IT Admin Setup Guide

This guide walks IT administrators through the Azure configuration required to deploy Iristick.Teams in your organization. You'll register the app in your tenant, grant the required permissions, and optionally restrict access to specific users.

Estimated time: 5–10 minutes.

Before You Start

Make sure you have:

  • A Microsoft 365 tenant (not a personal or free account)
  • Global Administrator, Application Administrator, or Cloud Application Administrator role
  • At least one user with a Microsoft 365 Business Basic (or higher) license for testing

Personal and free M365 accounts won't work

Iristick.Teams requires a Microsoft 365 Business tenant. Personal Microsoft accounts and free-tier M365 accounts do not support the enterprise app registration this setup requires.

How It Works

When a user opens Iristick.Teams and signs in, the app authenticates through Microsoft Entra ID using MSAL (Microsoft Authentication Library). Your tenant needs two things for this to work:

  1. A service principal — tells Entra ID that Iristick.Teams is a trusted app
  2. Admin consent — pre-approves the delegated permissions so users aren't blocked

Granting admin consent creates both the Iristick.Teams service principal and the Azure Communication Services service principal in your tenant. It also makes the app's User app role available, which you can use to restrict access to specific users.

Once authenticated, the Iristick backend connects the user to Microsoft Teams calls through Azure Communication Services.

flowchart LR
    A[Iristick.Teams App] -->|MSAL sign-in| B[Microsoft Entra ID]
    B -->|Checks| C{Service Principal\nexists?}
    C -->|No| D[Sign-in blocked]
    C -->|Yes| E{Admin consent\ngranted?}
    E -->|No| F[Need admin approval]
    E -->|Yes| G[Access token issued]
    G --> H[Iristick Backend]
    H -->|Azure Communication Services| I[Microsoft Teams Call]

Permissions requested by Iristick.Teams

Microsoft Graph (requested on first sign-in):

| Permission | Why it's needed |
| --- | --- |
| User.Read | Access signed-in user info (display name, user ID, tenant ID, email) |
| User.ReadBasic.All | Access contact user info (display name, user ID, tenant ID, email) |
| Contacts.Read | List and search through contacts |
| Calendars.Read | Access calendar for joining existing meetings |
| Team.ReadBasic.All | Access team information for contacts |
| OnlineMeetings.ReadWrite | Create Microsoft Teams meetings |
| ChatMessage.Send | Send chats (take picture command, etc.) |
| Chat.Read | Receive chats (display new messages in UI) |
| Chat.ReadWrite | Receive chats and send messages |

Azure Communication Services (requested on first sign-in):

| Permission | Why it's needed |
| --- | --- |
| Teams.ManageCalls | Make and manage calls |

All permissions are delegated — the app acts on behalf of the signed-in user, never independently.
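
A post-consent check, added here as an example and not part of Iristick's own tooling: it compares the delegated grants recorded in your tenant with the scopes listed in the two tables above. It assumes you have exported the `oauth2PermissionGrants` entries for the Iristick.Teams service principal from Microsoft Graph (fields `resourceId`, `consentType`, `scope`); the object IDs and the sample grants below are constructed placeholders.

```python
# Scopes from the two tables above, keyed by the API that owns them.
EXPECTED = {
    "Microsoft Graph": {
        "User.Read", "User.ReadBasic.All", "Contacts.Read", "Calendars.Read",
        "Team.ReadBasic.All", "OnlineMeetings.ReadWrite", "ChatMessage.Send",
        "Chat.Read", "Chat.ReadWrite"},
    "Azure Communication Services": {"Teams.ManageCalls"},
}

def audit_grants(grants, resource_names):
    """Compare oauth2PermissionGrant objects (the "value" array of a Graph
    listing for the app's service principal) with the documented scopes.
    resource_names maps each resourceId to a key of EXPECTED."""
    admin = {name: set() for name in EXPECTED}  # consentType AllPrincipals
    user = {name: set() for name in EXPECTED}   # consentType Principal
    other = set()                               # APIs the guide never mentions
    for g in grants:
        name = resource_names.get(g["resourceId"])
        if name is None:
            other.add(g["resourceId"])
            continue
        scopes = set((g.get("scope") or "").split())  # space-delimited string
        (admin if g["consentType"] == "AllPrincipals" else user)[name] |= scopes
    report = {"other_resources": sorted(other)}
    for name, expected in EXPECTED.items():
        report[name] = {
            # documented scopes lacking tenant-wide admin consent
            "missing": sorted(expected - admin[name]),
            # granted beyond what the guide lists: review before keeping
            "unexpected": sorted((admin[name] | user[name]) - expected),
            # documented scopes consented to by individual users only
            "user_only": sorted((user[name] & expected) - admin[name]),
        }
    return report

# Constructed sample: placeholder object IDs, not values from a real tenant.
SAMPLE_NAMES = {"graph-sp-id": "Microsoft Graph",
                "acs-sp-id": "Azure Communication Services"}
SAMPLE_GRANTS = [
    {"resourceId": "graph-sp-id", "consentType": "AllPrincipals",
     "scope": "User.Read User.ReadBasic.All Contacts.Read Calendars.Read "
              "Team.ReadBasic.All OnlineMeetings.ReadWrite ChatMessage.Send Chat.Read"},
    {"resourceId": "graph-sp-id", "consentType": "Principal",
     "scope": "Chat.ReadWrite Mail.Read"},
    {"resourceId": "acs-sp-id", "consentType": "AllPrincipals",
     "scope": "Teams.ManageCalls"},
]

if __name__ == "__main__":
    print(audit_grants(SAMPLE_GRANTS, SAMPLE_NAMES))
```

An empty `missing` list for both APIs means every documented scope has tenant-wide consent; anything under `unexpected` or `other_resources` is access beyond what this guide describes.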

Setup Steps

  1. Grant Admin Consent — Register the app in your tenant and grant the required permissions
  2. Verify the Setup — Test that users can sign in and join calls, and optionally restrict access

Having issues? See the IT Admin Troubleshooting guide.