Introduction

When an end-user calls into your helpdesk, one of the options you can use to verify their identity is to send them an end-user verification code or link through Microsoft Teams.

In order to send the verification code or link through Microsoft Teams, you must first customize the MSP Process Teams bot, and then deploy it to your client's Microsoft Teams environment.

Customizing the MSP Process Teams Bot

1. Login to the MSP Process UI (https://app.mspprocess.com)
2. Navigate to the Account Settings -> Teams Bot Configuration page
3. Configure the Bot so that it has your logo, is named appropriately (so that you your customers will understand who the messages are coming from), and has an appropriate description:
   • NOTE: For optimal readability, the logo you upload should be 192 x 192 pixels 
   • 
4. When everything has been configured, click the Get Zip File button

Deploying the Bot for Testing Purposes, to One User

You may wish to test out how the MSP Process Teams bot looks by first making it available in your own MS Teams environment. This can be done for a single user, allowing you (the user) to test things out before deploying it to your customers.

Source: These instructions come from a Microsoft KB article (here)

To upload the app to Teams

1. In the Teams client, select the Apps icon.

2. Select Manage your apps.

3. Select Upload an app.

4. Look for the option to Upload a custom app. If the option is visible, custom app upload is enabled.

   

    Note: Contact your Teams administrator, if you don't find the option to upload a custom app.

5. Select Open to upload the .zip file that you created earlier.

   

6. Click Add.

   

7. Select Open to use the app in personal scope.

   Alternatively, you can either search and select the required scope or select a channel or chat from the list, and move through the dialog to select Go.

   

   Congratulations! You have now deployed your MS Teams bot into your MS Teams environment, and you've made it available for testing purposes.

Deploying the MSP Process Teams Bot to a Client's Microsoft Teams Environment

1. Login to the Microsoft Teams Admin Center, and navigate to Teams Apps -> Manage Apps (Direct Link: https://admin.teams.microsoft.com/policies/manage-apps)
2. Click on Actions -> Upload new app
   • 
3. Click the Upload button to upload the .zip file that you created earlier.
   • 
4. Once the app has been uploaded, navigate to Teams Apps -> Setup Policies
5. Click the Add button to create a new policy
6. Give this app policy an appropriate Name and Description
   • 
7. In the Installed Apps section, click the Add apps button, and choose your MSP Process Teams bot
   • 
8. Click Save
9. Click on the Group policy assignment tab
   • 
10. Click the Add button, and assign your app policy to the appropriate list of end-users (in this example, I'm assigning the app to everyone)
    • 

That's it! You've now deployed your customized version of the MSP Process Teams bot to your client's Microsoft Teams environment.

Sending End-user Verification Codes/Links through Microsoft Teams

Now that you've deployed your customized version of the MSP Process Teams bot to your client's Microsoft Teams environment, you can start sending them end-user verification codes or links. For ConnectWise, HaloPSA, SuperOps.ai, Syncro or Zendesk partners, you'll click on the red shield beside the user's e-mail address:

You'll then be able to send that end-user either a code or a link through Microsoft Teams by clicking the apporpriate button:

For our Autotask partners, you'll see the two new Teams-related options (Teams Code and Teams Link) in the Verification feature, in the drop-down menu:

Requirements:

• An Admin-level account in MSP Process
• A "escalation" phone number you plan on giving to the AI VoiceAssist, so that it can escalate callers to a live agent

Configuring AI VoiceAssist:

1. Login to the MSP Process UI (https://app.mspprocess.com) with an Admin-level account
2. Navigate to Account Settings -> AI Assist
3. Click the Add New button
4. Fill in the required fields; note that the Incoming Phone Number is one that you can choose with an MSP Process team member, so that it's in your area code, or matches a sequence that you prefer. Contact us at help@support.mspprocess.com to get that setup for you.
   • 
5. Click the Create button to save your AI VoiceAssist configuration

What Do Those AI VoiceAssist Options Do?

• The Agent Name and Company Name options let you customize how the AI refers to itself and your company. For example, you can have it say "Hi there, it's James Bond from GoldenEye; how can I assist you today?"
• The Level option lets you choose how much troubleshooting you want the AI to perform:
  • Level 1 doesn't ask any troubleshooting questions
  • Level 2 asks some basic troubleshooting questions, such as "when did this issue start?", "what have you done to try to resolve the issue?" and "how is this impacting your business?"
  • Level 3 (currently in Beta) provides issue-specific troubleshooting steps, and will try to resolve the problem mentioned by the caller
• The Incoming Phone Number is the phone number you'd forward a caller to, so that the AI VoiceAssist picks up the call.
• The Ticket Properties option let you pick a Ticket Default; that Ticket Default controls the properties of the tickets that will be created in your PSA, such as the Board/Queue, Priority, Source, and more! Ticket Defaults are configurable from the Integrations -> PSA Integrations page.

Roles:

There are two Roles in MSP Process - Admin, and Technician. By default, users who are invited to the platform are given the Admin role. Here are the differences between the two Roles:

Permissions:

There are two permissions that can be applied to any User in MSP Process, regardless of what Role (Admin or Technician) they have been assigned:

• The Use MFA option forces that user to setup MFA
• The Allow Access to UI option offers you two choices:
  • If Disabled, the user can only login to the ConnectWise/Halo/Autotask pod, and cannot login to the main https://app.mspprocess.com website
  • If Enabled, the user can login to both the ConnectWise/Halo/Autotask pod and the main https://app.mspprocess.com website

Editing The Roles/Permissions of a User:

To edit a user's Role, or the Permissions assigned to that user, navigate to the Teams -> Users page, and then click the pencil icon for that user:

You'll then be presented with a screen that will allow you to edit that user's Roles and Permissions:

Introduction

The MSP Process platform can sync contacts from a variety of sources, including many common PSA platforms in the MSP market. Some MSPs don't use a supported PSA though - for example, they use an uncommon PSA, or they've built their own, homegrown solution. In other cases, Microsoft 365 is the "source of truth for a Contacts", and the PSA is downstream/synching contacts from Microsoft 365, so it makes sense to directly update those contacts in Microsoft 365, instead of in the PSA.

In those scenarios, MSPs can configure the MSP Process platform to directly sync Contacts with the end-user's Microsoft 365 contacts - allowing the MSP to leverage the End-user Verifcation, Secure Data Send, and Broadcast messaging features that are built into the platform.

Linking MSP Process with Microsoft 365

1. Login to the MSP Process UI
2. Navigate to the Integrations -> PSA Integrations menu
3. Click the Add button
   • 
4. Click on the Microsoft 365 option
   • 
5. Specify a name for the integation, and click the Submit button
   • 
6. Click on the Microsoft 365 card that is now listed on the PSA Integrations page
   • 
7. Take note of the ID at the end of the URL in your web browser; you'll need it later on if you're configuring MSP Process to integrate with a CSP M365 tenant.
   • 

Configuring the M365 Integration on a Tenant-by-Tenant Basis

1. MSP Process provides two way to link into your M365 tenants; either on a tenant-by-tenant basis, or - if you have a CSP M365 tenant, by leveraging GDAP relationships with your connected tenants. This section deals with the Tenant-by-Tenant option; the next section of this KB article will outline what do do in the CPS scenario.
2. Click the Connect to Microsoft 365 button to link MSP Process to a Microsoft 365 tenant
   • 
3. Follow the Microsoft UI flow to deploy the MSP Process app
   • 
4. You're done! Repeat with any other Microsoft 365 tenants that you want to link to the MSP Process platform.

Configuring the Integration for a M365 Cloud Solution Provider (CSP) Environment

1. Login to your Microsoft Azure portal (https://portal.azure.com)
2. Navigate to App Registrations
3. Add a new App Registration, and configure it as follows (note that the URL will change, depending on the ID of your M365 integration):
   • Name: MSP Process GDAP Contact Sync App
   • Supported Account Types: Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)
   • Redirect URI: Web; URI: https://api.mspprocess.com/MicrosoftContactsIntegrations/processGdapOnboarding/
   • 
4. Within the App Registration, go to Manage -> API Permissions, and assign the app the following permissions:
   • 
5. Within the App Registration, navigate to Manage -> Certificates & Secrets, and add a new Client Secret. Copy that Client Secret, as you'll need it in just a moment
   • 
6. In MSP Process, within the M365 integration that you created earlier, click the Connect to Microsoft 365 (GDAP) button
7. In the pop-up window that appears, enter the required information:
   1. The Domain Name of your M365 CSP tenant
   2. The Application ID of the app you just registered; this can be found on the Overview page of the App Registration
   3. The Client Secret from step #5
   4. 
8. Click Submit
9. When prompted, enter your Microsoft credentials
10. Once you're returned to the MSP Process UI, you'll see your GDAP-linked tenants:
    • 
11. Click the Sync Customer button, and then the Sync Users button

Interacting with Microsoft 365 Contacts in the MSP Process UI

Once you've integrated MSP Process with one or more Microsoft 365 tenants, you can view those Contacts from the Contacts menu:

From the Contacts page, you can view the Mobile Number and E-mail address of each contact. From the Actions column, you can open the MSP Process Pod, which will allow you to perform End-user Verification, securely send your customers data, and respond to Technician Verification requests.

Introduction:

By default, any e-mail sent by the MSP Process platform comes from noprely@mspprocess.com. For e-mails that are sent internally to an MSP, such as invites for technicians to join the MSP Process platform, this is a perfectly acceptable thing, but it's not ideal when dealing with e-mails that are sent to end-users, such as Opt-in forms and End-user Verification e-mails.

The MSP Process platform can be configured to send all of it's end-user facing e-mails through a Microsoft 365 shared mailbox - making it easy for any Partner to send our e-mails from a trusted Sender address of their choosing.

Configuring MSP Process to use a Microsoft 365 Shared Mailbox

1. Login to the MSP Process UI with an Admin account
2. Navigate to the Portal Settings -> Outgoing Mail page
3. Click the Start Setup button
   • 
4. Login to the Microsoft 365 tenant that owns the Shared Mailbox you wish to use
5. Approve the deployment of the MSP Process "Outbound Mail Module" application
   • 
6. You're now able to choose which mailbox you wish to use:
   • 
7. Click the Submit button to finish the setup process

Testing the Shared Mailbox Configuration

1. From the Portal Settings -> Outbound Mail page, click the Test button
   • 
2. You'll be brought to the Portal Settings -> Test E-mail page
3. Choose the "Opt-In Letter" as the e-mail to be sent, and specify the recipient's e-mail address
   • 
4. Click the Test button to send out the test e-mail
5. Confirm that the recipient received the e-mail, and that the Sender address is the Shared Mailbox

Deleting a Shared Mailbox Configuration

1. Navigate to the Portal Settings -> Outbound Mail page
2. Click the Delete button

E-mails that are sent through an M365 Shared Mailbox:

• Opt-in forms
• End-user verification - both codes and secure links
• Secure Data Send e-mails
• Invitations to the Client Portal

E-mails that are not sent through an M365 Shared Mailbox:

• Invites to join the MSP Process platform (sent via the Teams -> Invite Users page)
• Password reset e-mails
• E-mails from the "Notifications" feature

Introduction:

Several features in the MSP Process platform can send messages to Microsoft Teams channels:

• When a new text message is send to an SMS number
• When a new Live Chat is created
• When a new Client Portal chat is created

The goal of this KB article is to walk through how to setup a Workflow in Microsoft Teams that can accept the messages from the MSP Process platform, and to configure MSP Process so it knows about the Microsoft Teams channel.

Creating a Workflow in Microsoft Teams:

In the Microsoft Teams app, launch the Workflows feature by clicking on the ... menu item, and searching for "Workflows":

• In the Workflows app, click the button
• Click the button
• Create a workflow that looks like this:

Here's what the Parse JSON action should look like:

And here's the text that goes in the Schema field:

{

    "type": "object",

    "properties": {

        "text": {

            "type": "string"

        }

    }

}

Finally, here's how the "Post message in a chat or channel" action is configured:

Configuring a Microsoft Teams Connection in MSP Process:

1. Login to the MSP Process UI (https://app.mspprocess.com)
2. Navigate to the Portal Settings -> Teams Connections page
3. Click the Add button, and fill in the required fields:
   1. Give the connection a name
   2. In the URL field, paste the URL from the Microsoft Teams workflow
4. Click the Test button to ensure that the connection to your Microsoft Teams workflow is correctly setup
5. Click the Submit button to save the connection

Click the Test button; you should see the message "Hello, World" in the Microsoft Teams channel you specified in the Workflow.

Introduction

Microsoft Entra is a popular external Identity Provider (external IDP) that can be used to authenticate your technicians when they login to the MSP Process platform. The goal of this KB article is to walk through how to setup Single Sign-on (SSO) between the MSP Process platform and Microsoft Entra, to review what's created in your Azure tenant when you configure Microsoft Entra as an external IDP, and to outline some additional settings that you can configure to further secure this capability.

Linking the MSP Process Platform to Microsoft Entra

When you first login to the MSP Process platform, a wizard will prompt you to setup the integration with Microsoft:

The first person to take this step will be asked to install the MSP Process Enterprise Application - this Application is what facilitates an SSO login. You'll want to make sure that the Microsoft identity you use during this first step has sufficient rights to install Enterprise Apps in your M365 tenant.

Once that process has been completed, you'll have an "MSP Process" Enterprise Application in your Microsoft Azure environment:

When your colleagues then login to MSP Process, and they also link their MSP Process account to Microsoft using our Setup Wizard, they will (regardless of their permissions in Microsoft 365) have their account successfully linked to their identity in Microsoft 365. 

Further Securing the MSP Process Enterprise Application by Requiring User Assignment

By default a newly-created Enterprise Application in Microsoft Azure does not have the Assignment Required option enabled. This means that any user in Entra can - if they have the correct credentials - login to the MSP Process application using their Microsoft Entra credentials. By enabling the Assignment Required option, you can limit access to the MSP Process platform to only the users in your organization who require access to it.

1. Sign in to the Microsoft Azure portal.
2. Using the search field at the top of the page, look for Enterprise Applications.
3. Click on the MSP Process application.
4. Navigate to the Manage -> Properties tab
5. Enable the Assignment Required option
6. Click Save to save the change to the Application
7. Navigate to the Manage -> Users and Groups tab
8. Click the Add User/Group button to assign the appropriate users to the MSP Process application

That's it! You've now limited who can login to the MSP Process platform to only those in your organization who should have access to it.

Further Securing the Enterprise Application by Applying a Conditional Access Role

Limiting who can login to the MSP Process platform by requiring them to be explicitly assigned to the Enterprise Application in Azure is an excellent step. There's a further step that can be taken, which is to apply the Require phishing-resistant multifactor authentication for administrators Conditional Access Policy. Applying this policy ensures that only users who have already authenticated to Microsoft Entra using both a password and a phishing-resistant method of MFA - such as Windows Hello for Business, a FIDO2 security key, or Microsoft Entra certificate-based authentication - are able to login to the MSP Process platform. More details on phishing-resistant MFA can be found in this Microsoft KB article.

Instructions from Microsoft on what the Conditional Access Policy does and how it can be configured are available here. The steps specific to the MSP Process platform are:

1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
2. Browse to Protection > Conditional Access.
3. Select Create new policy.
4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
5. Under Target resources > Cloud apps > Include, select the MSP Process Enterprise Application.
6. Under Access controls > Grant, select Grant access, Require authentication strength, select Phishing-resistant MFA, then select Select.
7. Confirm your settings and set Enable policy to Report-only.
8. Select Create to create to enable your policy.

To configure the default settings for the Secure Data Send feature, login to the main MSP Process UI (https://app.mspprocess.com), and navigate to the Portal Settings -> Secure Data Settings page. 

The Secure Data Settings page allows you to configure how sending both text and files will behave. You can also choose to lock down these settings, so they can't be modified by your Technicians. 

Disable technician ability to change link, logs and file settings on secure data page - This locks the settings that a technician sees when sending a customer data or text.

Enable File Sending - This enables the ability to securely send files to your customers. By default, it's enabled.

Single Use Link - This makes it so that the end-user can only access the text/data once.

Time to live for secure text send links - When sending text, this controls how long the link will be active. 

Save Logs to Ticket/Contact - This will save the actions of the tech and the user regarding the link. This includes when the tech sent it, and when the user opened it. 

Save logs to internal note - This will save logs of all actions to the internal note on your PSA instead of public discussion note section. 

Save data to internal note - Whatever password or text is sent to the user would be logged as an internal note. By default this option is disabled.

File save expiration period - Controls how long a file will be available. Default is 1 day.

File save location - Controls which region the file will be stored. By default this will be in the same country that was specified for your tenant with MSP Process. There is storage available in the following regions:

• One in Canada Central (located in Toronto)
• Another in Central US (located in Iowa)
• Another in Europe (located in Frankfurt, Germany)
• Another in Australia East (based in Sydney)
• And one in UK South (based in London)

Page Header Text - This is the header displayed to the user above the link when they receive the message and click the link. 

Message on Reveal Secure Data - This is a message is revealed once the user shows the data from the link. 

SMS Template - Messaging that is sent with the SMS link to the user. You can put text before and/or after the link. Do note remove the ${link} as this will break the functionality. 

Email Template - Same as above, you can add text before and/or after the link. 

Click on Portal Settings -> Settings. Then Select upload new Image.