Help with setting up Microsoft Teams Integration


I am having problems with setting up a 'Cloud Automation' node to allow me to post to a Microsoft Teams channel.

I am filling out the node and when I click the drop down arrow in the 'Team Group ID' field, I get the word 'Loading' displayed, then this error...

[screenshot]

I figure that I have to select the 'Team Group ID' first to get the integration to connect to MS Teams to then pull back the available Channel IDs for that Team.

I know what the Channel ID & Team Group ID is but I cannot add these to the fields manually and the node be happy with the inputs.

Also, as per the red error message, how do I "check the console for more information"?

The user defined in the Key to access Microsoft Teams has full Admin rights, so can't see that this is a permissions error.

Thanks

Steve.

Any advice on how to progress here please?  If I can dig deeper into the logs or see console, maybe I can see for myself what is going wrong.  Which of the logs would be good to explore? 

It would be good to also have some clarification on the use of the Teams Integration node.  Am I using it correctly?

Cheers.

I have just tried again and I looked in the EspServerService log and came up with some pointers as to why the lookup on the Group ID is failing.

2019-08-16 07:35:14Z [ERROR]:[SCRIPT]:[7668] iBridge MethodCall failure: iBridge Method: /Microsoft/DataSources.system/Teams/Get Group List.m Error: InvalidAuthenticationToken: Access token validation failure.
2019-08-16 07:35:14Z [ERROR]:[SYSTEM]:[7668] General exception: iBridge Method: /Microsoft/DataSources.system/Teams/Get Group List.m Error: InvalidAuthenticationToken: Access token validation failure.
	<methodCall service="bpm" method="iBridgeInvoke" trace="admin/com.hornbill.core" csrf_token="****MASKED****">
		<params>
			<connectorId>0</connectorId>
			<methodPath>/Microsoft/DataSources.system/Teams/Get Group List.m</methodPath>
			<requestPayload>{"filter":"","filterOnIdOnly":false}</requestPayload>
			<credential>
				<id>microsoft</id>
				<keyId>6</keyId>
			</credential>
		</params>
	</methodCall>
	
2019-08-16 07:35:14Z [ERROR]:[PROFILE]:[7668] bpm:iBridgeInvoke() Method call results: failure (214208512 B, 1335 ms, -68 kB, 0 ms, 0 kB) Slow API response!!!

One of my concerns is that maybe the credentials that were used were credentials that would in normal circumstances require MFA.  When setting up the Key, MFA was required, so I'm guessing now that MFA will be required every time the Key is used.  Can someone who works with and designs these integrations confirm this please?  Also, what would you recommend?

Thanks in advance.

Hi @Steven Cotterell,

The "check console" message is referring to the console within your browser - any error messages for this will be listed in there. If you're a Chrome user, the shortcut to get there is Ctrl+Shift+J (or Cmd+Shift+J on Mac).

What you should actually see, if the Keysafe entry has a valid token that has access to retrieve a list of Teams, is:

[screenshot]

Let me know what is being written to your browser console, and I'll hopefully be able to point you in the right direction.

Cheers,

Steve

@Steven Cotterell It appears we posted at the same time :) 

It looks like your access token is invalid, and we've not been able to get a new one using the refresh token. This should all happen automatically in the background -  unless the refresh token had expired between uses... When was this keysafe entry created, and how often is it used?

Thanks,

Steve
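
The diagnosis above can be read straight from the log: the failing entry names the error code, and the XML dump under it names the Keysafe key. An added example (not part of the original posts, and not Hornbill code) that reports which key needs reconnecting; the log layout is assumed from the excerpt quoted earlier in the thread, and the function name is hypothetical.

```python
import re

# Constructed sample: the EspServerService excerpt quoted in this thread, trimmed.
SAMPLE_LOG = """\
2019-08-16 07:35:14Z [ERROR]:[SCRIPT]:[7668] iBridge MethodCall failure: iBridge Method: /Microsoft/DataSources.system/Teams/Get Group List.m Error: InvalidAuthenticationToken: Access token validation failure.
2019-08-16 07:35:14Z [ERROR]:[SYSTEM]:[7668] General exception: iBridge Method: /Microsoft/DataSources.system/Teams/Get Group List.m Error: InvalidAuthenticationToken: Access token validation failure.
    <methodCall service="bpm" method="iBridgeInvoke" trace="admin/com.hornbill.core" csrf_token="****MASKED****">
        <params>
            <methodPath>/Microsoft/DataSources.system/Teams/Get Group List.m</methodPath>
            <credential>
                <id>microsoft</id>
                <keyId>6</keyId>
            </credential>
        </params>
    </methodCall>
2019-08-16 07:35:14Z [ERROR]:[PROFILE]:[7668] bpm:iBridgeInvoke() Method call results: failure (214208512 B, 1335 ms, -68 kB, 0 ms, 0 kB) Slow API response!!!
"""

ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\dZ) \[\w+\]:\[\w+\]:\[\d+\] (.*)$")
FAILURE = re.compile(r"iBridge Method: (/.+?\.m) Error: (\w+): ")
CREDENTIAL = re.compile(r"<(id|keyId)>([^<]+)</\1>")
# Assumption: error codes that mean the stored token is no longer usable.
TOKEN_ERRORS = {"InvalidAuthenticationToken"}

def keys_needing_reconnect(log_text):
    """Return one finding per failed call whose XML dump names a Keysafe key."""
    findings, current = [], None
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry:  # a new timestamped entry closes the previous one
            hit = FAILURE.search(entry.group(2))
            current = None
            if hit and hit.group(2) in TOKEN_ERRORS:
                current = {"time": entry.group(1), "method": hit.group(1),
                           "error": hit.group(2)}
        elif current is not None:  # indented XML dump belonging to the entry
            for tag, value in CREDENTIAL.findall(line):
                current["service" if tag == "id" else "keyId"] = value
            if "keyId" in current and current not in findings:
                findings.append(current)
    return findings

if __name__ == "__main__":
    for finding in keys_needing_reconnect(SAMPLE_LOG):
        print(finding)
```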

The Key was created as below.  Not used the key as yet as not been able to set-up the Integration node correctly.  Was getting this error when I first set it up, but didn't know if I was doing it correctly.

Only just got back to looking at this due to other work priorities.  Now I have some time I want to get this nailed.

[screenshot]

@Steven Cotterell From what I remember, refresh tokens in Office 365 expire after 14 days of inactivity - but that can be set to between 10 minutes and 90 days (depending on your O365 config). So I expect this issue is because the key was created a couple of months ago and the token has not been used...

The fix should be straightforward - if you go back in to the key in keysafe, hit the Revoke Access button, then click Connect and re-log in to the Microsoft account that needs to perform the operation, you should get a working token and refresh token back. Then as long as you use the Teams integration once every 14 days (or more frequently than whatever the O365 refresh token expiry is set to for your organisation), then you should never have to revoke/reconnect your key again as it's all handled in the background.

Cheers,

Steve

@Steven Cotterell No worries, let me know how you get on.

Just to note about the Teams integration too - the API we're using to post to a channel is actually still in Beta with Microsoft (we wouldn't usually implement integrations with APIs that are in beta, but we had another customer who really needed to use it...) - so it is liable to change when it moves in to production. So if this actually does stop working at some point, then that will be why and we'll need to update the integration to cater for its status change. As per the notes against the operation:

[screenshot]

I am checking the API status regularly, so you may not even see an outage when it moves in to production, but just one to be aware of...

Cheers,

Steve

Aaaargh - Have just revoked access, now on connecting it's popping up the 'prompt for credentials' window which is going to need the credentials of the guy who has the Admin access, along with his MFA approval. 

Going to talk to the Infrastructure guys and see if we can have a different account set-up. 

We had this discussion around admin level account access in this thread and our security guys were trying to get details on how to set-up an account which had 'just' the access permissions that were required, but I believe this is not so straightforward due to the integration using Microsoft Graph API which just needs the Group.ReadWrite.All permission.

 

@Steven Cotterell Yeah I think that, because the API is in beta, Microsoft have just set the rights to be "something that an admin would have" - as the permission really doesn't make sense here. I expect that when this moves out of beta and in to production it will have a Graph permission all of its own, so you'll be able to create a limited account just for this...

@Steve G, with our previous ITSM tool on the Teams Channel I configured an 'Incoming Webhook' to allow posting of messages.

Is this a way that we could maybe post to Teams using Hornbill - possibly using IFTTT, as I could not see anything else suitable in the list of available methods in the 'Cloud Automation' node?

Has anyone tried this?

@Steven Cotterell As long as the webhook doesn't need authentication, or supports basic auth, then you could use one of the HTTP Request operations listed under Utilities > Experimental in the Cloud Automation node to send "stuff" to the webhook... I've not tried it, but there's no reason why it wouldn't work

[screenshot]

Either that, or you could script it with PowerShell when we release Hornbill ITOM  :D 

Cheers,

Steve

@Steven Cotterell I've just tested this and it does indeed work. I created a webhook against one of my teams, then posted to it using the HTTP Request operation via a workflow and Service Manager request, and this was the result:

[screenshot]

The node was configured as so:

[screenshot]

And the content of the body was:

{
    "@type": "MessageCard",
    "@context": "http://schema.org/extensions",
    "themeColor": "0076D7",
    "summary": "Hornbill Request Logged: &[global["inputParams"]["requestId"]]",
    "sections": [{
        "activityTitle": "![TestImage](https://47a92947.ngrok.io/Content/Images/default.png)New &[global["flowcode"]["requestType"]] for &[global["flowcode"]["customer"]]",
        "activitySubtitle": "&[global["flowcode"]["summary"]]",
        "activityImage": "https://teamsnodesample.azurewebsites.net/static/img/image5.png",
        "facts": [
        {
            "name": "Request Reference",
            "value": "&[global["inputParams"]["requestId"]]"
        },
        {
            "name": "Assigned to",
            "value": "&[global["flowcode"]["owner"]]"
        }, {
            "name": "Status",
            "value": "&[global["flowcode"]["status"]]"
        }],
        "markdown": true
    }]
}

Which was based on Microsoft's example here: https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/connectors/connectors-using

It uses no authentication, so you just need to make sure you keep the webhook URL private, or anyone could post to it :) 

Cheers,

Steve
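
An added example, not part of the original post and not Hornbill code: the same card built and posted from a script, with the webhook URL treated as the only secret, so it is read from the environment, checked before use and never logged in full. The environment variable name, the allowed host suffixes and the function names are assumptions.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

# Assumption: host suffixes on which your Teams incoming webhooks are issued.
ALLOWED_HOST_SUFFIXES = ("office.com", "office365.com")

def webhook_problem(url):
    """Return None if the URL is acceptable, else the reason it is rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "webhook must use https"
    host = (parts.hostname or "").lower()
    if not any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES):
        return "unexpected webhook host"
    return None

def redact(url):
    """Form of the URL that is safe to log: the path is the secret, so drop it."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}/<redacted>"

def build_card(request_id, request_type, customer, summary, owner, status):
    """MessageCard with the same fields as the body posted above."""
    return {
        "@type": "MessageCard",
        "@context": "http://schema.org/extensions",
        "themeColor": "0076D7",
        "summary": f"Hornbill Request Logged: {request_id}",
        "sections": [{
            "activityTitle": f"New {request_type} for {customer}",
            "activitySubtitle": summary,
            "facts": [
                {"name": "Request Reference", "value": request_id},
                {"name": "Assigned to", "value": owner},
                {"name": "Status", "value": status},
            ],
            "markdown": True,
        }],
    }

def post_card(card, url=None):
    """POST the card; the URL comes from the environment, not from source control."""
    url = url or os.environ["TEAMS_WEBHOOK_URL"]  # hypothetical variable name
    problem = webhook_problem(url)
    if problem:
        raise ValueError(f"{problem}: {redact(url)}")
    body = json.dumps(card).encode("utf-8")  # serializer escapes quotes and newlines
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```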

@Steve G, Ok, so got the credentials re-entered into the Key and the dropdown of the list of 'Groups' in the node works, but it seems to be truncating the list of Groups.  My test 'Team' is called "SteveC Test01" and this one is not showing. Can't see any groups that begin with the letter 'F' onwards in the drop-down list.  I have tried both scrolling down the displayed list looking for "SteveC Test01" and also by typing "Ste" into the field to 'filter' the displayed list.

What does this truncate to and how can we get round this?

@Steven Cotterell Those utility operations should actually not be premium on your instance, they are free to use - I just had this switched on in my development instance from some previous testing... :wacko:

I've just updated the datasource which is used to return the Teams as part of the Post To Channel operation, so that it's now a search box rather than a drop-down select box, and it'll also now not return security groups (which it was doing previously). Give it 5 mins for the content pack to get to your instance, then try searching with the first few letters of the Team group display name... Note - this will only do a "starts with..." search on the display name, as the MS API we're using to return groups doesn't support "contains" as an operator.

Let me know how you get on.

Cheers,

Steve

Works great now - I can get a 'valid' & accepted node in the BPM.  Will get to testing it out to see if I can get parameter driven & meaningful content into the Teams message.

Thanks @Steve G for all the tweaks & help you've given.

Really appreciated.  I hope this helps others to get good use out of the Microsoft Teams integration.

Steve.

Hi @Steve G,

Have added a custom button to a Service Request and I'm trying to use the 'HTTP Request' iBridge integration to post to a Webhook in Teams as per your earlier post.

I have two questions....

Why do I get the 'Credentials' box showing as a mandatory field for the 'HTTP Request' integration?

[screenshot]

 

Also, why am I getting the following error whenever I click the custom button?

[screenshot]

Thanks in advance.

Is there anyone that can answer this question please, specifically the one surrounding why, for the 'HTTP Request' iBridge integration which I believe does not require any credentials to be specified, is there a mandatory 'Credentials' field.  Also, is this what could be generating the error in red (also shown in previous post in the EspServerService.log)?

Hi @Steven Cotterell,

Apologies for the late response, I've been on holiday for a couple of weeks and am just catching up.

Regarding the Credentials field being mandatory, this shouldn't be the case so I've raised this with the relevant team of developers to be fixed.

Regarding the headers error - this is an issue with the way the field is being presented on the custom button form. The headers field is expecting an array, but the field will only ever give a flat string to the operation, so I've also raised this to be fixed.

Cheers,

Steve

@Steve G - Hope you had a good & well deserved break.

Superb!!  Thanks for following this up.  Sorry to have created more work for you guys, but hope this helps others out in the future.

I'm determined to get this posting to Teams working.  This has been more work than I/we expected, given how easy it was with our previous ITSM tool.  Still a few more teething troubles to get sorted (see my other post re: Date fields showing as UTC in 'HTTP Request' post to Microsoft Teams ) - we are really keen to get this sorted.

@Steven Cotterell Thanks :) 

Yeah I've had a read of that thread. So is the issue that you're getting datetime values in UTC, and want to convert them to a specific timezone datetime before adding them to the new Teams post? We do have an API for that in the platform, so we could write an iBridge utility to do that if that's the case...

Cheers,

Steve
