Skip to main content

SaaS Deployment Steps

In this model, Altoura hosts the Remote Expert backend and Teams web app at altouraremoteacs.azurewebsites.net.

Step 1: Create the Multitenant App Registration

Create the app in Entra ID -> App registrations (do not use Enterprise applications for creation/configuration):
  1. Open Entra admin center -> Identity -> Applications -> App registrations.
  2. Click New registration.
  3. Set:
    • Name: Altoura Remote Expert (or your naming standard)
    • Supported account types: Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)
  4. Click Register.
  5. Save:
    • Application (client) ID
    • Directory (tenant) ID

Step 2: Configure Authentication Callback

  1. Open your new app registration -> Authentication.
  2. Add the callback/redirect URI provided by Altoura for SaaS deployment.
  3. Enable required token settings if requested by your security policy/app requirements.
  4. Save changes.

Step 3: Configure Expose an API

This is what enables Teams SSO to request a token for your app’s API. If it is missing, Teams sign-in fails with an error that Azure AD “can’t find the resource.” Set the Application ID URI
  1. Open app registration -> Expose an API.
  2. Next to Application ID URI, click Set and use the pattern:
api://altouraremoteacs.azurewebsites.net/<application-client-id>
Replace <application-client-id> with the Application (client) ID from Step 1 (Altoura confirms the exact value for your deployment). Add a scope
  1. Click Add a scope and set:
    • Scope name: access_as_user
    • Who can consent: Admins and users
    • Admin consent display name: Access as user
    • Admin consent description: Allow the Teams app to access this API on behalf of the signed-in user
    • State: Enabled
  2. Click Add scope.
Add the Teams client applications
  1. Click Add a client application and pre-authorize each Microsoft Teams client (add both), checking the access_as_user scope for each:
    • 1fec8e78-bce4-4aaf-ab1b-5451cc387264 (Teams desktop / mobile)
    • 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 (Teams web)
These Teams client IDs are fixed Microsoft values, so this step does not depend on the Teams app package. You add one more client application here — the Teams app’s own Object ID — after the app is uploaded (Step 10).

Step 4: Add Microsoft Graph API Permissions

  1. Open app registration -> API permissions -> Add a permission -> Microsoft Graph -> Delegated permissions.
  2. Add:
PermissionTypePurpose
OnlineMeetings.ReadWriteDelegatedCreate and manage Teams meetings
Chat.ReadWriteDelegatedSend expert notifications in Teams chat
Contacts.ReadDelegatedRead signed-in user’s contacts
User.Read.AllDelegatedResolve user profile details
User.ReadDelegatedRead signed-in user’s basic profile
offline_accessOAuth / OIDCSilent token renewal
Add the permissions now. You grant admin consent at the end of setup (Step 10), after the Teams app is uploaded and its Object ID is added.

Step 5: Deploy an Azure Communication Services (ACS) Resource

  1. Sign in to the Azure Portal.
  2. Click + Create a resource and search for Communication Services.
  3. Select Communication Services and click Create.
  4. Configure the resource:
    • Subscription: Select your Azure subscription
    • Resource group: Choose existing or create new
    • Resource name: For example, altoura-remote-expert-acs
    • Data location: Region closest to users
  5. Click Review + create, then Create.
  6. Open the ACS resource -> Keys, then copy:
    • ACS Connection string
    • ACS Endpoint

Step 6: Provide Details to Altoura

Share these values securely with Altoura. Altoura uses them to generate your tenant-specific Teams app package:
ValueWhere to Find
Application (client) IDApp registration -> Overview
Directory (tenant) IDApp registration -> Overview
Redirect URI(s) configuredApp registration -> Authentication
Application ID URI / scope detailsApp registration -> Expose an API
ACS Connection stringACS resource -> Keys
ACS EndpointACS resource -> Keys

Step 7: Network Configuration

Allow outbound HTTPS access:
URLProtocolPurpose
altouraremoteacs.azurewebsites.netHTTPS (443)Hosted Teams app and backend endpoints

Step 8: Teams App Package (Generated by Altoura)

Using the details you shared in Step 6, Altoura generates a tenant-specific Teams app package (.zip) preconfigured for your environment. You do not author or edit the manifest yourself. For reference, Altoura maps these manifest values from your app registration:
  • webApplicationInfo.id = Application (client) ID
  • webApplicationInfo.resource = Application ID URI from Expose an API
  • Hosted URLs / validDomains = SaaS hosting (altouraremoteacs.azurewebsites.net)

Step 9: Upload the Teams App Package

After Altoura sends your tenant-specific .zip package:
  1. Open Teams Admin Center -> Teams apps -> Manage apps.
  2. Click Upload new app.
  3. Upload the .zip package.
  4. Confirm app status is Allowed.
  1. Go to Teams apps -> Setup policies.
  2. Edit Global policy (or pilot policy).
  3. In Meeting Extensions, add Altoura Remote Expert.
  4. Assign the policy.
Propagation can take up to 24-48 hours. Now that the Teams app is uploaded, finish the app registration and grant consent.
  1. In Teams Admin Center -> Teams apps -> Manage apps, open the Altoura Remote Expert app and copy its Object ID.
  2. Go to Entra admin center -> App registrations -> your multitenant app -> Expose an API -> Authorized client applications.
  3. Click Add a client application, add the Teams app Object ID, check the access_as_user scope, and save. (This is in addition to the two Microsoft Teams client IDs added in Step 3.)
  4. Go to API permissions and click Grant admin consent.
  5. Verify all required permissions show Granted.