Follow these steps to create a Microsoft Azure application in the Azure portal. If you use the advanced data import method to copy Microsoft Teams data into your Google Workspace accounts, you need this Azure application so that the import can read the data securely. You can choose either of two methods:
- Use a PowerShell script to set up an automated connection
- Use Azure Active Directory to set up a manual connection
Use a PowerShell script to set up an automated connection
To complete these steps you must be a Global Administrator or a Privileged Role Administrator. The script checks for an active role assignment, so if your role is assigned through PIM, activate it before you start.
Option 1: use Azure Cloud Shell
- Sign in to the Azure portal as an administrator.
- Click Cloud Shell > PowerShell.
- If prompted, create a storage account and accept the default settings.
- To install the Microsoft Graph PowerShell module that the script uses, enter this command and press Enter:
```powershell
Install-Module Microsoft.Graph -Scope CurrentUser
```
- If you see a message asking whether to install from an untrusted repository, enter Y and press Enter.
- Copy the following code block, paste it into PowerShell and press Enter.
```powershell
<#
.SYNOPSIS
Automates the creation of a single-tenant Entra ID app for Workspace migration.
Strictly forces account selection and verifies specific admin roles.
#>

# Check whether the Microsoft Graph PowerShell SDK is missing.
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Authentication)) {
    Write-Host "Microsoft Graph module is NOT installed." -ForegroundColor Yellow
    $UserResponse = Read-Host "Would you like to try installing Microsoft Graph? (Y/N)"
    if ($UserResponse -ieq "Y") {
        try {
            # Use only native cmdlets, no .NET property setting.
            Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force -AllowClobber
            Write-Host "Installation complete!" -ForegroundColor Green
        } catch {
            Write-Error "Policy is blocking installation. Please contact IT to install the Microsoft.Graph module."
            Read-Host "Press Enter to exit"; exit
        }
    } else {
        exit
    }
} else {
    Write-Host "Microsoft Graph modules detected. Proceeding..." -ForegroundColor Green
}

# --- STEP 0: THE "DEEP" LOGOUT ---
Write-Host "Forcing session cleanup..." -ForegroundColor Gray
Disconnect-MgGraph -ErrorAction SilentlyContinue

# Force-clear the local token cache folder if it exists. $HOME resolves on both
# Windows and the Linux-based Cloud Shell ($env:USERPROFILE is Windows-only).
$CachePath = Join-Path $HOME ".mg"
if (Test-Path $CachePath) {
    try { Remove-Item $CachePath -Recurse -Force -ErrorAction SilentlyContinue } catch {}
}

Write-Host "Opening Microsoft Login... (Please select the correct account)" -ForegroundColor Cyan
# Delegated scopes needed to register the app and consent to its permissions.
$RequiredScopes = @(
    "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
    "Directory.Read.All",
    "RoleManagement.Read.Directory"
)

try {
    # In SDK v2, -ContextScope Process is the most reliable way to force account
    # selection and to keep the session from being saved on the machine.
    # If no browser can be opened (for example in Cloud Shell), add -UseDeviceCode.
    Connect-MgGraph -Scopes $RequiredScopes -ContextScope Process
    $Context = Get-MgContext
    if ($null -eq $Context) { throw "Login was cancelled or failed." }
    $UserPrincipal = $Context.Account
    Write-Host "Logged in as: $UserPrincipal" -ForegroundColor Green

    # --- ROLE VALIDATION ---
    # Only active directory role memberships are returned here; a PIM-eligible
    # role must be activated before running the script. Groups are filtered out
    # so that a group merely named "Global Administrator" cannot pass the check.
    Write-Host "Verifying Directory Roles..." -ForegroundColor Gray
    $UserRoles = Get-MgUserMemberOf -UserId $UserPrincipal -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }
    $Authorized = $false
    $RequiredRoles = @("Global Administrator", "Privileged Role Administrator")
    foreach ($role in $UserRoles) {
        $roleName = $role.AdditionalProperties.displayName
        if ($roleName -in $RequiredRoles) {
            $Authorized = $true
            Write-Host "Access Granted: $roleName" -ForegroundColor Green
            break
        }
    }
    if (-not $Authorized) {
        Write-Host "`nCRITICAL ERROR: Insufficient Privileges." -ForegroundColor Red
        Write-Host "Account must be 'Global Administrator' or 'Privileged Role Administrator'." -ForegroundColor Yellow
        Disconnect-MgGraph
        Read-Host "`nPress Enter to exit"; exit
    }
} catch {
    Write-Error "Login failed: $_"
    Read-Host "Press Enter to exit"; exit
}

# --- USER INPUT ---
Write-Host "`n--- APPLICATION SETUP ---" -ForegroundColor Cyan
$InputName = Read-Host "Enter the name for your new Entra ID Application (Default: Workspace Migration App)"
$AppName = if ([string]::IsNullOrWhiteSpace($InputName)) { "Workspace Migration App" } else { $InputName }

# --- CONFIGURATION ---
# Microsoft Graph application permissions (app roles) the migration needs. All are read-only.
$RequiredAppRoles = @(
    "Member.Read.Hidden",
    "Organization.Read.All",
    "ChannelMember.Read.All",
    "ChannelMessage.Read.All",
    "ChannelSettings.Read.All",
    "Group.Read.All",
    "Team.ReadBasic.All",
    "TeamMember.Read.All",
    "User.Read.All",
    "Application.Read.All"
)
$TenantId = $Context.TenantId
$GraphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph's well-known app ID

try {
    # --- STEP 1: REGISTER APPLICATION ---
    Write-Host "Creating Application: $AppName..." -ForegroundColor Cyan
    $Application = New-MgApplication -BodyParameter @{
        displayName    = $AppName
        signInAudience = "AzureADMyOrg"   # single-tenant: only this directory can sign in
    }

    # --- STEP 2: PREPARE SERVICE PRINCIPAL ---
    $NewServicePrincipal = New-MgServicePrincipal -BodyParameter @{ appId = $Application.AppId }
    Write-Host "Waiting 10 seconds for replication..." -ForegroundColor DarkGray
    Start-Sleep -Seconds 10

    # --- STEP 3: CONFIGURE & GRANT PERMISSIONS ---
    Write-Host "Configuring API Permissions & Granting Admin Consent..." -ForegroundColor Cyan
    $GraphSP = Get-MgServicePrincipal -Filter "AppId eq '$GraphAppId'" | Select-Object -First 1
    $ResourceAccessList = @()
    foreach ($RoleName in $RequiredAppRoles) {
        $Role = $GraphSP.AppRoles | Where-Object { $_.Value -eq $RoleName }
        if (-not $Role) {
            Write-Warning "App role '$RoleName' not found on the Microsoft Graph service principal; skipped."
            continue
        }
        $ResourceAccessList += @{ id = $Role.Id; type = "Role" }
        # Assigning the app role to the new service principal is what grants admin consent.
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $NewServicePrincipal.Id -BodyParameter @{
            principalId = $NewServicePrincipal.Id
            resourceId  = $GraphSP.Id
            appRoleId   = $Role.Id
        } | Out-Null
        Write-Host " - Granted: $RoleName" -ForegroundColor Gray
    }
    # Record the same permissions on the app registration (what the portal shows under API permissions).
    Update-MgApplication -ApplicationId $Application.Id -RequiredResourceAccess @(@{
        resourceAppId  = $GraphAppId
        resourceAccess = $ResourceAccessList
    })

    # --- STEP 4: CREATE CLIENT SECRET ---
    Write-Host "Generating Client Secret..." -ForegroundColor Cyan
    $ExpiryDate = (Get-Date).AddYears(2).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    $PasswordCred = Add-MgApplicationPassword -ApplicationId $Application.Id -BodyParameter @{
        passwordCredential = @{
            displayName = "MigrationToolSecret"
            endDateTime = $ExpiryDate
        }
    }

    # --- OUTPUT ---
    Write-Host "`n-------------------------------------------------------" -ForegroundColor Yellow
    Write-Host " SETUP COMPLETE - SAVE THESE DETAILS" -ForegroundColor Yellow
    Write-Host "-------------------------------------------------------" -ForegroundColor Yellow
    Write-Host "Application Name        : $AppName"
    Write-Host "Application (Client) ID : $($Application.AppId)"
    Write-Host "Client Secret Value     : $($PasswordCred.SecretText)"
    Write-Host "Directory (Tenant) ID   : $TenantId"
    Write-Warning "IMPORTANT: Copy the Client Secret Value immediately. It is shown only once."
} catch {
    Write-Error "Operation failed: $_"
}

# --- FINAL DISCONNECT ---
Disconnect-MgGraph
Read-Host "`nPress Enter to close this window"
```
- Note the following credentials and store them securely, for example in a secrets manager. The client secret is shown only once and is printed to the console, so clear the terminal after you copy it. If the credentials leak, an attacker could read all of your Teams data with them.
  - Client secret
  - Application (client) ID
  - Directory (tenant) ID
Option 2: use Windows PowerShell
- In Windows, create a new plain text file and name it migration_app_creator.ps1.
- Copy the script shown under Option 1 (both options use the same script), paste it into the new file and save it. Then right-click the file and click Run with PowerShell.
- Note the following credentials and store them securely. The client secret is shown only once. If the credentials leak, an attacker could read all of your Teams data with them.
  - Client secret
  - Application (client) ID
  - Directory (tenant) ID
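Before you hand the three values to the import tool, it is worth confirming that they work and that the app carries exactly the permissions listed on this page and nothing more. The following script is an added example and is not part of the page's own script: it requests an app-only access token with the OAuth 2.0 client credentials grant from the v2.0 token endpoint and reads the roles claim inside the returned JWT, which lists the application permissions that have actually been consented. The parameter names and the expected-role list are the example's own choices; the secret is read as a SecureString so it is masked at the prompt and stays out of shell history.

```powershell
<#
Added example (not part of the page's own script): verify the Client secret,
Application (client) ID and Directory (tenant) ID by requesting an app-only
token and checking which Microsoft Graph application permissions it carries.
Assumptions: outbound HTTPS to login.microsoftonline.com is allowed; the
parameter names and the expected-role list are the example's own choice.
#>
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    # SecureString: masked at the prompt, not written to the command history.
    [Parameter(Mandatory)] [System.Security.SecureString] $ClientSecret
)

# The application permissions this page asks for; anything beyond these is over-privilege.
$ExpectedRoles = @(
    "Application.Read.All", "ChannelMember.Read.All", "ChannelMessage.Read.All",
    "ChannelSettings.Read.All", "Group.Read.All", "Member.Read.Hidden",
    "Organization.Read.All", "Team.ReadBasic.All", "TeamMember.Read.All", "User.Read.All"
)

# Decode one base64url-encoded JWT segment (header or payload) into an object.
function ConvertFrom-JwtSegment {
    param([Parameter(Mandatory)] [string] $Segment)
    $s = $Segment.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s)) | ConvertFrom-Json
}

# OAuth 2.0 client credentials grant: no user is involved, the app authenticates as itself.
$Plain = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
try {
    $Token = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType "application/x-www-form-urlencoded" `
        -Body @{
            client_id     = $ClientId
            client_secret = $Plain
            scope         = "https://graph.microsoft.com/.default"
            grant_type    = "client_credentials"
        }
} finally {
    $Plain = $null   # do not keep the plaintext secret in memory longer than needed
}

# The access token is a JWT; its payload lists the consented app roles under "roles".
$Claims  = ConvertFrom-JwtSegment ($Token.access_token.Split('.')[1])
$Granted = @($Claims.roles | Where-Object { $_ })
# v1-format tokens carry the caller in "appid", v2-format tokens in "azp".
$AppIdClaim = if ($Claims.appid) { $Claims.appid } else { $Claims.azp }

$Problems = @()
if ($Claims.tid -ne $TenantId)  { $Problems += "token issued for tenant $($Claims.tid), expected $TenantId" }
if ($AppIdClaim -ne $ClientId)  { $Problems += "token issued to app $AppIdClaim, expected $ClientId" }
foreach ($r in $ExpectedRoles) {
    if ($r -notin $Granted) { $Problems += "missing permission: $r (admin consent not granted, or not replicated yet)" }
}
foreach ($r in $Granted) {
    if ($r -notin $ExpectedRoles) { $Problems += "unexpected permission: $r (remove it; the import does not need it)" }
}

if ($Problems.Count -eq 0) {
    Write-Host "OK: credentials valid; token carries exactly the $($ExpectedRoles.Count) expected permissions." -ForegroundColor Green
    exit 0
}
$Problems | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it as `.\Test-MigrationAppToken.ps1 -TenantId <id> -ClientId <id>` and paste the secret at the masked prompt. A missing permission immediately after creation is usually consent that has not replicated yet; an unexpected one is worth removing before the migration starts, since any leak of this secret exposes everything the token can reach.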
Use Azure Active Directory to set up a manual connection
Microsoft's exact steps can vary with the version of the Azure portal and with changes Microsoft makes (Azure Active Directory is now branded Microsoft Entra ID). For the latest guidance on registering and authorizing apps, see Microsoft's documentation.
Step 1: register a new application
For security reasons, we recommend registering the new application as single-tenant, so that only accounts in your own directory can obtain tokens for it.
- Sign in to the Azure portal as an administrator.
- In Azure Active Directory (Azure AD), go to App registrations.
- Click New registration and enter a name for the application (for example, Advanced import app).
- Under Supported account types, click Accounts in this organizational directory only to create a single-tenant application.
- Click Register.
Step 2: configure API permissions
Choose one of the following options:
Option 1: add the permissions manually
- In the side panel, under Manage, click API permissions.
- Click Add a permission > Microsoft APIs > Microsoft Graph.
- Click Application permissions (not Delegated permissions: the import runs as the app itself, with no signed-in user) and select:
- Application.Read.All
- ChannelMember.Read.All
- ChannelMessage.Read.All
- ChannelSettings.Read.All
- Group.Read.All
- Member.Read.Hidden
- Organization.Read.All
- Team.ReadBasic.All
- TeamMember.Read.All
- User.Read.All
- Click Grant admin consent for your organization. Until consent is granted, the permissions are only requested, not effective.
Option 2: edit the application manifest
- Open the application manifest.
- Find the "requiredResourceAccess" array. Each entry pairs a "resourceAppId" with a "resourceAccess" list; Microsoft Graph's resourceAppId is 00000003-0000-0000-c000-000000000000. Choose an option:
  - If an entry for Microsoft Graph already exists, add a comma after the last item of its "resourceAccess" array and paste only the ten objects from inside "resourceAccess" below.
  - If there is no entry for Microsoft Graph, paste the whole block below as a new entry in "requiredResourceAccess".
```json
{
  "resourceAppId": "00000003-0000-0000-c000-000000000000",
  "resourceAccess": [
    { "id": "658aa5d8-239f-45c4-aa12-864f4fc7e490", "type": "Role" },
    { "id": "498476ce-e0fe-48b0-b801-37ba7e2685c6", "type": "Role" },
    { "id": "3b55498e-47ec-484f-8136-9013221c06a9", "type": "Role" },
    { "id": "7b2449af-6ccd-4f4d-9f78-e550c193f0d1", "type": "Role" },
    { "id": "c97b873f-f59f-49aa-8a0e-52b32d762124", "type": "Role" },
    { "id": "5b567255-7703-4780-807c-7be8301ae99b", "type": "Role" },
    { "id": "2280dda6-0bfd-44ee-a2f4-cb867cfc4c1e", "type": "Role" },
    { "id": "660b7406-55f1-41ca-a0ed-0b035e182f3e", "type": "Role" },
    { "id": "df021288-bdef-4463-88db-98f22de89214", "type": "Role" },
    { "id": "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30", "type": "Role" }
  ]
}
```
The ten IDs are the Microsoft Graph application permissions (app roles) listed under Option 1, in this order: Member.Read.Hidden, Organization.Read.All, ChannelMember.Read.All, ChannelMessage.Read.All, ChannelSettings.Read.All, Group.Read.All, Team.ReadBasic.All, TeamMember.Read.All, User.Read.All, Application.Read.All. "type": "Role" marks each one as an application permission; "Scope" would make it a delegated permission, which the import does not use.
- Save the manifest, then open API permissions and click Grant admin consent for your organization.
Step 3: generate the client secret
- In the side panel, under Manage, click Certificates & secrets > New client secret.
- Enter a description, select an expiry period and click Add. Choose the shortest period that covers the migration; you can delete the secret as soon as the import is finished.
- Copy the client secret value and store it securely. The value is shown only once.
Step 4: collect the application credentials
Important: store the application credentials securely. If the credentials leak, an attacker could read all of your Teams data with them.
Click Overview and securely note the following credentials:
- Application (client) ID
- Directory (tenant) ID
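Whichever method you used, the registration you end up with should be single-tenant, carry only the ten read-only application permissions from Step 2, hold no delegated grants and have a single, short-lived secret. The script below is an added example, not part of this page's procedure: it reads the registration and its service principal through Microsoft Graph and reports every deviation from those expectations, resolving the consented app role IDs (the same GUIDs that appear in the manifest) back to their names. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Applications modules are installed and that the signed-in account can read applications; the parameter names, the secret lifetime threshold and the expected-role list are the example's own.

```powershell
<#
Added example (not part of the page's procedure): audit an existing app
registration against the expectations on this page before handing its
credentials to the migration tool. Assumes Microsoft.Graph.Authentication and
Microsoft.Graph.Applications are installed; parameter names, the lifetime
threshold and the expected-role list are the example's own choices.
#>
param(
    [Parameter(Mandatory)] [string] $ClientId,     # Application (client) ID
    [int] $MaxSecretLifetimeDays = 730             # flag secrets valid longer than this
)

$ExpectedRoles = @(
    "Application.Read.All", "ChannelMember.Read.All", "ChannelMessage.Read.All",
    "ChannelSettings.Read.All", "Group.Read.All", "Member.Read.Hidden",
    "Organization.Read.All", "Team.ReadBasic.All", "TeamMember.Read.All", "User.Read.All"
)
$GraphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph's well-known app ID

# Read-only scopes are enough for an audit; -ContextScope Process keeps nothing cached.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -ContextScope Process -NoWelcome

$App = Get-MgApplication -Filter "appId eq '$ClientId'" | Select-Object -First 1
if (-not $App) { throw "No application registration with appId $ClientId" }
$Sp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'" | Select-Object -First 1
if (-not $Sp) { throw "No service principal for appId $ClientId; admin consent cannot have been granted yet" }
$GraphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'" | Select-Object -First 1

# Map Graph app role IDs (the GUIDs seen in the manifest) back to their names.
$RoleNameById = @{}
foreach ($r in $GraphSp.AppRoles) { $RoleNameById[[string]$r.Id] = $r.Value }

$Findings = @()

# 1. Audience: only AzureADMyOrg limits token issuance to this directory.
if ($App.SignInAudience -ne "AzureADMyOrg") {
    $Findings += "signInAudience is '$($App.SignInAudience)'; expected AzureADMyOrg (single-tenant)"
}

# 2. Effective permissions are the app role assignments on the service principal,
#    not the requested permissions stored in the manifest.
$Granted = @(foreach ($a in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Sp.Id -All)) {
    if ($a.ResourceId -eq $GraphSp.Id) { $RoleNameById[[string]$a.AppRoleId] }
    else { "<app role $($a.AppRoleId) on $($a.ResourceDisplayName)>" }
})
foreach ($m in $ExpectedRoles) { if ($m -notin $Granted) { $Findings += "missing consent: $m" } }
foreach ($x in $Granted)       { if ($x -notin $ExpectedRoles) { $Findings += "unexpected permission granted: $x" } }

# 3. Delegated grants: the import runs app-only, so there should be none.
$Delegated = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $Sp.Id -All
if ($Delegated) {
    $Findings += "delegated permission grants present: $(($Delegated | ForEach-Object Scope) -join '; ')"
}

# 4. Secrets: expired ones are clutter, long-lived ones widen the exposure window,
#    and several active ones make a leaked secret harder to rotate away.
$Now = (Get-Date).ToUniversalTime()
$Active = 0
foreach ($c in $App.PasswordCredentials) {
    if ($null -eq $c.EndDateTime) { $Findings += "secret '$($c.DisplayName)' has no expiry"; $Active++; continue }
    $Days = ($c.EndDateTime.ToUniversalTime() - $Now).TotalDays
    if ($Days -lt 0) { $Findings += "secret '$($c.DisplayName)' expired $([int](-$Days)) days ago; remove it"; continue }
    $Active++
    if ($Days -gt $MaxSecretLifetimeDays) {
        $Findings += "secret '$($c.DisplayName)' valid for $([int]$Days) more days (limit $MaxSecretLifetimeDays)"
    }
}
if ($Active -gt 1) { $Findings += "$Active active secrets; keep only the one the import tool uses" }

# 5. Redirect URIs and public-client flows are not needed for app-only access.
if ($App.Web.RedirectUris -or $App.PublicClient.RedirectUris -or $App.IsFallbackPublicClient) {
    $Findings += "redirect URIs or public-client flow configured; not needed for an app-only import"
}

Disconnect-MgGraph | Out-Null

if ($Findings.Count -eq 0) {
    Write-Host "OK: '$($App.DisplayName)' matches the expected configuration." -ForegroundColor Green
    exit 0
}
$Findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it as `.\Audit-MigrationApp.ps1 -ClientId <Application (client) ID>`. The check in section 2 deliberately reads the service principal's app role assignments rather than the manifest: the manifest records what was requested, and only the assignments show what an administrator has actually consented to. Rerun the audit after the migration to confirm the registration has been deleted or its secret removed.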
Google, Google Workspace and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.