With great power comes great responsibility: Ensure that Microsoft Teams Owners are digitally literate


Uncle Ben was right — and if we translate this famous quote into our Microsoft 365 universe we know: 

If we give users great tools with great power, we also need to make sure to properly skill them up. We also need a lean process to deal with common asks.

Work from home is the new normal

Perhaps this image relates at least a little bit to you. I for one can admit that, although I was already used to working SOMETIMES from home, this crisis is a game changer.

In my work as a Consultant, I see a lot of companies that weren’t ready for this step — and they now need fast solutions:

  • Solutions to deploy software at scale
  • Skill up their employees
  • Simplify IT processes

So very obviously, it’s the time for Microsoft Teams!

Everyone now wants to work with Teams as it provides us the workplace we need to be able to work from anywhere. And with Teams comes the relatively new (at least for an end user) concept of ownership. Owning a Team gives you some very nice powers, but we need to use them wisely and ensure that users know about that. Users nowadays keep asking for new Teams like that:

But in my daily life as a consultant I see two extremes: On the one hand, there are companies with very restrictive IT departments: They block, sanction and control as much as they can. This leads to users who become very creative in finding a way to get their stuff done. They will use shadow IT solutions which no works council has approved, no data security officer has seen and no one from IT has tested.

On the other side I see Teams overadoption. Users who can just click the magic “Create a new team” button without any restriction, approval, training or process whatsoever will create a lot of teams that should be channels, and channels that should be chats. In short: they overadopt.

The key, therefore, is to balance these extremes. I want the right balance to fulfil both the needs of users, who just want to collaborate as intended within Teams, and of IT, whose job is to ensure not only smooth but also secure operations. Plus, I want to improve the level of digital literacy in the company, which is important not only in the short term.

Perhaps you read my last blog post about Unf*cking User Experience and simplifying IT processes with Power Virtual Agent and Power Automate. I want to use this solution and take it to the next level with a few tweaks to make sure that digital literacy is taken into account as well.

Solution Overview

Instead of trying to take over the world I decided to go with this approach:

The user asks a natural-language chatbot for a new team; our first flow picks up this information and checks whether the user is already in an Azure AD security group called Educated Users. If the owner-to-be is already a member of this Educated Users security group, a second flow gets the manager’s approval and provisions the team. If the user is not a member of this group, the user is invited to a training and a test.

If the user passes the test, he/she is added to the group of Educated Users (which means that for the next team request, he/she doesn’t need to pass a test again) and the second flow gets the manager’s approval and provisions the team.

If the user doesn’t pass the test OR if the manager doesn’t approve, notifications are sent and the process ends.

To achieve this, I actually thought about Lego — and built it brick by brick:

Let‘s first build The Basics:

  • 2 Security Groups in Azure AD for Educated Users and Uneducated Users
  • Events for training in an Outlook calendar
  • Form for training session invitations in Microsoft Forms
  • Flow to send session invitations
  • Form to test users
  • Flow to log tests in a SharePoint list
  • SharePoint list to calculate the result with a few calculated columns
  • SharePoint list to log all teams requests

2 Security Groups in Azure AD

Just go to portal.azure.com, click on GROUPS and then on NEW GROUP. Give the groups names like “Educated” or “Uneducated”. Assign your users to the groups. If I were you, I would put all users in the Uneducated group by default.

Form for training session invitations in Microsoft Forms

Flow to send session invitations

This one is quite easy: just get the response details of the form and use a simple filter query to get the right event from the calendar, then update the event by adding the user to it.

Form to test users

I thought this would be a super easy one. Forms is able to do surveys (there are no correct answers) and quizzes (there ARE correct answers). I just assumed that I could use the score of a quiz in a flow to see if a user has passed the test, but it turned out there is no way to do that, so I created a normal survey and used the SharePoint list to calculate the outcome of the test.

SharePoint list to calculate the result with a few calculated columns

I used the following calculated columns:

Flow to log tests in a SharePoint list

This flow just creates items in our SharePoint list

Now that we have built the basics (and even the first two tiny flows), let’s get our hands dirty! We need

  • a Chat Bot in Power Virtual Agent
  • a flow that‘s called from PVA
  • a 2nd flow to provision a Team based on the information we got out of the first flow
  • to Publish our Bot & add it as an App in Teams

Here we go — I described part of this process, as already mentioned, in one of my last blog posts — but as we deal with evergreen software and there are now dedicated triggers and actions for Power Virtual Agent, I will give it another round.

Create a Bot in Power Virtual Agent

– very obviously! But don’t fear! I had never built a chat bot before and was able to do that, and so will you! We will start very easy.

Just go to powerva.microsoft.com, register or log in — there is a free trial. (I will write some words about licensing later.)

Create a new topic and enter some trigger phrases. Don’t try to be too formal, chat bot supports natural language understanding.

Now you can outline the conversation in the Authoring Canvas. It’s a bit like Visio — very visual interface — no coding required. Only thing is, when you want to do loops or add some more logic, it gets a bit chaotic — so try to keep it simple and let the flow do the logic for you.

I just asked all the questions I need to get answered to provision a team like team name, description, owner and visibility. Additionally, I asked questions about the first three members and a channel. I saved all inputs as Variables and gave them easily recognizable names like VarOwner or VarTeamName.

Now we need to create a flow from within the PVA and then call this flow from the bot.

a flow that‘s called from PVA

It’s very easy — just click on the + sign to create the next node after your last question / message in PVA and click on CALL AN ACTION and then CREATE A FLOW

The PVA template will open up in a new browser tab. Save this template with a new name. Now it’s time to understand what this flow needs to do:

New: no JSON code required — just type in what you want the flow to pick up:

Now we need to initialize a ton of variables for all the information the user gives us so we can provision the team like team name, description, privacy, owner, members and first channel. Not everything of that is required for your minimal viable product.

You might have noticed, that I already got the manager of the user as well — I will need the manager later in a notification.

After we took care of all variables we need to check the group membership of our owner.

The CHECK GROUP MEMBERSHIP action returns the Group ID as a string if the user is a member of the group and NULL if the user isn’t a member of that group.

Expression: empty(null)

If he/she is in the Educated group, we can just log the request in the SharePoint list we already prepared.

If the user is still in the Uneducated group, we need to invite him/her to a training and test him/her (and wait a bit so he/she can complete this).

To invite the user to the training and link him/her to the test, I used an Adaptive Card. If you have never used Adaptive Cards before, just go to https://adaptivecards.io/designer, select MICROSOFT TEAMS as host application and replace the text of one of the samples with your text in the visual editor. Below, the Designer autogenerates some JSON for you — copy-paste this into a POST YOUR OWN ADAPTIVE CARD AS A FLOW BOT TO A USER action.

This is what our Card then looks like:

The clickable buttons link directly to the forms for training sessions (remember, we already built a flow to invite users automatically!) and the quiz (yet again, our flow logs the answers and SharePoint calculates the result for us!)

Now we need to know if the user passed the test:

If user passes the test, he / she will be added to the Educated Group and we log the request in SharePoint. If user doesn’t pass, we will just send notifications and end the process.

Small hint: If you are testing your flow, do yourself a favor and create an additional flow to undo the actions of group membership 🙂

Now the core of our work:

Create a 2nd flow to provision a Team based on the information we got out of the first flow

Before we are going to create this flow, we need an overview about what this flow will be doing:

So when I first wanted to automate the provisioning of teams with Power Automate, I thought — how hard can this be? But then, I was like, Bummer — there is no “Create a team” action in flow! So what could I do?

Microsoft Graph to the rescue!

So, actually, we can use the Microsoft Graph to create Teams, add members, create channels and a lot more, but we first need to authenticate to make this magic happen.

To do so, we need to

register an app in Azure AD

For everyone who is not super familiar with that concept: please go to portal.azure.com, click on APP REGISTRATIONS, and click NEW REGISTRATION. Give it a nice name and save the ID of your tenant and the ID of our App (Client). After that, click on API PERMISSIONS (use APPLICATION) and select MICROSOFT GRAPH. We need to add the Group.ReadWrite.All permission and grant admin consent for that as well. If you are your own Global Admin — congrats! If not, you need to wait until this is granted by an admin.

To make it work, we also need an App Secret. Please save this little dude when you see it, because you won’t see it ever again. And the funny thing is: It will expire the day you want to demo it! — It’s like when your machine wants to update 10 minutes before your session starts. #BeenThereDoneThat

This is what you need to do in the 2nd flow in Power Automate:

Your trigger is WHEN A NEW ITEM IS CREATED (remember, the PVA flow will end with this action, so basically, the PVA flow kicks off our second flow )

Now we need to initialize the following variables:

  • Tenant ID, App ID, App Secret are strings and we get all these IDs out of the app registration of the previous step
  • Group ID is a string as well but is empty for now
  • I was so tired of typing the Graph URL over and over that I put it into a var as well — this is optional — but bonus points as you are now on the same level of laziness as I am 🙂
  • We will later need the MailNickname to provision the Team. The MailNickname is the display name of the Team WITHOUT spaces, so I just used a super simple replace expression: replace(triggerBody()?['Title'],' ','') which just means: replace all spaces with nothing

Manager’s Approval

I’m quite sure you already saw this before, but in case you haven’t, this is how it works, as I again want a nice and fancy Adaptive Card in Teams for the Approval:

Depending on the outcome, we let the Microsoft Graph first create a group and then update it to a team, or we end the process if the manager doesn’t approve. Here is what happens if the Outcome is not Approved:

We update our SharePoint list (status is now rejected), post another Adaptive Card to our user to inform him/her, and terminate the process.

If the Outcome of the Approval is Approved, we need to update our List as well and add an HTTP Call to first create a Group:

You can find all required JSON on docs.microsoft.com — Plus it is highly recommended to first test everything in Graph Explorer

As we do not only want an Office 365 Group (Caution, Microsoft is renaming to Microsoft 365 groups!) but also a Team based on that group, we need the Group ID. To get this ID (remember, we initialized an empty var for that already!), we need the parse JSON action and set our Group ID var to that value:

Now it’s time to use another two HTTP calls for creating the Team and adding the channel:

Please keep in mind to expand the SHOW ADVANCED OPTIONS and enter all authentication information as shown in the Create a group step. Now update your SharePoint list (status is now created) and inform your user with another Adaptive Card in Teams:
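As an added example (not the author's flow and not Microsoft's code), here are the three Graph calls of this second flow written as Python request builders. It goes beyond the space-only replace() by stripping every character Graph rejects in mailNickname, and it builds the bodies with json.dumps so a team name typed into the chatbot cannot break the JSON. The function names, the item fields Description and Visibility, and the sample values are assumptions; nothing is sent over the network.

```python
import json
import re

GRAPH = "https://graph.microsoft.com/v1.0"
# Characters Graph rejects in mailNickname: @ ( ) \ [ ] " ; : < > , and space
DISALLOWED = re.compile(r'[@()\\\[\]";:<>,\s]')


def mail_nickname(display_name: str) -> str:
    """Team display name -> mailNickname (ASCII only, max 64 characters)."""
    ascii_only = display_name.encode("ascii", "ignore").decode("ascii")
    nick = DISALLOWED.sub("", ascii_only)[:64]
    if not nick:
        raise ValueError("team name leaves no usable mailNickname")
    return nick


def group_request(item: dict, owner_id: str) -> dict:
    """Build the POST that creates the Microsoft 365 group; json.dumps escapes user input."""
    body = {
        "displayName": item["Title"],
        "description": item["Description"],
        "mailNickname": mail_nickname(item["Title"]),
        "mailEnabled": True,
        "securityEnabled": False,
        "groupTypes": ["Unified"],
        "visibility": item["Visibility"],
        "owners@odata.bind": [f"{GRAPH}/users/{owner_id}"],
    }
    return {"method": "POST", "url": f"{GRAPH}/groups", "body": json.dumps(body)}


def team_and_channel_requests(group_response: str, channel: str) -> list:
    """Take the group ID from the create-group reply and build the next two calls."""
    group_id = json.loads(group_response)["id"]
    if not re.fullmatch(r"[0-9a-fA-F-]{36}", group_id):
        raise ValueError("unexpected group id in Graph response")
    team = {"memberSettings": {"allowCreateUpdateChannels": True}}
    return [
        {"method": "PUT", "url": f"{GRAPH}/groups/{group_id}/team", "body": json.dumps(team)},
        {"method": "POST", "url": f"{GRAPH}/teams/{group_id}/channels",
         "body": json.dumps({"displayName": channel})},
    ]


# Constructed sample data: one row of the request list and a shortened Graph reply
SAMPLE_ITEM = {"Title": 'Project "Apollo" <2020>', "Description": "Launch planning",
               "Visibility": "Private"}
SAMPLE_GROUP_RESPONSE = '{"id": "11111111-2222-3333-4444-555555555555"}'
```

Each returned dict maps onto one HTTP action in the flow (method, URI, body); the authentication fields stay in the action's advanced options as described above.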

Publish our Bot & add it as an App in Teams

To publish your Bot, just click on Publish in PVA and choose Microsoft Teams as Channel. Copy the APP ID and open App Studio in Teams, where you can create apps. Paste in this App ID and fill in Name, Description and some links for your privacy statement and terms of use. As valid Domain use token.botframework.com. Download your app as a package and then install it from Teams App Catalogue — There you go!

This is our result as a Gif:

Coming back to the purpose of solutions like this:

The goal is to enable users and to give them great powers! We now have an easily maintainable solution for IT and a very lean process for the business side of a company to request common asks. We are more efficient as we only need to involve human working time if needed. We don’t need to spend lots of time to make users adopt this system as the interface is easy to understand even for users who are not that tech savvy.

And we have a good chance to narrow the historical gap between business and IT. I mean, by background I am not an IT person myself, so I can really understand users, who feel uncomfortable with smart ass IT people who know everything better. And I can also relate to my IT colleagues, who are just tired of blocking everything instead of being able to enable users. So again, this is really a nice move towards each other. It’s a #BetterTogether story.

Licensing

A few words about Licensing. Both Power Automate and Power Virtual Agents are not free — so I will show you everything I know about licensing: It’s next to godliness.

Microsoft somehow provides a gazillion pages of licensing guide, and I hope that at some point it will be as easy to understand as it is to use a chat bot.

Good thing: there is a free Community plan to learn and share!

Feedback, Questions?

Please clap if you liked this post and give me feedback if you want to add your thoughts on that. Looking forward to connecting with you on Twitter as well.

Luise

Luise is an independent Microsoft 365 Consultant, Microsoft MVP for Office, Apps & Services, Sketchnotes Artist and Power Platform Advocate based in Germany. Do you need help with your project, want to exchange views or just connect? Feel free to follow me on Twitter, LinkedIn or get in touch via contact form.

2 thoughts on “With great power comes great responsibility: Ensure that Microsoft Teams Owners are digitally literate”

  1. Tried something similar but on “Manager’s Approval” the “Wait for an approvals” waits and waits and waits. No idea why. Any suggestions?
