Azure Registration Process
    • 13 Feb 2024

    Background

    Nectar provides diagnostics and analytics of your organization’s voice and video sessions in Microsoft Teams. In order for Nectar to receive telemetry from your Microsoft Office 365 tenant, our application must be authorized by your organization in Azure. This document will guide you through the steps to obtain authorization information that you will then need to provide to Nectar. This step-by-step guide will assist with accessing your Azure account, registering the Nectar app, requesting API permissions, creating your Client Secret or certificate and, finally, explicitly granting Nectar’s application permission to receive data from Microsoft’s Graph API.

    There are two ways to accomplish these steps:

    • Automatically, using a PowerShell script
    • Manually, via the Azure Portal

    Script-Based Configuration

    Warning
    The PowerShell script is provided for your convenience only. It is not supported and Nectar Corporation will not be responsible for any issues caused by running this script. Use at your own risk.

    Download the PowerShell script below to a computer with PowerShell installed (Windows or Linux-based).


    Open a PowerShell prompt and run the following:

    .\NectarAzureAppRegistration.ps1

    By default, the script will run with the following settings:

    • Application Display Name: Nectar DXP Cloud Connector
    • App Secret Validity Period: 10 years

    Note
    The script will create the application using a client secret. If you wish to use a certificate, perform the steps manually.

    If you want to change the defaults, run the script with the following parameters:

    • AppName - The display name to use for the application
    • SecretDuration - The length of time in years that the secret should be valid

    .\NectarAzureAppRegistration.ps1 -AppName 'Nectar Application' -SecretDuration 2

    This example will create the Azure App with the name Nectar Application and a secret duration of 2 years.

    Manual Configuration

    Access Azure Account

    1. Enter the following URL into your browser: https://portal.azure.com/
    2. Search for “App registrations” and select App registrations.

    Register App

    1. Select New registration
    2. Enter the user-facing display name you wish to use for the Nectar application. For support purposes, it is suggested to use 'Nectar Cloud Connector', as it will assist support personnel in identifying the correct application during troubleshooting.
    3. Select the appropriate Supported account type for your organization. For most customers, Accounts in this organizational directory only is the appropriate selection.
    4. Select the Register button.
    5. Make note of the Application (client) ID and the Directory (tenant) ID. You will need to send this information to Nectar.

    Request API Permissions

    1. Select View API permissions.
    2. Select Add a permission.
    3. Select Microsoft Graph.
    4. Select Application permissions.
    5. Expand the CallRecords selection.
    6. Click the CallRecords.Read.All checkbox.
    7. Scroll down and expand the GroupMember selection.
    8. Click the GroupMember.Read.All checkbox.
    9. Scroll down and expand the User selection.
    10. Click the User.Read.All checkbox. Alternatively, select the User.ReadBasic.All checkbox. This provides access to a limited subset of user information without adversely affecting the usability of Nectar DXP.
      A special note regarding Entra ID user information gathering
      Nectar DXP gathers Entra ID (formerly Azure AD) user information mainly to enrich the UI by showing the user name, work address, email address, phone number and user photo in calls/conferences. This can be helpful when support personnel have to contact a user while troubleshooting an issue. Most of these attributes are available via the User.ReadBasic.All permission (with the exception of work address and phone number). Additional attributes available via User.Read.All are useful for organizations who want access to the full set of user attributes without having to use other tools.

      We also use Entra ID information such as the email address to make it possible to synchronize user objects between different platforms. For instance, if a customer has both Teams and Zoom, we link the user accounts using a common email address. This allows Nectar DXP to show both Teams and Zoom calls for a given user at the same time.

      We gather Entra ID group information (via GroupMember.Read.All) for some reports that can focus on a specific group of users. Without group information, Nectar DXP will be unable to provide such functionality. The reports themselves will still work but filtering by group will not be available.

      Nectar DXP can function without access to Entra ID user information. Without it, multi-platform user syncing will not function and viewing an individual user will show much less information about that user. We will still get the user display name from the Teams call record, which means that searching for an individual user will still work.
    11. OPTIONAL - Scroll up and expand the TeamworkDevice selection.
    12. Click the TeamworkDevice.Read.All checkbox
    13. Select Add Permissions.
    14. Select Grant admin consent for Nectar Cloud Connector.
    15. When the pop-up window appears asking if you wish to grant consent, click Yes.

    You should now see a green check in your status column as depicted below. If you opted to grant access for Teamwork Devices, you should see this as well (although it is not shown in the example below).

    Add the Client Secret or Certificate

    You have the option of using a Client Secret or a certificate for securing access to the application. The client secret option is faster and simpler, but the certificate option is more secure. 

    Option A - Add a Client Secret

    1. Select the Certificates & secrets option in the left-hand pane, click on Client secrets, then click on New client secret.
    2. Select the proper expiration option for your client secret and click the Add button. Nectar suggests selecting '12 months' or '24 months' to avoid call record retrieval interruption upon secret expiration. It is your responsibility to keep track of and renew the secret and to notify Nectar of the change.
    3. When your Client Secret value populates, click on Copy to clipboard.
    4. Make note of the appID, Directory/TenantID and Client Secret and send to Nectar.

    Option B - Add a Certificate

    Using a certificate is more secure than a client secret because it requires that both sides of the communication (Azure and Nectar DXP) hold the matching public and private portions of a unique certificate. The Azure application stores the certificate (the public portion), while Nectar DXP stores the private key. Communication is only possible when the two match.

    1. When you are ready, contact your Nectar representative to obtain the certificate to be used in the application. It will be provided in a .PEM format. 
    2. Select the Certificates & secrets option in the left-hand pane, click on Certificates then click on Upload Certificate.
    3. Upload the certificate and click Add.
    4. Verify the certificate details, make note of the appID and Directory/TenantID and send to Nectar. 
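
    A post-registration review of the permissions and client secret configured above, as an added example; it is not Nectar's script or part of the original guide. The function name Test-ConnectorRegistration, the 60-day renewal window and the sample values are assumptions made for illustration.

```powershell
# Added example (not Nectar's script): review a registration against this guide.
# The permission sets below are the ones the guide asks for.
$Required    = 'CallRecords.Read.All', 'GroupMember.Read.All'
$UserOptions = 'User.Read.All', 'User.ReadBasic.All'   # the guide accepts either one
$Optional    = 'TeamworkDevice.Read.All'

function Test-ConnectorRegistration {
    param(
        [string[]]$Granted,                  # application permissions with admin consent
        [datetime[]]$SecretExpiry = @(),     # end date of each client secret
        [int]$RenewWithinDays = 60,          # assumed renewal window, not from the guide
        [datetime]$Now = (Get-Date)
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($p in $Required) {
        if ($Granted -notcontains $p) { $findings.Add("MISSING: $p") }
    }
    $userGrants = @($Granted | Where-Object { $UserOptions -contains $_ })
    if ($userGrants.Count -eq 0) {
        $findings.Add('NOTE: no User permission; user details and multi-platform sync are unavailable')
    } elseif ($userGrants.Count -gt 1) {
        $findings.Add('EXCESS: User.ReadBasic.All is redundant next to User.Read.All')
    }
    # Anything outside the guide's list is more access than the connector asks for.
    $allowed = $Required + $UserOptions + $Optional
    foreach ($p in $Granted) {
        if ($allowed -notcontains $p) { $findings.Add("UNEXPECTED: $p") }
    }
    foreach ($end in $SecretExpiry) {
        $day = $end.ToString('yyyy-MM-dd')
        if ($end -le $Now) {
            $findings.Add("EXPIRED: client secret ended $day")
        } elseif ($end -le $Now.AddDays($RenewWithinDays)) {
            $findings.Add("RENEW: client secret ends $day; send the new value to Nectar")
        }
    }
    return $findings
}

# Constructed sample input. In a tenant the grants and secret end dates can be read
# with the Microsoft Graph PowerShell module (Get-MgServicePrincipalAppRoleAssignment,
# Get-MgApplication) and mapped to permission names before calling the function.
$sampleGranted = 'CallRecords.Read.All', 'GroupMember.Read.All', 'User.ReadBasic.All', 'Mail.Read'
$sampleExpiry  = [datetime]'2024-03-01'
Test-ConnectorRegistration -Granted $sampleGranted -SecretExpiry $sampleExpiry -Now ([datetime]'2024-02-13')
```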
