Security Considerations
Least Privilege
The multitenant app uses delegated permissions for meeting creation, chat, contacts, and user lookup, meaning it can only act on behalf of the currently signed-in user.

| Can Access | Cannot Access |
|---|---|
| Create/read/update/delete online meetings | Read emails or mailboxes |
| Read/send messages in Teams chats | Access OneDrive files or SharePoint |
| Read user profiles and group memberships | Read calendars or calendar events |
| Read the signed-in user’s personal contacts | Delete users or change passwords |
| | Modify user roles or directory permissions |
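The table above and the delegated-permission model it rests on can drift silently if someone later consents to extra scopes or adds an application permission to the registration. The following added example (not Altoura's code, not Microsoft's) audits what has actually been consented to a service principal: it takes the JSON shape Microsoft Graph returns for the service principal's `oauth2PermissionGrants` (delegated grants) and `appRoleAssignments` (application permissions) and reports anything outside an expected allowlist, anything matching the "Cannot Access" column, and any application permission at all. The sample responses are constructed, and the scope names in `EXPECTED_SCOPES` are assumed to correspond to the permissions in the table; the registration's own manifest is authoritative.

```python
"""Least-privilege audit of a service principal's consented permissions.

Added example, not part of the original page. Inputs are the Graph response
shapes of GET /servicePrincipals/{id}/oauth2PermissionGrants and
GET /servicePrincipals/{id}/appRoleAssignments; samples below are constructed.
"""

# Delegated scopes the app is expected to hold. Assumed names matching the
# "Can Access" column; replace with the scopes from the actual registration.
EXPECTED_SCOPES = {
    "OnlineMeetings.ReadWrite",  # create/read/update/delete online meetings
    "Chat.ReadWrite",            # read/send messages in Teams chats
    "User.Read",                 # signed-in user's own profile
    "User.ReadBasic.All",        # user lookup
    "GroupMember.Read.All",      # group memberships
    "Contacts.Read",             # signed-in user's personal contacts
    "openid", "profile", "offline_access",  # standard OIDC scopes
}

# Scope prefixes that correspond to the "Cannot Access" column. A consented
# scope starting with any of these is a finding regardless of the allowlist.
FORBIDDEN_PREFIXES = (
    "Mail.", "MailboxSettings.",       # emails / mailboxes
    "Files.", "Sites.",                # OneDrive / SharePoint
    "Calendars.",                      # calendars and events
    "User.ReadWrite", "Directory.ReadWrite", "RoleManagement.",  # users, roles
)


def audit_grants(grants: list[dict], app_role_assignments: list[dict]) -> dict:
    """Compare consented permissions against the delegated-only allowlist.

    Returns a findings dict; 'ok' is True only when every consented scope is
    expected, none is forbidden, and no application permission is assigned.
    """
    consented: set[str] = set()
    admin_consented = False
    for grant in grants:
        # 'scope' is a space-separated list of delegated permissions per grant.
        consented.update(grant.get("scope", "").split())
        # consentType 'AllPrincipals' is tenant-wide (admin) consent.
        admin_consented |= grant.get("consentType") == "AllPrincipals"

    unexpected = sorted(consented - EXPECTED_SCOPES)
    forbidden = sorted(s for s in consented if s.startswith(FORBIDDEN_PREFIXES))
    # Any appRoleAssignment is an application permission: it runs without a
    # signed-in user and therefore breaks the delegated-only model.
    app_perms = sorted(a.get("appRoleId", "") for a in app_role_assignments)

    return {
        "consented": sorted(consented),
        "admin_consented": admin_consented,
        "unexpected": unexpected,
        "forbidden": forbidden,
        "application_permissions": app_perms,
        "ok": not unexpected and not forbidden and not app_perms,
    }


# Constructed sample: the expected state after admin consent.
SAMPLE_GRANTS_OK = [
    {"consentType": "AllPrincipals", "principalId": None,
     "scope": "openid profile User.Read OnlineMeetings.ReadWrite "
              "Chat.ReadWrite Contacts.Read"},
]

# Constructed sample: someone later consented to mailbox and file scopes and
# added an application permission (placeholder appRoleId).
SAMPLE_GRANTS_DRIFTED = [
    {"consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Mail.Read Files.Read.All"},
]
SAMPLE_APP_ROLES_DRIFTED = [
    {"appRoleId": "00000000-0000-0000-0000-00000000beef",  # placeholder
     "resourceDisplayName": "Microsoft Graph"},
]

if __name__ == "__main__":
    for label, grants, roles in (
        ("expected", SAMPLE_GRANTS_OK, []),
        ("drifted", SAMPLE_GRANTS_DRIFTED, SAMPLE_APP_ROLES_DRIFTED),
    ):
        print(label, audit_grants(grants, roles))
```

Run it against live data by pasting the two Graph responses in place of the constructed samples; a non-empty `forbidden` or `application_permissions` list is the signal to revisit the consent under the change-control process described below.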
Delegated Permission Model
Because the app uses delegated permissions, meetings are always created as the signed-in user. This ensures that only authenticated users can trigger actions and eliminates the need for Teams Application Access Policies or PowerShell configuration.

App Registration Ownership
The multitenant app registration is configured in your tenant under App registrations. Treat app credentials and configuration values (redirect URI, Application ID URI, scopes) as controlled security settings. Limit who can edit them and review changes through your standard change-control process.

Revocable Access
You can revoke access at any time by disabling or deleting the app registration under Identity -> Applications -> App registrations in the Entra admin center (based on your organization's change-control policy).

Appendix: Setup Checklist
Quick checklist for the complete setup:
- Multitenant app registration created (client ID and tenant ID noted) and redirect URI configured.
- Expose an API configured: Application ID URI set, `access_as_user` scope added, and both Microsoft Teams client IDs pre-authorized.
- Graph delegated permissions added (admin consent granted in the final step).
- Azure Communication Services (ACS) resource deployed and connection string / endpoint noted.
- Tenant details and ACS credentials provided securely to Altoura.
- Network allowlist updated for `altouraremoteacs.azurewebsites.net` (SaaS) or your custom URL (Customer Tenant).
- Teams app package (provided by Altoura) uploaded to Teams Admin Center and status is Allowed.
- Teams app Object ID added under Expose an API -> Authorized client applications (alongside the Teams client IDs).
- Admin consent granted and required API permissions show "Granted".
- Meeting app pinned via Setup Policy (recommended).
- End-to-end validation completed successfully.
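The "Expose an API" items in the checklist (Application ID URI, `access_as_user` scope, pre-authorized Teams clients, the Teams app ID, redirect URI) are the ones most often found half-done during end-to-end validation. The following added example (not Altoura's code, not Microsoft's) checks them against the Microsoft Graph `application` object returned by `GET /applications/{id}`, using only the properties the checks need (`identifierUris`, `web.redirectUris`, `api.oauth2PermissionScopes`, `api.preAuthorizedApplications`). The two Teams client application IDs are the well-known Teams desktop/mobile and web client IDs; the sample application object, the redirect URI path and the Teams app ID are constructed placeholders.

```python
"""Checklist validation for the Expose an API settings of a Teams SSO app
registration. Added example, not part of the original page. The input is a
Microsoft Graph application object; the sample below is constructed."""

# Well-known Microsoft Teams client application IDs (desktop/mobile and web)
# that must be pre-authorized for the access_as_user scope.
TEAMS_CLIENT_IDS = {
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264",  # Teams desktop and mobile clients
    "5e3ce6c0-2b1f-4285-8d4b-75ee78787346",  # Teams web client
}

SCOPE_NAME = "access_as_user"


def check_expose_api(app: dict, teams_app_id: str, redirect_uri: str) -> list[str]:
    """Return a list of problems; an empty list means the checklist items pass."""
    problems: list[str] = []

    # Application ID URI set (Teams SSO expects the api:// form).
    uris = app.get("identifierUris") or []
    if not uris:
        problems.append("Application ID URI is not set")
    elif not any(u.startswith("api://") for u in uris):
        problems.append(f"Application ID URI is not in api:// form: {uris}")

    # Redirect URI configured.
    if redirect_uri not in (app.get("web", {}).get("redirectUris") or []):
        problems.append(f"redirect URI {redirect_uri} is not registered")

    # access_as_user scope added and enabled; remember its id for the next check.
    api = app.get("api", {})
    scope = next((s for s in api.get("oauth2PermissionScopes", [])
                  if s.get("value") == SCOPE_NAME), None)
    if scope is None or not scope.get("isEnabled", False):
        problems.append(f"scope {SCOPE_NAME} is missing or disabled")
        return problems  # the pre-authorization checks need the scope id

    # Both Teams client IDs and the Teams app ID pre-authorized for that scope.
    authorized = {
        p.get("appId"): set(p.get("delegatedPermissionIds", []))
        for p in api.get("preAuthorizedApplications", [])
    }
    for client_id in sorted(TEAMS_CLIENT_IDS | {teams_app_id}):
        if scope["id"] not in authorized.get(client_id, set()):
            problems.append(f"{client_id} is not pre-authorized for {SCOPE_NAME}")
    return problems


# Constructed sample application object in the expected finished state.
SCOPE_ID = "aaaaaaaa-0000-0000-0000-000000000001"            # placeholder
CLIENT_ID = "11111111-2222-3333-4444-555555555555"           # placeholder
TEAMS_APP_ID = "99999999-8888-7777-6666-555555555555"        # placeholder
REDIRECT_URI = "https://altouraremoteacs.azurewebsites.net/auth-end"  # constructed path

SAMPLE_APP = {
    "appId": CLIENT_ID,
    "identifierUris": [f"api://altouraremoteacs.azurewebsites.net/{CLIENT_ID}"],
    "web": {"redirectUris": [REDIRECT_URI]},
    "api": {
        "oauth2PermissionScopes": [
            {"id": SCOPE_ID, "value": SCOPE_NAME, "isEnabled": True},
        ],
        "preAuthorizedApplications": [
            {"appId": cid, "delegatedPermissionIds": [SCOPE_ID]}
            for cid in sorted(TEAMS_CLIENT_IDS | {TEAMS_APP_ID})
        ],
    },
}


def sample_missing_web_client() -> dict:
    """Constructed variant: the Teams web client was never pre-authorized."""
    app = {**SAMPLE_APP, "api": {**SAMPLE_APP["api"]}}
    app["api"]["preAuthorizedApplications"] = [
        p for p in SAMPLE_APP["api"]["preAuthorizedApplications"]
        if p["appId"] != "5e3ce6c0-2b1f-4285-8d4b-75ee78787346"
    ]
    return app


if __name__ == "__main__":
    print("finished:", check_expose_api(SAMPLE_APP, TEAMS_APP_ID, REDIRECT_URI))
    print("missing web client:",
          check_expose_api(sample_missing_web_client(), TEAMS_APP_ID, REDIRECT_URI))
```

Feed it the live application object (for example the output of the Graph Explorer query for your registration) together with the Teams app ID and redirect URI you recorded in the checklist; any non-empty result is an item to fix before declaring end-to-end validation complete.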

