 4 hours.
->If a notification URL doesn't reply within 30 seconds for more than 20% of the requests from Microsoft Graph over a 10-minute period, all subsequent notifications will be dropped.
+> [!NOTE]
+> Send the `202 - Accepted` status code as soon as you receive the change notification, even before you validate its authenticity. You are acknowledging the receipt of the change notification and preventing unnecessary retries. The current timeout is 30 seconds, but it might be reduced in the future to optimize service performance. If the notification URL doesn't reply within 30 seconds for more than 10% of the requests from Microsoft Graph over a 10-minute period, all subsequent notifications will be delayed and retried for a period of 4 hours. If a notification URL doesn't reply within 30 seconds for more than 20% of the requests from Microsoft Graph over a 10-minute period, all subsequent notifications will be dropped.
+
+To validate the authenticity of `validationToken`:
 
-To validate the authenticity of **validatonToken**:
 - Verify that the token hasn't expired.
 - Verify that the token hasn't been tampered with and was issued by the Microsoft identity platform.
-- Verify that the **azp** claim in the **validationToken** is **0bf30f3b-4a52-48df-9a82-234910c4a086**.
-- Verify the **aud** claim in the **validationToken** is the same as the "{{Teams-appid}}" you specified.
+- Verify that the `azp` claim in the token is **0bf30f3b-4a52-48df-9a82-234910c4a086**.
+- Verify the `aud` claim in the token is the same as the "{{Teams-appid}}" you specified.
 
-For details, see [Validating the authenticity of notification](/graph/webhooks-with-resource-data?tabs=csharp#validating-the-authenticity-of-notifications).
+For details, see [Validating the authenticity of notification](/graph/webhooks-with-resource-data.md#validating-the-authenticity-of-notifications).
 
 The following example shows a validation token.
 
@@ -137,7 +168,7 @@ The following example shows a validation token.
   "alg": "RS256",
   "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
 }.{
-  "aud": "e478830d-8f49-4c26-80c6-58f68e0f064b",
+  "aud": "925bff9f-f6e2-4a69-b858-f71ea2b9b6d0",
   "iss": "https://login.microsoftonline.com/9f4ebab6-520d-49c0-85cc-7b25c78d4a93/v2.0",
   "iat": 1624649764,
   "nbf": 1624649764,
@@ -155,10 +186,12 @@ The following example shows a validation token.
 ```
 
 ## Create or delete Microsoft Graph connections
-You need to send the **connectorTickets** from the payload you received as a `GraphConnectors-Ticket` header when you initiate the creation of the Teams app connection. The following example shows this process.
 
-### Request
-```
+You need to send the `connectorTickets` from the payload you received as a `GraphConnectors-Ticket` header when you initiate the creation of the Teams app connection. The following example shows this process.
+
+### Example create connector request
+
+```http
 POST https://graph.microsoft.com/v1.0/external/connection
 GraphConnectors-Ticket: {{connectorsTicket}}
 Content-type: application/json
@@ -176,30 +209,33 @@ Authorization: bearer {{accessToken}}
 }
 ```
 
->[!NOTE]
->- You must set the {{connectorId}} to the value provided in the notification from Graph Connectors when you create the connection.
->- You should acquire the {{accessToken}} from the [Microsoft identity platform](/azure/active-directory/develop/v2-app-types) for the tenant that is being notified.
+> [!NOTE]
+>
+> - You must set the {{connectorId}} to the value provided in the notification from Graph Connectors when you create the connection.
+> - You should acquire the {{accessToken}} from the [Microsoft identity platform](/azure/active-directory/develop/v2-app-types) for the tenant that is being notified.
 
-### Response
-```
+### Example create connector response
+
+```http
 HTTP/1.1 200 Accepted
 Content-type: application/json
 Content-length: 0
 ```
 
->[!NOTE]
->Various Microsoft 365 experiences can be enabled for the connections created. For details, see [Microsoft Graph connectors overview](/graph/connecting-external-content-connectors-overview).
+> [!NOTE]
+> Various Microsoft 365 experiences can be enabled for the connections created. For details, see [Microsoft Graph connectors overview](connecting-external-content-connectors-overview.md).
 
-To learn how to ingest external items into a working Microsoft Graph connection, see [Create, update, and delete items added by your application via Microsoft Graph connectors](/graph/connecting-external-content-manage-items).
+To learn how to ingest external items into a working Microsoft Graph connection, see [Create, update, and delete items added by your application via Microsoft Graph connectors](connecting-external-content-manage-items.md).
 
 ## Validate the experience by enabling the Microsoft Graph connector in the Teams admin center
 
 To validate the experience:
-* Sign in to the [Teams admin center](https://admin.teams.microsoft.com) as a Teams admin or Global admin of the tenant.
-* Select the **Manage apps** blade in the left rail.
-* Go to your Teams application.
-* On the detail page of the Teams app, you notice a new **Graph Connector** tab that allows an admin to enable or disable the Microsoft Graph connector.
-* Select the toggle button to send the enable or disable notifications to the notification endpoint of the app, as specified by the **graphConnector.notificationUrl** property in the app manifest.
+
+- Sign in to the [Teams admin center](https://admin.teams.microsoft.com) as a Teams admin or Global admin of the tenant.
+- Select the **Manage apps** blade in the left rail.
+- Go to your Teams application.
+- On the detail page of the Teams app, you notice a new **Graph Connector** tab that allows an admin to enable or disable the Microsoft Graph connector.
+- Select the toggle button to send the enable or disable notifications to the notification endpoint of the app, as specified by the `graphConnector.notificationUrl` property in the app manifest.
 
 ## Make your Microsoft Graph connector available for other organizations in the Teams admin center
 
@@ -208,6 +244,7 @@ You can submit your Microsoft Graph connector packaged as a Teams app extended a
 You can use the [step-by-step submission guide](/partner-center/marketplace/add-in-submission-guide) to learn how to submit your app. Make sure that you submit a **Teams app** in the **Microsoft 365 and Copilot** tab in **Marketplace offers**.
 
 You need to submit a PDF in the **Additional certification info** step. Microsoft uses the information you provide in this PDF to make sure that your Microsoft Graph connector performs as expected in Copilot for Microsoft 365. Your PDF must have the following sections:
+
 - Test accounts, license keys, and credentials
 - Custom Vertical Name
 - Semantic Labels
@@ -217,8 +254,7 @@ You need to submit a PDF in the **Additional certification info** step. Microsof
 
 ### Test accounts, license keys, and credentials
 
-Create a user account on your demo tenant that Microsoft can use to validate your Microsoft Graph connector. This can be done in the [Users section](https://admin.microsoft.com/Adminportal/Home?#/users/:/adduser) of the Microsoft 365 Admin Center. 
-Ensure that this new user account has a Copilot for Microsoft 365 license. 
+Create a user account on your demo tenant that Microsoft can use to validate your Microsoft Graph connector. This can be done in the [Users section](https://admin.microsoft.com/Adminportal/Home?#/users/:/adduser) of the Microsoft 365 Admin Center. Ensure that this new user account has a Copilot for Microsoft 365 license.
 
 In this section of the PDF, provide the credentials and any applicable license keys for this new user account. This information is mandatory. To learn more about how to prepare the user account for validation, see [best practices for providing test notes](/microsoftteams/platform/concepts/deploy-and-publish/appsource/prepare/submission-checklist?tabs=desktop#compile-testing-instructions).