Application Consent
Application Consent During Teams Cloud Voice Onboarding
The information below outlines the permissions requested during the onboarding process for UniVoIP's service management application, called Service Control.
Service Control is a comprehensive service management platform developed by UniVoIP. It is designed to streamline the user experience with a modern and responsive interface. The platform includes several key applets that handle tasks like procuring, activating, and assigning telephone numbers to Teams users. UniVoIP's Service Control also includes a number management tool for efficient onboarding and service management.
UniVoIP's Service Control offers various access levels and permission capabilities to ensure secure and efficient service management. It provides different access levels based on user roles, allowing administrators full access while regular users have limited access. The platform includes granular permission settings, enabling control over viewing, editing, and managing services.
Below are details corresponding to each of the three applications involved in the onboarding workflow:
Cloud Voice for Teams Sign In Application
Cloud Voice for Teams Management Application
Cloud Voice for Teams Onboarding Application
All onboarding and management actions within a customer’s Microsoft tenant are completed using one or more of these applications. All such actions are recorded in the Microsoft tenant's Entra audit log. Customers can review these activities at any time in the Microsoft Entra audit log.
Cloud Voice for Teams Sign In Application
The Sign In Application is the first of the three applications installed during the onboarding workflow. This application is responsible for ensuring that users can sign in to UniVoIP's Service Control seamlessly using their Microsoft credentials. It requires read permissions to access user profiles and validate users. Once consent is provided, the Sign In Application facilitates the single sign-on process, making it easier for users to access various services without needing to log in multiple times. The permissions requested are presented before consent is provided.
Permissions to be granted:
Maintain access to data you have given it access to <Used to maintain session of logged in user using refresh tokens>
Sign in and read user profile <Used to validate user and tenant details for trial landing page. Also used to allow single sign on with tenant users>
Cloud Voice for Teams Management Application
The Management Application is the second of three applications required for the onboarding process. It is responsible for assigning telephone numbers to users and managing other administrative tasks during onboarding and after the onboarding is completed. The Management App is essential for tasks like managing and assigning telephone numbers to Teams resources. It ensures that these tasks are carried out efficiently and securely. The permission requested is presented before consent is provided.
Permissions to be granted:
Read and write all applications <Used to remove Onboarding Application when initial integration is completed. No other use>
Read all call records <Used to read call records for all calls and online meetings without a signed-in user>
Read organization information <Used to confirm licensing as part of confirmations prior to onboarding, domain setup, and basic tenant troubleshooting when required. This permission is required for the Teams PowerShell Module application access to function>
Read and write all users' full profiles <Used to read and update outbound calling and dialing policies of user, required for phone number assignment and outbound routing>
Sign in and read user profile <Default application permission included by Microsoft>
application_access / Grant appId full permission <Used for application access to the Teams PowerShell module and Graph resources>
Cloud Voice for Teams Onboarding Application
The Onboarding Application is the last of three applications required for the onboarding process. It is used during the onboarding phase only and is removed by the Management Application once the initial onboarding page is completed. The Onboarding Application is responsible for creating voice domains, voice paths, a temporary user to enable the voice paths, and other necessary configurations specific to Cloud Voice. After the onboarding process, any permissions granted to the Onboarding Application are removed, as they are no longer needed.
Permissions to be granted:
Read and write domains <Used to build and validate voice domains within tenant during initial onboarding>
Read and write all directory RBAC settings <Used to grant Management application the ‘Teams Administrator’ role required for Teams PowerShell voice management>
Sign in and read user profile <Default Application permission included by Microsoft>
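A tenant administrator can compare what was actually granted against the lists above and pull each application's entries from the Entra audit log. The script below is an added example, not UniVoIP code: it uses the Microsoft Graph PowerShell SDK, assumes the service principals carry the display names used on this page, and maps the consent-screen wording to Graph permission names as this example's own reading.

```powershell
# Added example, not UniVoIP code. Requires the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All','AuditLog.Read.All'

# Documented permissions per app. Graph names are this example's mapping of the
# consent-screen text above; display names are assumed to match the page.
$documented = @{
    'Cloud Voice for Teams Sign In Application'    = @('offline_access', 'User.Read')
    'Cloud Voice for Teams Management Application' = @('Application.ReadWrite.All',
        'CallRecords.Read.All', 'Organization.Read.All', 'User.ReadWrite.All',
        'User.Read', 'application_access')
    'Cloud Voice for Teams Onboarding Application' = @('Domain.ReadWrite.All',
        'RoleManagement.ReadWrite.Directory', 'User.Read')
}

foreach ($name in $documented.Keys) {
    $apps = @(Get-MgServicePrincipal -Filter "displayName eq '$name'")
    if ($apps.Count -eq 0) {
        # Expected for the Onboarding Application once onboarding has completed.
        Write-Output "[$name] no service principal in this tenant"
        continue
    }
    foreach ($sp in $apps) {
        $granted = @()
        # Application permissions: resolve each app role id to its name on the resource.
        foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
            $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
            $granted += ($resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }).Value
        }
        # Delegated permissions: space-separated scope strings on each grant.
        foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
            $granted += ($g.Scope -split ' ') | Where-Object { $_ }
        }
        $granted = @($granted | Sort-Object -Unique)
        $extra   = @($granted | Where-Object { $_ -notin $documented[$name] })
        Write-Output "[$name] granted: $($granted -join ', ')"
        if ($extra.Count -gt 0) {
            Write-Output "[$name] REVIEW, not in documented list: $($extra -join ', ')"
        }
    }
    # Directory changes this app made in the tenant, from the Entra audit log.
    Get-MgAuditLogDirectoryAudit -Filter "initiatedBy/app/displayName eq '$name'" -Top 50 |
        Select-Object ActivityDateTime, ActivityDisplayName, Result
}
```

Entries flagged REVIEW are permissions present in the tenant but absent from the lists on this page; they are a prompt to check with the vendor, not proof of a problem.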
Corporate Policy does not allow for Consent?
If a customer's corporate policy does not allow Service Control to manage the Teams Phone System settings for their users, then UniVoIP can set the customer's account to a limited integration mode.
The customer will still be required to add UniVoIP as an Operator in the Operator Connect section in their Microsoft Teams Admin Center.
Customers provisioned in manual mode will lose these abilities within UniVoIP's Service Control interface:
Assign Phone Numbers
Unassign Phone Numbers
View Assigned Numbers by location
Enter default e911 Service Addresses
Access Call Record Details (CDRs)
View all Users and Resource Accounts that have been Licensed for the Microsoft Teams Phone System
Toggle Off/On International Calling for Users