Teams app setup
The Teams app is per-deployment — each customer stack generates its own .zip with a stable manifest id derived from the marketplace subscription. Re-downloading and re-uploading is recognized as an upgrade, not a fresh install.
Prerequisites: the AAD app
The Teams app needs an AAD application in your tenant for Single Sign-On. There are two paths:
Path 1 — Auto-created during install (recommended)
When you ran the deploy wizard, you saw a Microsoft consent prompt that included Microsoft Graph → Application.ReadWrite.OwnedBy. If you accepted, our install flow created the AAD app for you. Its details + the 90-day client secret are visible on the install-completed page (the page you saw right after the wizard kicked off the deploy).
If you saved both values, set them on your customer Function App:
    az functionapp config appsettings set \
      --name pocai-fa-{stack-hash} \
      --resource-group mrg-pointofcontactai-{guid} \
      --settings \
        AAD_APP_CLIENT_ID=<clientId> \
        AAD_APP_TENANT_ID=<tenantId> \
        AAD_APP_RESOURCE_URI=<applicationIdUri>

And upsert the secret to your customer Key Vault:
    az keyvault secret set \
      --vault-name pocaikv{stack-hash} \
      --name AadAppClientSecret \
      --value <secret>

Path 2 — Manual fallback
If you declined the Graph consent OR the auto-create failed (you’ll see this in the install-completed page), run the fallback script from a checkout of the PointOfContactAI repo:
    node scripts/create-aad-app.mjs --stack-name {your-stack-name}

The script uses your existing az login to create the AAD app, generate a secret, and print the values. Set the four values (CLIENT_ID, TENANT_ID, RESOURCE_URI, secret) as above.
Sideload the Teams app
1. Download the per-deployment .zip.
   In your dashboard, click Teams setup. Step 2 has a Download .zip button. The zip contains:
   - manifest.json: pre-populated with your AAD client id + Function App hostname
   - color.png + outline.png: the Teams app icons
2. Upload to Teams Admin Center.
   Open Teams Admin Center → Teams apps → Manage apps. Click + Upload new app → Upload. Select the .zip.
3. Set the app to Allowed.
   After upload, the app appears in the list. Set its State to Allowed.
4. Pin the app for your team.
   Go to Teams apps → Setup policies. Edit your Global policy (or a custom one for the support team). Under Pinned apps, click + Add apps and select PointOfContactAI. Save.
New Teams sessions will see the tab automatically. Existing sessions pick it up after a few minutes or a Teams restart.
How SSO works
When an agent opens the PointOfContactAI tab, the Teams JavaScript SDK requests an SSO token from the Teams platform. The token’s audience is your AAD app (the one auto-created or manually set up). The tab calls POST /api/agent/me with Authorization: Bearer <token>. The customer-runtime validates the JWT signature against https://login.microsoftonline.com/{your-tenant}/discovery/v2.0/keys, confirms aud matches AAD_APP_CLIENT_ID OR AAD_APP_RESOURCE_URI, and returns the agent’s claims.
No multi-tenant ISV app sits in the middle. Tokens go straight from Teams to your customer Function App.
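The validation steps described above, as an added Node.js example; it is not the product's own code. The JWKS is embedded rather than fetched from the tenant's keys endpoint, the key id, app values and helper names are constructed or hypothetical, and the algorithm pinning and exp check are additions the page does not mention.

```javascript
const crypto = require("node:crypto");

// Validate an RS256 bearer token: signature via JWKS, then aud (and exp).
function validateSsoToken(token, jwks, app, now = Date.now() / 1000) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  const claims = JSON.parse(Buffer.from(p, "base64url").toString());
  // Pin the algorithm so the token header cannot select "none" or an HMAC alg.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const jwk = jwks.keys.find((k) => k.kty === "RSA" && k.kid === header.kid);
  if (!jwk) throw new Error("unknown signing key");
  const key = crypto.createPublicKey({ key: jwk, format: "jwk" });
  const sig = Buffer.from(s, "base64url");
  if (!crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), key, sig)) {
    throw new Error("bad signature");
  }
  // aud must equal the AAD app's client id OR its Application ID URI.
  if (claims.aud !== app.clientId && claims.aud !== app.resourceUri) {
    throw new Error("wrong audience");
  }
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  return claims;
}

// Constructed demo data: a throwaway key pair stands in for the tenant's keys.
const demoKeys = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const DEMO_JWKS = { keys: [{ ...demoKeys.publicKey.export({ format: "jwk" }), kid: "demo-1" }] };
const DEMO_APP = {
  clientId: "00000000-0000-0000-0000-000000000001", // constructed
  resourceUri: "api://example.invalid/00000000-0000-0000-0000-000000000001",
};

// Hypothetical helper: mint a signed test token (the real one comes from Teams).
function mintDemoToken(claims, header = { alg: "RS256", kid: "demo-1" }, signKey = demoKeys.privateKey) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const input = `${enc(header)}.${enc(claims)}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(input), signKey);
  return `${input}.${sig.toString("base64url")}`;
}

// Returns "accepted" or the rejection reason for a token.
function check(token, now) {
  try { validateSsoToken(token, DEMO_JWKS, DEMO_APP, now); return "accepted"; }
  catch (e) { return e.message; }
}
```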
Manifest ID stability
The Teams manifest’s id field is derived as a deterministic UUIDv5 from your marketplace subscription id, using a fixed namespace UUID. This means:
- Re-downloading the .zip after rotating keys / re-configuring AAD produces the same manifest id.
- Teams Admin Center treats it as an upgrade, not a new app.
- Your agents don’t see two PointOfContactAI tabs side by side.
If you ever need to start fresh (e.g., catastrophic AAD app loss), you’d need to manually remove the old Teams app from Admin Center first.