This article covers connecting Atomicwork with Azure, registering an Atomicwork app in Azure and the permissions the app needs to trigger relevant actions in Atomicwork. These permissions include Azure Resource Manager, user management and workflow actions.
Setup
Phase 1: Registering Atomicwork app
To integrate your Atomicwork account with Azure, you need to first register an app in your Azure tenant so you can retrieve the Client ID and Client Secret.
Log into the Azure Portal. Please make sure to sign in with admin credentials.
Go to Microsoft Entra ID (Azure AD is now Entra ID)
Select App Registration on the left pane.
Select New Registration
Enter a meaningful application name for your users and choose who can use this application based on your environment. Click Register.
Once you've registered the application, click on View API permissions
Select Add a permission > Microsoft Graph > Application permissions and add the appropriate permissions you need from the table below. Once you've added the permissions, make sure to select the Grant admin consent for <Tenant name> button, where <Tenant name> will be the name of your Azure tenant.
To enable the password reset skill, you also have to give Atomicwork the User Administrator role. Go to Roles and administrators > search for User Administrator and click through.
In the Add assignments modal, search for Atomicwork and click on Add to assign the right privilege to the app.
Click Certificates and secrets in the left pane.
Select the New Client Secret button. Provide a description for the client secret, the duration for which the client secret will be valid, and click Add.
Copy the string under the column Value once you add a client secret. You won't be able to retrieve it after you perform another operation or leave this page.
Copy the Client ID from the Overview tab. You can now use the client ID and secret for the duration specified in the expiration field, after which you’ll have to repeat the process.
Phase 2: Connecting Azure AD and Atomicwork
Log into Atomicwork. Go to Settings > App store > Azure.
Enter your Tenant ID. You can find the Tenant ID by logging into the Entra admin center and accessing Identity > Overview > Properties. Scroll down to the Tenant ID section to find your tenant ID in the box.
Enter your Client ID and Client Secret.
Click on Connect.
Permissions
To integrate Azure with Atomicwork, you need:
Atomicwork admin access: You need to have org admin access in Atomicwork
Azure admin access: You need to have the User Administrator role assigned to you in Microsoft Entra/Azure. This is required to enable the password reset skill.
Password reset permissions
Currently, there are three ways to automate resetting passwords:
Through skills, by sending your employees a link from Microsoft to reset their password when they ask for it.
Through skills, by asking them to verify their date of birth and sharing a new password through Microsoft Teams or Slack as soon as the verification is complete.
Through workflows, by using the Reset password action.
If you plan to automate resolutions to password resets by asking for the date of birth as verification or using the Reset password action in workflows, you will need to ensure that the Atomicwork app on Microsoft has the User administrator Role assigned.
These are the permissions the Atomicwork app must be granted alongside the User Administrator role:
Permission | Description | Usecase |
User.Read/User.ReadWrite.All | Read directory data | Workflows: Required for adding and deleting users. For adding or removing licenses, either this permission or Directory.ReadWrite.All is required. |
GroupMember.ReadWrite.All | Read and write all group memberships | Workflows and skills: Required for reading information about groups and adding or deleting users from groups |
Audit log | | Required for link-based reset password skill and action |
Directory.Read.All / Directory.ReadWrite.All | Read and write directory data | Workflows: Required for creating users, groups through workflow actions. |
Additional permissions for the Assistant
If you are connecting the Assistant to your Microsoft Teams account, you will need to grant admin consent for the following permissions in order to effectively set up and use the Assistant app.
Permission | Description | Usecase |
Directory.Read.All | Read directory data | Workflows and skills: Required for listing users, groups, license, domain in actions. |
Directory.ReadWrite.All | Read and write directory data | Workflows: Required for creating users, groups through workflow actions. |
GroupMember.ReadWrite.All | Read and write all group memberships | Workflows and skills: Required for reading information about available groups and adding or deleting users from groups |
User.Read | Sign in and read user profile | It’s a basic permission granted by Azure by default. |
User.ReadWrite.All | Read and write all users' full profiles | Workflows: Required for deleting users. For adding or removing licenses, either this permission or Directory.ReadWrite.All is required. |
Channel.Create | Create channels | Workflows: Required to create a channel in teams. |
Channel.ReadBasic.All | Read the names and descriptions of all channels | Assistant: Required for reading conversations when Assistant is configured to learn from a channel. Workflows: Either this permission or Directory.Read.All is required for posting to a channel. |
ChannelMember.ReadWrite.All | Add and remove members from all channels | Workflows: Required for adding users to channels in teams. |
ChannelSettings.ReadWrite.All | Read and write the names, descriptions, and settings of all channels, without a signed-in user. | ChannelSettings.ReadWrite.All enables the Assistant to learn from channels and update its knowledge graph |
| View users' email address | It’s a basic permission granted by Azure by default. |
Team.ReadBasic.All | Get a list of all teams | Workflows: Required to list teams in actions |
TeamMember.ReadWrite.All | Add and remove members from all teams | Workflows: Required for adding members to teams. |
TeamsAppInstallation.ReadForChat.All | Read installed Teams apps for all chats | TeamsAppInstallation.ReadForChat.All enables the Assistant to learn from channels and update its knowledge graph |
TeamsAppInstallation.ReadForTeam.All | Read installed Teams apps for all teams | TeamsAppInstallation.ReadForTeam.All enables the Assistant to learn from channels and update its knowledge graph |
TeamSettings.Read.All | Read all teams' settings | Workflows: Required to list teams in actions. |
TeamSettings.ReadWrite.All | Read and change all teams' settings | Workflows: Required to list teams in actions |
Teamwork.Migrate.All | Allows the app to create chat and channel messages, without a signed in user. The app specifies which user appears as the sender, and can backdate the message to appear as if it was sent long ago. The messages can be sent to any chat or channel in the organization. | Optional permission |
User-LifeCycleInfo.Read.All | Read all users' lifecycle information | Optional permission |
User.Read.All | Read all users' full profiles | Workflows and sync: Required for listing and getting user information. Either this or Directory.Read.All is required |
user_impersonation | Create and access protected content for users | Workflows and requests: Required for sending replies as the agent to an employee request and for sending DMs/posting to channels on behalf of any employee |
ChannelMessage.Read.All | Read all channel messages | Enables the Assistant to learn from channels and update its knowledge graph |
Teams.ManageChats | Manage chats in Teams | Workflows: Required to perform actions such as sending, updating, or deleting messages within Microsoft Teams |
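Because the tables above mix required, either-or and optional permissions, it is worth checking what the registered app has actually been granted against this list before (and periodically after) connecting it. The following is an added example, not Atomicwork's or Microsoft's own code: it audits the application permissions granted to the app's service principal using the shape of two Microsoft Graph responses (GET /servicePrincipals/{id}?$select=appRoles on the Microsoft Graph service principal, and GET /servicePrincipals/{id}/appRoleAssignments on the Atomicwork app's service principal). Both documents, their GUIDs and the assumed tenant state are constructed for the example.

```python
import json

# Required application permissions from the article's table; each inner set lists
# alternatives, any one of which satisfies that requirement.
REQUIRED = [
    {"User.ReadWrite.All"},                              # add/delete users, licences
    {"GroupMember.ReadWrite.All"},                       # group membership changes
    {"Directory.Read.All", "Directory.ReadWrite.All"},   # list/create users and groups
]
# Permissions the article marks optional. Teamwork.Migrate.All lets the app post as any
# user and backdate messages, so a grant of it should be a deliberate decision.
OPTIONAL = {"Teamwork.Migrate.All", "User-LifeCycleInfo.Read.All"}

# Constructed stand-in for the Microsoft Graph service principal's appRoles (placeholder ids,
# not the real Graph app role GUIDs).
GRAPH_SP = json.loads("""{"appRoles": [
  {"id": "00000000-0000-0000-0000-000000000001", "value": "User.ReadWrite.All"},
  {"id": "00000000-0000-0000-0000-000000000002", "value": "GroupMember.ReadWrite.All"},
  {"id": "00000000-0000-0000-0000-000000000003", "value": "Directory.Read.All"},
  {"id": "00000000-0000-0000-0000-000000000004", "value": "Directory.ReadWrite.All"},
  {"id": "00000000-0000-0000-0000-000000000005", "value": "Teamwork.Migrate.All"}]}""")

# Constructed stand-in for the app service principal's appRoleAssignments (admin-consented
# application permissions). The tenant state here is invented for the example.
ASSIGNMENTS = json.loads("""{"value": [
  {"appRoleId": "00000000-0000-0000-0000-000000000001", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "00000000-0000-0000-0000-000000000004", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "00000000-0000-0000-0000-000000000005", "resourceDisplayName": "Microsoft Graph"}]}""")


def granted_permissions(graph_sp, assignments):
    """Map each granted appRoleId back to its permission name (the appRole 'value')."""
    names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    return {names.get(a["appRoleId"], "unknown:" + a["appRoleId"]) for a in assignments["value"]}


def audit(graph_sp, assignments):
    """Report requirements that no granted alternative satisfies, and optional grants to review."""
    granted = granted_permissions(graph_sp, assignments)
    missing = [sorted(alts) for alts in REQUIRED if not (alts & granted)]
    return {
        "granted": sorted(granted),
        "missing": missing,                      # each entry lists the acceptable alternatives
        "review": sorted(granted & OPTIONAL),    # optional but granted: justify or remove
    }


if __name__ == "__main__":
    print(json.dumps(audit(GRAPH_SP, ASSIGNMENTS), indent=2))
```

With the constructed data the audit reports GroupMember.ReadWrite.All as missing and flags Teamwork.Migrate.All for review; against a live tenant you would fetch the two documents with an account that can read service principals and pass them in unchanged.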
Permissions for Azure Resource Manager
If you plan to sync your Azure Resource Manager assets with Atomicwork, you will need to ensure that the Atomicwork app on Microsoft has the Reader Role assigned.