Sigue estos pasos para crear una aplicación de Microsoft Azure en el portal de Azure. Si usas el método avanzado de importación de datos para copiar datos de Microsoft Teams a tus cuentas de Google Workspace, necesitas la aplicación de Azure para garantizar una importación de datos segura. Puedes elegir uno de los siguientes 2 métodos:
- Usa una secuencia de comandos de PowerShell para configurar una conexión automática
- Cómo usar Azure Active Directory para configurar una conexión manual
Usa una secuencia de comandos de PowerShell para configurar una conexión automática
Debes ser administrador con un rol global o privilegiado para completar estos pasos.
Opción 1: Usa Azure Cloud Shell
- Como administrador, accede al portal de Azure.
- Haz clic en Cloud Shell
PowerShell. - Si se te solicita, crea una cuenta de almacenamiento y acepta la configuración predeterminada.
- Para crear la aplicación, ingresa el siguiente comando y, luego, haz clic en Intro:
Install-Module Microsoft.Graph -Scope CurrentUser
- Si ves un mensaje para instalar desde un repositorio no confiable, ingresa Y y, luego, haz clic en Intro.
- Copia el siguiente bloque de código, pégalo en PowerShell y haz clic en Intro.
<# .SYNOPSIS Automates the creation of a Single-Tenant Entra ID App for Workspace Migration. Strictly forces account selection and verifies specific Admin roles. #> # Check if the module is missing if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Authentication)) { Write-Host "Microsoft Graph module is NOT installed." -ForegroundColor Yellow $UserResponse = Read-Host "Would you like to try installing Microsoft Graph? (Y/N)" if ($UserResponse -ieq "Y") { try { # Use only native cmdlets, no .NET property setting Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force -AllowClobber Write-Host "Installation complete!" -ForegroundColor Green } catch { Write-Error "Policy is blocking installation. Please contact IT to install Microsoft.Graph module." Read-Host "Press Enter to exit"; exit } } else { exit } } else { Write-Host "Microsoft Graph modules detected. Proceeding..." -ForegroundColor Green } # --- STEP 0: THE "DEEP" LOGOUT --- Write-Host "Forcing session cleanup..." -ForegroundColor Gray Disconnect-MgGraph -ErrorAction SilentlyContinue # Force clear the local token cache folder if it exists $CachePath = "$env:USERPROFILE\.mg" if (Test-Path $CachePath) { try { Remove-Item $CachePath -Recurse -Force -ErrorAction SilentlyContinue } catch {} } Write-Host "Opening Microsoft Login... (Please select the correct account)" -ForegroundColor Cyan $RequiredScopes = @( "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Directory.Read.All", "RoleManagement.Read.Directory" ) try { # In v2, -ContextScope Process is the most reliable way to force account selection # and prevent the session from saving to the machine permanently. Connect-MgGraph -Scopes $RequiredScopes -ContextScope Process $Context = Get-MgContext if ($null -eq $Context) { throw "Login was cancelled or failed." } $UserPrincipal = $Context.Account Write-Host "Logged in as: $UserPrincipal" -ForegroundColor Green # --- ROLE VALIDATION --- Write-Host "Verifying Directory Roles..." -ForegroundColor Gray $UserRoles = Get-MgUserMemberOf -UserId $Context.Account -All | Where-Object { $_.AdditionalProperties.displayName -ne $null } $Authorized = $false $RequiredRoles = @("Global Administrator", "Privileged Role Administrator") foreach ($role in $UserRoles) { $roleName = $role.AdditionalProperties.displayName if ($roleName -in $RequiredRoles) { $Authorized = $true Write-Host "Access Granted: $roleName" -ForegroundColor Green break } } if (-not $Authorized) { Write-Host "`nCRITICAL ERROR: Insufficient Privileges." -ForegroundColor Red Write-Host "Account must be 'Global Administrator' or 'Privileged Role Administrator'." -ForegroundColor Yellow Disconnect-MgGraph Read-Host "`nPress Enter to exit"; exit } } catch { Write-Error "Login failed: $_" Read-Host "Press Enter to exit"; exit } # --- USER INPUT --- Write-Host "`n--- APPLICATION SETUP ---" -ForegroundColor Cyan $InputName = Read-Host "Enter the name for your new Entra ID Application (Default: Workspace Migration App)" $AppName = if ([string]::IsNullOrWhiteSpace($InputName)) { "Workspace Migration App" } else { $InputName } # --- CONFIGURATION --- # Updated Map containing all the requested application permissions $PermissionMap = @{ "member.read.hidden" = "Member.Read.Hidden" "organization.read.all" = "Organization.Read.All" "channelmember.read.all" = "ChannelMember.Read.All" "channelmessage.read.all" = "ChannelMessage.Read.All" "channelsettings.read.all" = "ChannelSettings.Read.All" "group.read.all" = "Group.Read.All" "team.readbasic.all" = "Team.ReadBasic.All" "teammember.read.all" = "TeamMember.Read.All" "user.read.all" = "User.Read.All" “application.read.all” = “Application.Read.All” } $TenantId = $Context.TenantId $GraphAppId = "00000003-0000-0000-c000-000000000000" try { # --- STEP 1: REGISTER APPLICATION --- Write-Host "Creating Application: $AppName..." -ForegroundColor Cyan $Application = New-MgApplication -BodyParameter @{ displayName = $AppName signInAudience = "AzureADMyOrg" } # --- STEP 2: PREPARE SERVICE PRINCIPAL --- $NewServicePrincipal = New-MgServicePrincipal -BodyParameter @{ appId = $Application.AppId } Write-Host "Waiting 10 seconds for replication..." -ForegroundColor DarkGray Start-Sleep -Seconds 10 # --- STEP 3: CONFIGURE & GRANT PERMISSIONS --- Write-Host "Configuring API Permissions & Granting Admin Consent..." -ForegroundColor Cyan $GraphSP = Get-MgServicePrincipal -Filter "AppId eq '$GraphAppId'" | Select-Object -First 1 $ResourceAccessList = @() foreach ($key in $PermissionMap.Keys) { $RealRoleName = $PermissionMap[$key] $Role = $GraphSP.AppRoles | Where-Object { $_.Value -eq $RealRoleName } if ($Role) { $ResourceAccessList += @{ id = $Role.Id; type = "Role" } New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $NewServicePrincipal.Id -BodyParameter @{ principalId = $NewServicePrincipal.Id resourceId = $GraphSP.Id appRoleId = $Role.Id } | Out-Null Write-Host " - Granted: $RealRoleName" -ForegroundColor Gray } } Update-MgApplication -ApplicationId $Application.Id -RequiredResourceAccess @(@{ resourceAppId = $GraphAppId resourceAccess = $ResourceAccessList }) # --- STEP 4: CREATE CLIENT SECRET --- Write-Host "Generating Client Secret..." -ForegroundColor Cyan $ExpiryDate = (Get-Date).AddYears(2).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ") $PasswordCred = Add-MgApplicationPassword -ApplicationId $Application.Id -BodyParameter @{ passwordCredential = @{ displayName = "MigrationToolSecret" endDateTime = $ExpiryDate } } # --- OUTPUT --- Write-Host "`n-------------------------------------------------------" -ForegroundColor Yellow Write-Host " SETUP COMPLETE - SAVE THESE DETAILS" -ForegroundColor Yellow Write-Host "-------------------------------------------------------" -ForegroundColor Yellow Write-Host "Application Name : $AppName" Write-Host "Application (Client) ID : $($Application.AppId)" Write-Host "Client Secret Value : $($PasswordCred.SecretText)" Write-Host "Directory (Tenant) ID : $TenantId" Write-Warning "IMPORTANT: Copy the Client Secret Value immediately." } catch { Write-Error "Operation failed: $_" } # --- FINAL DISCONNECT --- Disconnect-MgGraph Read-Host "`nPress Enter to close this window"
- Toma nota de las siguientes credenciales y guárdalas de forma segura. Si se filtran las credenciales, los hackers podrían acceder a todos tus datos de Teams.
- Secreto del cliente
- ID de app (cliente)
- ID del directorio (inquilino)
Opción 2: Usa Windows PowerShell
- En Windows, crea un archivo de texto sin formato nuevo y asígnale el nombre migration_app_creator.ps1.
- Copia el siguiente bloque de código, pégalo en el archivo nuevo y haz clic en Ejecutar con PowerShell.
<# .SYNOPSIS Automates the creation of a Single-Tenant Entra ID App for Workspace Migration. Strictly forces account selection and verifies specific Admin roles. #> # Check if the module is missing if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Authentication)) { Write-Host "Microsoft Graph module is NOT installed." -ForegroundColor Yellow $UserResponse = Read-Host "Would you like to try installing Microsoft Graph? (Y/N)" if ($UserResponse -ieq "Y") { try { # Use only native cmdlets, no .NET property setting Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force -AllowClobber Write-Host "Installation complete!" -ForegroundColor Green } catch { Write-Error "Policy is blocking installation. Please contact IT to install Microsoft.Graph module." Read-Host "Press Enter to exit"; exit } } else { exit } } else { Write-Host "Microsoft Graph modules detected. Proceeding..." -ForegroundColor Green } # --- STEP 0: THE "DEEP" LOGOUT --- Write-Host "Forcing session cleanup..." -ForegroundColor Gray Disconnect-MgGraph -ErrorAction SilentlyContinue # Force clear the local token cache folder if it exists $CachePath = "$env:USERPROFILE\.mg" if (Test-Path $CachePath) { try { Remove-Item $CachePath -Recurse -Force -ErrorAction SilentlyContinue } catch {} } Write-Host "Opening Microsoft Login... (Please select the correct account)" -ForegroundColor Cyan $RequiredScopes = @( "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Directory.Read.All", "RoleManagement.Read.Directory" ) try { # In v2, -ContextScope Process is the most reliable way to force account selection # and prevent the session from saving to the machine permanently. Connect-MgGraph -Scopes $RequiredScopes -ContextScope Process $Context = Get-MgContext if ($null -eq $Context) { throw "Login was cancelled or failed." } $UserPrincipal = $Context.Account Write-Host "Logged in as: $UserPrincipal" -ForegroundColor Green # --- ROLE VALIDATION --- Write-Host "Verifying Directory Roles..." -ForegroundColor Gray $UserRoles = Get-MgUserMemberOf -UserId $Context.Account -All | Where-Object { $_.AdditionalProperties.displayName -ne $null } $Authorized = $false $RequiredRoles = @("Global Administrator", "Privileged Role Administrator") foreach ($role in $UserRoles) { $roleName = $role.AdditionalProperties.displayName if ($roleName -in $RequiredRoles) { $Authorized = $true Write-Host "Access Granted: $roleName" -ForegroundColor Green break } } if (-not $Authorized) { Write-Host "`nCRITICAL ERROR: Insufficient Privileges." -ForegroundColor Red Write-Host "Account must be 'Global Administrator' or 'Privileged Role Administrator'." -ForegroundColor Yellow Disconnect-MgGraph Read-Host "`nPress Enter to exit"; exit } } catch { Write-Error "Login failed: $_" Read-Host "Press Enter to exit"; exit } # --- USER INPUT --- Write-Host "`n--- APPLICATION SETUP ---" -ForegroundColor Cyan $InputName = Read-Host "Enter the name for your new Entra ID Application (Default: Workspace Migration App)" $AppName = if ([string]::IsNullOrWhiteSpace($InputName)) { "Workspace Migration App" } else { $InputName } # --- CONFIGURATION --- # Updated Map containing all the requested application permissions $PermissionMap = @{ "member.read.hidden" = "Member.Read.Hidden" "organization.read.all" = "Organization.Read.All" "channelmember.read.all" = "ChannelMember.Read.All" "channelmessage.read.all" = "ChannelMessage.Read.All" "channelsettings.read.all" = "ChannelSettings.Read.All" "group.read.all" = "Group.Read.All" "team.readbasic.all" = "Team.ReadBasic.All" "teammember.read.all" = "TeamMember.Read.All" "user.read.all" = "User.Read.All" “application.read.all” = “Application.Read.All” } $TenantId = $Context.TenantId $GraphAppId = "00000003-0000-0000-c000-000000000000" try { # --- STEP 1: REGISTER APPLICATION --- Write-Host "Creating Application: $AppName..." -ForegroundColor Cyan $Application = New-MgApplication -BodyParameter @{ displayName = $AppName signInAudience = "AzureADMyOrg" } # --- STEP 2: PREPARE SERVICE PRINCIPAL --- $NewServicePrincipal = New-MgServicePrincipal -BodyParameter @{ appId = $Application.AppId } Write-Host "Waiting 10 seconds for replication..." -ForegroundColor DarkGray Start-Sleep -Seconds 10 # --- STEP 3: CONFIGURE & GRANT PERMISSIONS --- Write-Host "Configuring API Permissions & Granting Admin Consent..." -ForegroundColor Cyan $GraphSP = Get-MgServicePrincipal -Filter "AppId eq '$GraphAppId'" | Select-Object -First 1 $ResourceAccessList = @() foreach ($key in $PermissionMap.Keys) { $RealRoleName = $PermissionMap[$key] $Role = $GraphSP.AppRoles | Where-Object { $_.Value -eq $RealRoleName } if ($Role) { $ResourceAccessList += @{ id = $Role.Id; type = "Role" } New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $NewServicePrincipal.Id -BodyParameter @{ principalId = $NewServicePrincipal.Id resourceId = $GraphSP.Id appRoleId = $Role.Id } | Out-Null Write-Host " - Granted: $RealRoleName" -ForegroundColor Gray } } Update-MgApplication -ApplicationId $Application.Id -RequiredResourceAccess @(@{ resourceAppId = $GraphAppId resourceAccess = $ResourceAccessList }) # --- STEP 4: CREATE CLIENT SECRET --- Write-Host "Generating Client Secret..." -ForegroundColor Cyan $ExpiryDate = (Get-Date).AddYears(2).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ") $PasswordCred = Add-MgApplicationPassword -ApplicationId $Application.Id -BodyParameter @{ passwordCredential = @{ displayName = "MigrationToolSecret" endDateTime = $ExpiryDate } } # --- OUTPUT --- Write-Host "`n-------------------------------------------------------" -ForegroundColor Yellow Write-Host " SETUP COMPLETE - SAVE THESE DETAILS" -ForegroundColor Yellow Write-Host "-------------------------------------------------------" -ForegroundColor Yellow Write-Host "Application Name : $AppName" Write-Host "Application (Client) ID : $($Application.AppId)" Write-Host "Client Secret Value : $($PasswordCred.SecretText)" Write-Host "Directory (Tenant) ID : $TenantId" Write-Warning "IMPORTANT: Copy the Client Secret Value immediately." } catch { Write-Error "Operation failed: $_" } # --- FINAL DISCONNECT --- Disconnect-MgGraph Read-Host "`nPress Enter to close this window"
- Secreto del cliente
- ID de app (cliente)
- ID del directorio (inquilino)
Usa Azure Active Directory para configurar una conexión manual
Los pasos específicos de Microsoft pueden variar según la versión del portal de Azure y las actualizaciones que realice Microsoft. Consulta la documentación de Microsoft para obtener la orientación más reciente sobre el registro y la autorización de aplicaciones.
Paso 1: Registra una aplicación nueva
Por motivos de seguridad, te recomendamos que registres la nueva aplicación como un solo arrendatario.
- Como administrador, accede al portal de Azure.
- En Azure Active Directory (Azure AD), ve a Registros de aplicaciones.
- Haz clic en New Registration y, luego, ingresa un nombre para tu aplicación (por ejemplo, Advanced import app).
- En Tipos de cuentas compatibles, haz clic en Cuentas solo en este directorio de la organización para crear una aplicación de un solo arrendatario.
- Haz clic en Register.
Paso 2: Configura los permisos de API
Elige una de las siguientes opciones:
Opción 1: Agrega permisos de forma manual
- En el lateral, en Administrar, haz clic en Permisos de API.
- Haz clic en Agregar un permisoAPIs de MicrosoftMicrosoft Graph.
- En permisos de aplicación, selecciona lo siguiente:
- Application.Read.All
- ChannelMember.Read.All
- ChannelMessage.Read.All
- ChannelSettings.Read.All
- Group.Read.All
- Member.Read.Hidden
- Organization.Read.All
- Team.ReadBasic.All
- TeamMember.Read.All
- User.Read.All
- Haz clic en Grant admin consent for your organization.
Opción 2: Edita el manifiesto de la aplicación
- Abre el manifiesto de la aplicación.
- Ve a “resourceAccess” : [ ] y elige una opción:
- Si “resourceAccess” : [ ] ya tiene un valor, agrega una coma y, luego, pega el siguiente bloque de código.
- Si “resourceAccess” : [ ] no tiene un valor, copia y pega el siguiente bloque de código.
{ "id": "658aa5d8-239f-45c4-aa12-864f4fc7e490", "type": "Role" },
{ "id": "498476ce-e0fe-48b0-b801-37ba7e2685c6", "type": "Role" },
{ "id": "3b55498e-47ec-484f-8136-9013221c06a9", "type": "Role" },
{ "id": "7b2449af-6ccd-4f4d-9f78-e550c193f0d1", "type": "Role" },
{ "id": "c97b873f-f59f-49aa-8a0e-52b32d762124", "type": "Role" },
{ "id": "5b567255-7703-4780-807c-7be8301ae99b", "type": "Role" },
{ "id": "2280dda6-0bfd-44ee-a2f4-cb867cfc4c1e", "type": "Role" },
{ "id": "660b7406-55f1-41ca-a0ed-0b035e182f3e", "type": "Role" },
{ "id": "df021288-bdef-4463-88db-98f22de89214", "type": "Role" },
{ "id": "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30", "type": "Role" }
- Haz clic en Grant admin consent for your organization.
Paso 3: Genera el secreto del cliente
- En el menú lateral, en Administrar, haz clic en Certificados y secretosNuevo secreto del cliente.
- Ingresa una descripción, selecciona un período de vencimiento y haz clic en Agregar.
- Copia el valor del secreto del cliente y guárdalo de forma segura. El valor se muestra solo una vez.
Paso 4: Recopila las credenciales de la aplicación
Importante: Almacena las credenciales de la aplicación de forma segura. Si se filtran las credenciales, los hackers podrían acceder a todos tus datos de Teams.
Haz clic en Descripción general y anota de forma segura las siguientes credenciales:
- ID de app (cliente)
- ID del directorio (inquilino)
Google, Google Workspace y las marcas y los logotipos relacionados son marcas de Google LLC. Todos los demás nombres de productos y empresas son marcas de las empresas con las que están asociados.