IT Admin & Security Hub
This page is the single reference for IT administrators and security reviewers. Share this URL with your IT team — everything they need to assess, install, and troubleshoot Iristick.Teams is linked from here.
What Iristick.Teams Is
Iristick.Teams is an Android and iOS companion app that connects Iristick smart glasses to Microsoft Teams. The user signs in with their existing Microsoft 365 account, and the glasses act as a wearable camera and headset for Teams video calls. Authentication runs through Microsoft Entra ID (MSAL); call audio and video flow through Azure Communication Services.
In the out-of-the-box (OOTB) deployment Iristick hosts the backend that mediates sign-in, license validation, and call setup. In the self-hosted deployment everything runs inside your own Azure tenant — see OOTB vs Self-Hosted.
Quick Links
| Topic | Page |
|---|---|
| Permissions, data stored vs. displayed, encryption, authentication | Permissions, Data & Security |
| Install Iristick.Teams in your Microsoft tenant | Install in Your Tenant |
| Test the setup and restrict access to specific users | Verify & Restrict Access |
| Error-specific fixes | Troubleshooting |
| Run the app entirely in your own Azure tenant | Self-Hosted Enterprise Setup |
| Send to IT as a single document | Printable IT Brief |
At a Glance
Authentication. Microsoft Entra ID via MSAL. Iristick never sees or stores user credentials. Sign-in redirects to a Microsoft-owned login page; Microsoft issues short-lived access tokens scoped to the permissions you granted.
Data stored by Iristick (OOTB only). Display name, user ID, tenant ID, email, and call summary metadata (initiator, duration, headset). No call content, audio, or video. Encrypted at rest with AES-256.
Data displayed but not stored. Recent Teams chats, contacts, today's meetings — fetched live via Microsoft Graph, never persisted on Iristick servers.
Encryption in transit. TLS 1.2+ on all connections (app ↔ Graph, app ↔ ACS, app ↔ Iristick backend).
Permissions. Delegated only. The app acts on behalf of the signed-in user, never independently. See the full list.
Service principals provisioned. Two: Iristick.Teams (9e29744b-7398-4b14-8ba9-4b341b36c0b4) and Azure Communication Services (1fd5118e-2576-4263-8130-9503064c837a).
App role for access control. The Iristick.Teams app registration declares one Microsoft Entra ID app role — User (Iristick.Teams-User). By default any licensed user in your tenant can sign in; setting Assignment required = Yes on the enterprise application restricts sign-in to users or groups explicitly assigned to this role. Full detail: Access Control with App Roles.
Why ACS? Iristick.Teams is a third-party app, so it uses Microsoft's Azure Communication Services to join Teams meetings — the official Teams client uses internal Microsoft endpoints not exposed to third parties. The ACS resource is a key issuer, not a data pipe: it mints short-lived tokens and provides a routing endpoint. Call media flows peer-to-peer through Microsoft-operated relays, never through the ACS resource owner's infrastructure. Full detail: Why an ACS resource is required.
Both service principals must exist before users can call
Granting admin consent should create both, but in some tenants ACS does not auto-provision. If users can sign in but cannot join calls, see Troubleshooting → ACS service principal missing.
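One way to check both conditions above (that the two service principals exist, and whether Assignment required is set) is to evaluate the JSON that Microsoft Graph returns for the two app IDs. This is an added example, not Iristick's code; the function name and the sample response are constructed for illustration, and the sample models a tenant where ACS was not auto-provisioned.

```python
import json

# App IDs as listed on this page.
IRISTICK_APP_ID = "9e29744b-7398-4b14-8ba9-4b341b36c0b4"
EXPECTED = {
    IRISTICK_APP_ID: "Iristick.Teams",
    "1fd5118e-2576-4263-8130-9503064c837a": "Azure Communication Services",
}

# Constructed sample of a Microsoft Graph response to
#   GET /v1.0/servicePrincipals?$filter=appId in ('<id1>','<id2>')
#       &$select=appId,displayName,accountEnabled,appRoleAssignmentRequired
# In this sample the ACS service principal is absent.
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"appId": "9e29744b-7398-4b14-8ba9-4b341b36c0b4",
   "displayName": "Iristick.Teams",
   "accountEnabled": true,
   "appRoleAssignmentRequired": false}
]}
""")


def audit_service_principals(response):
    """Return a list of (severity, message) findings for the tenant."""
    found = {sp.get("appId", "").lower(): sp for sp in response.get("value", [])}
    findings = []
    for app_id, name in EXPECTED.items():
        sp = found.get(app_id)
        if sp is None:
            # Users can sign in but calls fail when the ACS principal is missing.
            findings.append(("error", f"{name} ({app_id}) service principal is missing"))
        elif not sp.get("accountEnabled", False):
            findings.append(("error", f"{name} service principal is disabled"))
    iristick = found.get(IRISTICK_APP_ID)
    if iristick is not None and not iristick.get("appRoleAssignmentRequired", False):
        # Default state: sign-in is not limited to users assigned the User role.
        findings.append(("info", "Assignment required = No: any licensed user in the tenant can sign in"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_service_principals(SAMPLE_RESPONSE):
        print(f"[{severity}] {message}")
```

An empty result means both service principals are present and enabled and sign-in is restricted to assigned users or groups.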
How Sign-In Works
```mermaid
flowchart LR
    A[Iristick.Teams App] -->|MSAL sign-in| B[Microsoft Entra ID]
    B -->|Checks| C{Service Principal\nexists?}
    C -->|No| D[Sign-in blocked]
    C -->|Yes| E{Admin consent\ngranted?}
    E -->|No| F[Need admin approval]
    E -->|Yes| G[Access token issued]
    G --> H[Iristick Backend]
    H -->|Azure Communication Services| I[Microsoft Teams Call]
```
Before You Install
You need:
- A Microsoft 365 tenant (not a personal or free account)
- A Global Administrator, Application Administrator, or Cloud Application Administrator role
- At least one user with a Microsoft 365 Business Basic (or higher) license for testing
Personal and free M365 accounts won't work
Iristick.Teams requires a Microsoft 365 Business tenant. Personal Microsoft accounts and free-tier M365 accounts do not support the enterprise app registration this setup requires.
Install in Three Steps
- Install in Your Tenant — grant admin consent via URL (one click) and verify both service principals exist
- Verify & Restrict Access — sign in on a test device, optionally limit access to specific users or groups
- Troubleshooting — if anything fails, look up the error here
Estimated time: 5–10 minutes for OOTB. Self-hosted deployments take longer — see Enterprise Setup.
Contact
Questions or a security review request? Reach us at support@iristick.com.