Microsoft Teams: Integration Setup (Login with Microsoft)

The Teams Integration can be used for accessing your map, timeline or calendars as tabs in your Teams application - both online and desktop versions - and also as a Single Sign-on source for the YAROOMS platform.

1. Requirements

In order to use YAROOMS as a tab under your Microsoft Teams account, settings and configuration must be applied both in Azure Portal and YAROOMS. Until this is done properly, a message containing “Inactive Teams Integration” will be displayed in the Teams tab.

Note: The technical steps below must be performed by a user with Admin privileges, both in Azure Portal and in the YAROOMS web app.

2. Application and Permissions in Azure Portal

In Azure Portal go to Manage Azure Active Directory → App Registrations and create a new Application (+New Registration button).

Under Supported account types, please choose: Multitenant.

Azure App Registration with Multitenant selected

Note: After saving, store the Application (client) ID and Directory (tenant) ID for later use.

API Permissions

In the new App’s edit screen, go to API Permissions, click on "+Add a permission" and then on Microsoft Graph.

Add permission and Microsoft Graph selection

There are 2 types of permissions: Delegated and Application.

Note: Be careful to select the correct type for each permission when following the instructions below.

The minimal permissions needed are:

  • For Delegated Permissions:
    • Everything under Openid permissions (email, offline_access, openid, profile)
  • For Application Permissions:
    • Directory.Read.All
    • User.Read.All
Note: Make sure you “Grant admin consent” to those permissions!

Grant admin consent button

Certificates and Secrets

Back on the App’s edit screen, go to “Certificates and Secrets.”

Create a New Client Secret. Store the string displayed in the Value column for later use.

Careful! Secret Value, NOT Secret ID!

Note: The value of the newly generated Secret is shown in clear text only during the session in which it was created. In later sessions it is permanently masked and cannot be read again.

Authentication

In the App’s edit screen, go to “Authentication”.

Click on “+Add Platform” and select Single-page application.

Add platform authentication settings

  • Redirect URI: https://[domain].yarooms.com/account/login . The domain value is the unique URL used by your company.
  • Under Implicit grant and hybrid flows: Check both boxes (Access tokens and ID Tokens)
  • Under Advanced Settings: make sure you have the Allow public client flows set to YES.

Advanced settings with public client flows

Expose an API

Next, go to “Expose an API” in the App’s edit screen.

Expose an API section

Next to Application ID URI, click on “Add” and enter the following:

api://tenant.yarooms.com/application_client_id

Example: api://CompanyName.yarooms.com/9ff10a06-077d-46a3-ad9d-3a42dfe5f1b1

Application ID URI configuration

Click on “+ Add a scope” and enter the following:

  1. Scope name: User.Read
  2. Who can consent? Admins only
  3. Admin consent display name: Read user details
  4. Admin consent description: Read user details
  5. State: Enabled

Add scope configuration

Click on “Add a client application” and add each of the following client IDs:

  1. d3590ed6-52b3-4102-aeff-aad2292ab01c AND check Authorized scopes
  2. bc59ab01-8403-45c6-8796-ac3ef710b3e3 AND check Authorized scopes
  3. 0ec893e0-5785-4de6-99da-4ed124e5296c AND check Authorized scopes
  4. 4765445b-32c6-49b0-83e6-1d93765276ca AND check Authorized scopes
  5. 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 AND check Authorized scopes
  6. 1fec8e78-bce4-4aaf-ab1b-5451cc387264 AND check Authorized scopes
  7. 27922004-5251-4030-b22d-91ecd9a37ea4 AND check Authorized scopes

Explanation of client Ids:

  • d3590ed6-52b3-4102-aeff-aad2292ab01c → Microsoft 365 mobile application & Outlook desktop application
  • bc59ab01-8403-45c6-8796-ac3ef710b3e3 → Outlook on the web
  • 0ec893e0-5785-4de6-99da-4ed124e5296c → Microsoft 365 desktop application
  • 4765445b-32c6-49b0-83e6-1d93765276ca → Microsoft 365 web application
  • 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 → Teams web application
  • 1fec8e78-bce4-4aaf-ab1b-5451cc387264 → Teams mobile or desktop application
  • 27922004-5251-4030-b22d-91ecd9a37ea4 → Outlook mobile application

Note: Not all client IDs are required for every YAROOMS registered application. For example, if you’re setting up an application for Microsoft Teams / Login SSO, the Outlook client IDs are not needed, and vice versa.
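
To confirm that every setting in this chapter was applied before moving on, the check below compares an exported app registration with the steps above. It is an added example, not YAROOMS or Microsoft code; it assumes the input is the Microsoft Graph application object for the registration (the JSON returned by GET /applications/{id}), and the sample object, its placeholder IDs and the function name are constructed for illustration.

```python
# Client IDs the page lists for Teams (Outlook / Microsoft 365 IDs left out).
TEAMS_CLIENTS = {
    "5e3ce6c0-2b1f-4285-8d4b-75ee78787346": "Teams web application",
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264": "Teams mobile or desktop application",
}

def check_registration(app, domain):
    """Compare a Microsoft Graph application object with the steps above."""
    findings = []
    if app.get("signInAudience") != "AzureADMultipleOrgs":
        findings.append("account type is not Multitenant")
    redirect = f"https://{domain}.yarooms.com/account/login"
    if redirect not in app.get("spa", {}).get("redirectUris", []):
        findings.append("SPA redirect URI missing: " + redirect)
    implicit = app.get("web", {}).get("implicitGrantSettings", {})
    for key in ("enableAccessTokenIssuance", "enableIdTokenIssuance"):
        if not implicit.get(key):
            findings.append("implicit grant box not checked: " + key)
    if not app.get("isFallbackPublicClient"):
        findings.append("Allow public client flows is not YES")
    id_uri = f"api://{domain}.yarooms.com/{app.get('appId')}".lower()
    if id_uri not in [u.lower() for u in app.get("identifierUris", [])]:
        findings.append("Application ID URI missing: " + id_uri)
    api = app.get("api", {})
    scope = next((s for s in api.get("oauth2PermissionScopes", []) if s.get("value") == "User.Read"), None)
    if scope is None or scope.get("type") != "Admin" or not scope.get("isEnabled"):
        findings.append("scope User.Read must exist, be Admins only and Enabled")
    authorized = {p.get("appId"): p.get("delegatedPermissionIds", [])
                  for p in api.get("preAuthorizedApplications", [])}
    for client_id, name in TEAMS_CLIENTS.items():
        if scope is None or scope.get("id") not in authorized.get(client_id, []):
            findings.append(f"{name} ({client_id}) lacks the authorized scope")
    return findings

# Constructed sample (placeholder IDs): the Teams desktop client was never added.
APP_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE = {
    "appId": APP_ID, "signInAudience": "AzureADMultipleOrgs", "isFallbackPublicClient": True,
    "identifierUris": ["api://CompanyName.yarooms.com/" + APP_ID],
    "spa": {"redirectUris": ["https://CompanyName.yarooms.com/account/login"]},
    "web": {"implicitGrantSettings": {"enableAccessTokenIssuance": True, "enableIdTokenIssuance": True}},
    "api": {
        "oauth2PermissionScopes": [{"id": "scope-1", "value": "User.Read", "type": "Admin", "isEnabled": True}],
        "preAuthorizedApplications": [{"appId": "5e3ce6c0-2b1f-4285-8d4b-75ee78787346", "delegatedPermissionIds": ["scope-1"]}],
    },
}

if __name__ == "__main__":
    print(check_registration(SAMPLE, "CompanyName"))
```

An empty list means the export matches the steps in this chapter; extend `TEAMS_CLIENTS` with the Outlook and Microsoft 365 IDs if the registration is also used there.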

3. Configure Integration in YAROOMS

In YAROOMS web app, navigate to Settings → Integrations → Login with Microsoft.

Fill out the fields with the correct information found in Chapter 2:

YAROOMS integration configuration fields

  • Directory (tenant) ID and Application (client) ID: Copy-paste the values you stored earlier.
  • Client Secret: Paste the Secret VALUE (not ID) that you stored when the secret was first created.

Once the fields have been filled out with the correct values, make sure that “Integration Active” is set to YES, then click on the Save button.

4. Add YAROOMS in Teams

There are two ways of displaying Yarooms in Teams:

  1. Adding YAROOMS to your Teams left sidebar: dedicated article
  2. Adding YAROOMS windows as individual tabs: Go to Teams and install the App package. When prompted for the URL, type one of the following:

Adding YAROOMS as a Teams tab

  • https://[domain].yarooms.com/workplace/map
  • https://[domain].yarooms.com/workplace/timeline

Replace [domain] with the specific personalized section of your company’s Yarooms account URL.

A Teams tab can only display a single view, so, if a user needs to access more than one view at once, they can simply create another tab with a different URL.

5. Single-Sign-On with Teams

When activated, a new login option will be available on your tenant’s login page, allowing users to log in to YAROOMS with their Teams identity, without having to enter their email and password.

This does not require additional setup and configuration beyond the steps presented above.

6. User Provisioning

When activated, this will allow users who don’t have an account in YAROOMS to have it automatically created with the user details obtained from their Azure AD identity (email, first and last name) and with the Location and Group mapped to the configuration of choice.

When deactivated, only users who already have an account in YAROOMS will be able to log in with their Teams identity, by matching their email address from YAROOMS with the one they have in Azure AD.

User provisioning settings

  • The Static option will create all new users in a single Location and Group.
Note: We don’t recommend using the pre-defined Administrator or Supervisor groups for mapping, as all new users will have extended permissions within your tenant.
  • The Dynamic option will create new users by matching the values from a Directory field to the names of the locations / groups in YAROOMS.

The Directory field is either a pre-defined or a custom user attribute in Azure AD. This will not be passed as a claim through the relay app built for this integration, but rather accessed separately via Microsoft Graph by using the settings and permissions defined above.

  • The Auto mapping type will match the value retrieved from the Directory field to the name of a Location/Group in YAROOMS - if an entity with that name does not exist then the user account will not be created.
  • The Manual mapping type will allow pairing names of Locations / Groups to values that are supposed to be passed in the Directory field.
Note: The values passed in the Directory field are case sensitive.

Example of a “Dynamic - Manual” Group Mapping:

Dynamic manual group mapping example

  • Notice that the most commonly used value for the directory field is “memberOf”.
  • From the bottom dropdown (-Add group to the list-), you can select which YAROOMS User group you would like to link to which group you have in Azure.
  • After adding them, you must specify each of the IDs OR the exact names of the Azure Groups.
  • If the Azure retrieved value is not paired to an existing group in YAROOMS, then the user account will be created in the Default group.
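
Because Directory field values are case sensitive and an unpaired value sends the new account to the Default group, it helps to dry-run a mapping against a sample of directory users before activating provisioning. The model below is an added example, not YAROOMS code: it encodes only the Auto and Manual rules stated above, reports a user whose values match more than one group as ambiguous because the page does not say which match wins, and uses constructed group names, pairs and users.

```python
RISKY = {"Administrator", "Supervisor"}  # pre-defined groups the note above advises against

def plan(values, mode, groups, pairs=None):
    """Model the Dynamic rules for one user's Directory field values.

    mode is "auto" or "manual"; pairs maps a directory value to a YAROOMS group.
    Returns (outcome, matched_groups).
    """
    if mode == "auto":   # value must equal an existing group name, case-sensitively
        hits = {v for v in values if v in groups}
    else:                # value must equal a paired value whose group exists
        hits = {pairs[v] for v in values if v in pairs and pairs[v] in groups}
    if len(hits) > 1:
        return "ambiguous", sorted(hits)   # the page does not say which match wins
    if hits:
        return "created", sorted(hits)
    # Auto: no account is created. Manual: the account lands in the Default group.
    return ("not_created", []) if mode == "auto" else ("default", ["Default"])

def audit(users, mode, groups, pairs=None):
    """Dry-run every user and attach the notes an admin should review."""
    known = set(groups) if mode == "auto" else set(pairs)
    folded = {k.lower() for k in known}
    report = {}
    for email, values in users.items():
        outcome, matched = plan(values, mode, groups, pairs)
        notes = []
        if any(v not in known and v.lower() in folded for v in values):
            notes.append("case mismatch")
        if RISKY & set(matched):
            notes.append("extended permissions")
        report[email] = (outcome, matched, notes)
    return report

# Constructed sample data: YAROOMS groups, manual pairs and three directory users.
GROUPS = {"Default", "Employees", "Facilities", "Administrator"}
PAIRS = {"SG-Staff": "Employees", "SG-Facilities": "Facilities", "SG-IT": "Administrator"}
USERS = {
    "ana@example.com": ["SG-Staff"],
    "bo@example.com": ["sg-staff"],    # wrong case: falls through to Default
    "cy@example.com": ["SG-IT"],       # paired to a pre-defined admin group
}

if __name__ == "__main__":
    for email, row in audit(USERS, "manual", GROUPS, PAIRS).items():
        print(email, row)
```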
