Installing and configuring the Teams Connector in Azure

You need to specify a range of PowerShell variables that are used during the installation process.

We recommend that you save these variables as a separate initialization script that you can reuse (and subsequently update if necessary). This will make it easier if you have to abort and restart the installation for any reason, or if you redeploy or upgrade your Teams Connector in the future.

You must replace the example values set in the variables with the real values for your deployment.

If you are deploying a Teams Connector in multiple regions, create a separate initialization script for each region, changing the relevant region-specific variables as appropriate. Save each region-specific version of your script in a safe place.

The PowerShell variables initialization script is listed below.

Note that this script does not produce any output. It only sets some variables for subsequent use in the installation script.

# Powershell variables
# Set the following variables for ease of use of the subsequent commands - if starting a new window, just re-set these variables.

# Size of the virtual machines in the Virtual Machine Scale Set
# Possible choices: Standard_D4s_v5, Standard_D4as_v5, Standard_F4s
# Default: Standard_D4s_v5
$PxAzureVmSize = "Standard_D4s_v5"

# Name prefix for all Teams Connector resources, e.g. company name.
# PxBaseConnName can have a maximum of 9 characters
# PxBaseConnName + PxVmssRegion must be minimum 3 and maximum 14 chars when combined
# It has to begin with a letter and cannot contain dashes, spaces or other non a-z0-9 chars.
$PxBaseConnName = "yourname" # replace with your company name

# Freetext region shortname (2-4 characters, no dashes, only use a-z) to separate regional deployments and/or
# to differentiate between deployment versions if you are following a blue-green deployment strategy
$PxVmssRegion = "eu"

# Hostname of Teams Connector in Azure - Must match name in pfx certificate below
# You need a different hostname for each region
$PxTeamsConnFqdn = "pexip-teamsconn-eu.teams.example.com"

# Conference or Edge node pool (must be reachable from Teams Connector in Azure)
# This name must exist in the certificate presented by the Pexip nodes
# Example 1) Multiple individual Edge nodes
# $PxNodeFqdns = "us-pxedge01.vc.example.com,us-pxedge01.vc.example.com"
# Example 2) Certificate with SAN names, this name is in the cert presented by all nodes
$PxNodeFqdns = "pxedge.vc.example.com"

# Azure Subscription ID for Pexip Teams Connector deployment (GUID)
$PxSubscriptionId = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Azure Region (must be a supported region) in lower case
$PxAzureLocation = "westeurope"

# Username for the Windows VM accounts. Specifies the name of the administrator account.
# Windows-only restriction: Cannot end in "."
# Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1",
# "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner",
# "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5", "1".
# It must be between 1 and 20 characters long
$PxWinAdminUser = "pexadmin"

# Password for the Windows VM administrator account
# Skip this step (setting the password) if you want to specify the password
# later from within the installation script (via Get-Credential)
# The password must include at least 3 of the following: 1 lower case character,
# 1 upper case character, 1 number, 1 special character that is not "\" or "-" or "$"
# It must be between 8 and 123 characters
# It must not include unsupported characters or reserved words (including "abc@123", "P@$$w0rd", "P@ssw0rd",
# "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!")
$PxWinAdminPassword = "ReplaceThisPassword!" # Password for Windows account

# Number of Teams Connector VMs (string "1"-"100")
$PxTeamsConnInstanceCount = "3"

# Setting the dynamic regional resource group name
$PxTeamsConnResourceGroupName = "$($PxBaseConnName)-TeamsConn-$($PxVmssRegion)-RG"

# Setting the static regional resource group name
$PxTeamsConnStaticResourceGroupName = "$($PxBaseConnName)-TeamsConn-$($PxVmssRegion)-static-RG"

# Setting the Azure bot resource group name
$PxBotResourceGroupName = "$($PxBaseConnName)-TeamsBot-RG"

# Enable incident reporting
$PxTeamsConnIncidentReporting = $true

# Wildcard, SAN or single name cert for FQDN of Teams Connector (PxTeamsConnServiceFQDN),
# the PFX must contain the intermediate chain as well.
$PxPfxCertFileName = ".\your_connector_certificate.pfx"

# Public-facing IP address of management networks – used for RDP access
# If not specified (default) – RDP is always blocked
# Any security scans should not come from these IPs
# Example:
# x.x.x.x - Management IP address #1
# y.y.y.y - Management IP address #2
# z.z.z.0/24 - Management subnet
# $PxMgmtSrcAddrPrefixes = @( "x.x.x.x", "y.y.y.y", "z.z.z.0/24" )
$PxMgmtSrcAddrPrefixes = @()

# Pexip public facing Conferencing / Edge node IP addresses
# If not specified (default) – HTTPS access is always enabled
#
# Example Pexip Edge nodes public IP source ports:
# a.a.a.a - IP of us-pxedge01.vc.example.com
# c.c.c.0/28 – IP subnet of eu-pxedges (allows for future expansion)
#
# Example (specifying Pexip Edge nodes and Management networks defined above):
# $PxNodesSourceAddressPrefixes = @( "a.a.a.a", "c.c.c.0/28" ) + $PxMgmtSrcAddrPrefixes
$PxNodesSourceAddressPrefixes = @()

# These are the IPs/subnets that are allowed to access the Admin Consent web page.
# If not specified it is exposed/public by default. If left exposed then anyone accessing this web page can
# see the company's app IDs. You can alternatively stop the app service after granting consent.
# The page URL is in the form: https://$PxBaseConnName-pexip-cvi-abcde.azurewebsites.net/
#
# Example (specifying the Pexip management networks defined above):
# $PxConsentSourceAddressPrefixes = $PxMgmtSrcAddrPrefixes
$PxConsentSourceAddressPrefixes = @()

# Schedule installation of Windows updates to a specific day.
# String in range "0"-"7".
# "0" = Every day. "1" through "7" = The days of the week from Sunday ("1") to Saturday ("7")
$PxWupdScheduledInstallDay = "1"

# Schedule update installation time to a specific hour (UTC)
# String in range = "0"-"23" starts with 12 AM ("0") and ends with 11 PM ("23")
$PxWupdScheduledInstallTime = "22"

# Set active hours to start at a specific hour (UTC)
# If the restart is needed to finish update installation, it won't take place during the active hours.
# String in range = "0"-"23" starts with 12 AM ("0") and ends with 11 PM ("23")
$PxWupdActiveHoursStart = "6"

# Set active hours to end at a specific hour (UTC)
# Time between Active hours start and end is limited to 18 hours. Script stops if this is not the case.
# String in range = "0"-"23" starts with 12 AM ("0") and ends with 11 PM ("23")
$PxWupdActiveHoursEnd = "22"

# Do you want to allow Microsoft to track and report to Pexip the Azure usage associated with this deployment?
# You must set $PxCustomerUsageAttribution to either $true (allow reporting) or $false (no reporting)
$PxCustomerUsageAttribution = <replace with $true or $false>

# Optional tags (name-value pairs) to apply to Azure resources and resource groups
# For example $tags= @{"ResourceOwner"="user@domain"; "CostCenter"="Video Services";}
$tags= @{}

# Teams Connector API app ID - update this with the API App ID that is created during the installation process
# If you are deploying in multiple regions you will have a different App ID per region
$TeamsConnectorApiApplicationId = ""

# If set to $true, the Azure functions apps are deployed using dedicated function app plan.
# This incurs additional charges, but allows for advanced networking configuration and increased stability.
$FunctionsDedicatedHostingPlan = $false

# IP addresses of the Pexip Management Node / NAT gateway that can communicate with the Teams Connector Event
# Hub over port 5671.
# This only applies if used together with dedicated functions and VNet integration: 
# (parameter FunctionsDedicatedHostingPlan and parameter VnetIntegration).
# These addresses can also be added after the deployment.
# Example: Pexip Management Node public IP address or NAT address:
# x.x.x.x    - IP of mgr.vc.example.com
# z.z.z.0/24 - IP subnet of mgr.vc.example.com
$EventHubSourceAddressPrefixes = @()

# If set to $true, certain resources (key vault, storage accounts and event hubs) will be
# accessible via virtual network instead of public endpoint.
# (With the exception of the Event hub -> Management Node connection.)
# This only applies if used together with dedicated functions (parameter FunctionsDedicatedHostingPlan).
$VnetIntegration = $false

# Set to $true if your organization participates in Microsoft's Azure Hybrid Benefit scheme
$PxUseAzureHybridBenefit = $false

# The FQDN of the Teams Connector from the perspective of Pexip Infinity — it must match the name in
# the Connector's PFX certificate.
# If the Teams Connector sits behind an additional proxy, this should be set to the FQDN of that proxy.
# If not set it defaults to TeamsConnectorFqdn ($PxTeamsConnFqdn), which is normally correct.
$PexipConfiguredConnectorFqdn = ""

# This is used for Microsoft Teams Rooms SIP/H.323 calling.
# Set it to the DNS name of the nodes to target when dialing out to Pexip Infinity from a Teams Room.
# It should represent all external nodes and could be either round-robin DNS, a reverse proxy, or
# anything else that load balances across Pexip Infinity.
$PexipOutboundFqdn = ""

# Optional setting. Contains the resource ID of an existing (pre-created) VNET.
# Referencing a VNET in a different subscription is not supported.
# You must use the script create_vnet_deployment.ps1 to create this VNET.
$PxExistingVNETResourceId = ""

# If set to $true, an additional internal load balancer is created (to support private routing).
# VNET peering must be enabled between the Infinity VNET and the Teams Connector's VNET.
# When Infinity is deployed in Azure, it allows traffic to be routed between Infinity and the
# Teams Connector through Microsoft's private network only.
$PxUsePrivateRouting = $false

The initialization script contains the following variables. If you are deploying a Teams Connector in multiple regions, each version of your script per region should use a different value for those variables ticked as Regional.

Variable name	Description and example usage	Regional
$PxAzureVmSize	This specifies the type/size of the virtual machines in the Virtual Machine Scale Set (VMSS). Each instance type has the same call capacity. See Preparing your Azure environment, regions, instance type, and capacity planning for more information. The options are: Standard_D4s_v5, Standard_D4as_v5, Standard_F4s. Default: Standard_D4s_v5
$PxBaseConnName	This is a prefix used when naming all Teams Connector resources. We recommend using your own company name. PxBaseConnName can have a maximum of 9 characters, and PxBaseConnName + PxVmssRegion must be a minimum 3 and maximum 14 characters when combined. It cannot contain dashes, spaces or other non a-z0-9 characters, and must start with an alphabetic character. Note that if you are setting up multiple test environments within the same Azure subscription, ensure that each Teams Connector deployment has a unique $PxBaseConnName.
$PxVmssRegion	A short (we recommend 2-8 characters) name to differentiate resource names in your deployments: It can be used to represent the region in which you are deploying the Teams Connector, for example, "eu". This will help in your naming convention if you deploy the Teams Connector in multiple regions. You can also use this variable to name your deployments if you are following a blue-green deployment strategy, for example "blue". If you have multiple regions and are also following a blue-green strategy then just combine the two names, for example "eublue". It cannot contain dashes, spaces or other non a-z0-9 characters.
$PxTeamsConnFqdn	The hostname of the Teams Connector, for example "pexip-teamsconn-eu.teams.example.com". This name must match the subject name in the PFX certificate specified in $PxPfxCertFileName. If you are installing multiple Teams Connectors in different regions you must use a different hostname for each region. This is also the name you will configure in Pexip Infinity (Call control > Microsoft Teams Connectors > Address of Teams Connector) later in the process.
$PxNodeFqdns	The pool name or names of the Conferencing Nodes (typically Proxying Edge Nodes) that will communicate with the Teams Connector. This can be a comma-separated list. The name(s) specified here must exist in the certificate presented by those Conferencing Nodes. These names cannot include wildcard characters. See Ensuring Conferencing Nodes have suitable certificates for more information.	(typically)
$PxSubscriptionId	The Azure Subscription ID for your Teams Connector installation and Azure bot resource. This takes the GUID format "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee".
$PxAzureLocation	The name of the Azure region into which you are deploying the Teams Connector, for example "westeurope", "southcentralus" etc. as per the RegionName in Decide Azure deployment region(s) and instance type.
$PxWinAdminUser	The account username for the Windows VMs that will be created in Azure. You may need this for RDP login when troubleshooting. See this Microsoft article for username requirements.
$PxWinAdminPassword	The account password for the Windows Teams Connector VMs that will be created in Azure. If you don't want to store the password in the variables script, you can skip this step and specify the password later from within the installation script (via Get-Credential cmdlet). The password must: include at least 3 of the following: 1 lower case character 1 upper case character 1 number 1 special character that is not "\" or "-" or "$" be between 8 and 123 characters long (must have a minimum of 14 characters in GCC High / Azure US Government Cloud deployments) not include reserved words or unsupported characters.
$PxTeamsConnInstanceCount	The number of Teams Connector instances (VMs) to deploy. A string in the range "1"-"100", for example "3". Each instance can handle approximately 10 VTC connections into Teams meetings. You can easily modify the number of instances via the Azure portal after installation of the Teams Connector, to reflect changing capacity requirements.
$PxTeamsConnResourceGroupName	The regional resource group name for dynamic VMSS resources. We recommend setting this variable to a concatenated combination of the first two variables plus some additional text, for example: $PxTeamsConnResourceGroupName = "$($PxBaseConnName)-TeamsConn-$($PxVmssRegion)-RG" which, in our examples, would generate a resource group name of pexip-TeamsConn-eu-RG.
$PxTeamsConnStaticResourceGroupName	The static regional resource group name. This stores static resources such as name and address information for the load balancer, and the Azure Key Vault. It should follow the same pattern as the previous variable ($PxTeamsConnResourceGroupName), and be set to a concatenated combination of the first two variables plus some additional text, for example: $PxTeamsConnStaticResourceGroupName = "$($PxBaseConnName)-TeamsConn-$($PxVmssRegion)-static-RG" which, in our examples, would generate a static resource group name of pexip-TeamsConn-eu-static-RG. This is the resource group that must be created before running the installation script (see Create the resource groups).
$PxBotResourceGroupName	The Azure bot resource group name. It should follow the same pattern as the other resource group names. We recommend: $PxBotResourceGroupName = "$($PxBaseConnName)-TeamsBot-RG"
$PxTeamsConnIncidentReporting	When this feature is enabled, incident reports are sent automatically to a secure web server owned and managed by Pexip. The options are $true to enable incident reporting or $false to disable reporting. We recommend keeping this enabled.
$PxPfxCertFileName	The filename of the PFX certificate file to upload to the Teams Connector. See Obtaining and preparing the TLS certificate for the Teams Connector for more information.
$PxMgmtSrcAddrPrefixes	Specifies the public-facing IP addresses of any management workstations/networks that may be required to administer the Teams Connector instances over RDP. Any addresses specified here are added into the Azure Network Security Group "RDP" rule that is assigned to the Teams Connector instances to allow RDP access to those instances from those addresses. You should not perform any security scans from these addresses. For example to allow RDP access from: x.x.x.x Management IP address #1 y.y.y.y Management IP address #2 z.z.z.0/24 Management subnet you would specify $PxMgmtSrcAddrPrefixes = @( "x.x.x.x", "y.y.y.y", "z.z.z.0/24" ) If no addresses are specified i.e. $PxMgmtSrcAddrPrefixes = @( ) then all RDP access is blocked and can only be enabled in the future by specifying a value for this variable and redeploying.
$PxNodesSourceAddressPrefixes	Specifies the public IP addresses of the Conferencing Nodes (typically Proxying Edge Nodes) that can communicate with the Teams Connector instances over port 443 (https). This is used to populate the Azure Network Security Group "MCU-signalling-endpoint" rule. For example, if these are the public addresses of your Pexip Conferencing Nodes: a.a.a.a - IP of us-pxedge01.vc.example.com c.c.c.0/28 – IP subnet of eu-pxedges (allows for future expansion) you would specify: $PxNodesSourceAddressPrefixes = @( "a.a.a.a", "c.c.c.0/28" ) + $PxMgmtSrcAddrPrefixes which sets the variable to the addresses of your Conferencing Nodes plus the IP addresses of any management workstations/networks (as specified in the previous variable). If no addresses are specified i.e. $PxNodesSourceAddressPrefixes = @( ) then anything can connect via https to the Teams Connector instances.	(typically)
$PxConsentSourceAddressPrefixes	Specifies the external IP address (as seen from the Teams Connector's perspective) of the workstation / management network that will provide consent for the Pexip CVI app to access Microsoft Teams in the Office 365 tenant. If not specified, the consent page is exposed/public by default. If left exposed then anyone accessing this page can see the company's app IDs. As an alternative to restricting access, you can stop the Azure app service after granting consent (the app service is in the <prefix>-TeamsBot-RG resource group). The URL of the consent page is in the form: https://<prefix>-pexip-cvi-abcde.azurewebsites.net/. For example, to use the Pexip management networks defined above you would specify: $PxConsentSourceAddressPrefixes = $PxMgmtSrcAddrPrefixes Alternatively, you can specify specific addresses in the same way as shown above when defining the values for $PxNodesSourceAddressPrefixes. If no addresses are specified i.e. $PxConsentSourceAddressPrefixes = @( ) then anything can connect via https to the consent page.
$PxWupdScheduledInstallDay	Schedules the installation of Windows updates (everything that applies to Windows Server 2016) to a specific day. A string in the range "0"-"7" where "0" = every day and "1" through "7" are the days of the week from Sunday ("1") to Saturday ("7"). Default = "1" (Sunday) Example: $PxWupdScheduledInstallDay = "1"
$PxWupdScheduledInstallTime	Schedules the Windows update installation time to a specific hour (UTC). A string in the range "0"-"23" starting with 12 AM ("0") and ending with 11 PM ("23"). Default = "22" (10 PM) Example: $PxWupdScheduledInstallTime = "22"
$PxWupdActiveHoursStart	Sets the active (business) hours to start at a specific hour (UTC). If a restart is needed to finish a Windows update, it won't take place during the active hours. A string in the range "0"-"23" starting with 12 AM ("0") and ending with 11 PM ("23"). Default = "6" (6 AM) Example: $PxWupdActiveHoursStart = "6"
$PxWupdActiveHoursEnd	Sets active (business) hours to end at a specific hour (UTC). The time between Active hours start and Active hours end is limited to a maximum of 18 hours. The script stops if this is not the case. A string in the range "0"-"23" starting with 12 AM ("0") and ending with 11 PM ("23"). Default = "22" (10 PM) Example: $PxWupdActiveHoursEnd = "22"
$PxCustomerUsageAttribution	Controls whether Microsoft tracks and reports to Pexip the Azure usage that is associated with your deployment of Pexip software. When enabled, Microsoft can identify the installation of Pexip software and correlate the Azure resources that are used to support that software. Microsoft collects this information to provide the best experiences with their products and to operate their business. The data is collected and governed by Microsoft's privacy policies, which can be found at https://www.microsoft.com/trustcenter. The data made visible to Pexip is controlled by Microsoft, and as of April 2019 includes usage and spend on all of the Azure resources associated with your Teams Connector. You can also track your usage of resources within the Azure portal. To enable usage tracking and reporting to Pexip, use: $PxCustomerUsageAttribution = $true To disable usage tracking and reporting to Pexip, use: $PxCustomerUsageAttribution = $false You must set the $PxCustomerUsageAttribution variable to either $true or $false otherwise the installation will not complete.
$tags	You can optionally specify a set of tags (name-value pairs) to apply to the Azure resources and resource groups that are created for the Teams Connector. For example, to apply a tag named "ResourceOwner" with a value of "user@domain" and a second tag named "CostCenter" with a value of "Video Services" you would use: $tags= @{"ResourceOwner"="user@domain"; "CostCenter"="Video Services";} To not apply any tags, leave the variable set to an empty hash table: $tags= @{}
$TeamsConnectorApiApplicationId	The ID of the Microsoft Entra ID application that is used to secure requests to the Teams Connector APIs. It is created during the installation process as described below at Create the Teams Connector API app, and you should then set this variable to the ID generated by that process. If you are deploying in multiple regions you'll have a different API App ID per region.
$FunctionsDedicatedHostingPlan	If set to $true, the Azure functions apps are deployed using a dedicated function app plan. This incurs additional charges, but allows for advanced networking configuration and increased stability. Set it to $false if you do not want to use dedicated functions.
$EventHubSourceAddressPrefixes	Specifies the IP addresses of the Pexip Management Node / NAT gateway that can communicate with the Teams Connector Event Hub over port 5671. This only applies if used together with dedicated functions and VNet integration (parameter FunctionsDedicatedHostingPlan and parameter VnetIntegration). These addresses can also be added after the deployment. For example to allow access from: x.x.x.x Management IP address #1 y.y.y.y Management IP address #2 z.z.z.0/24 Management subnet you would specify $EventHubSourceAddressPrefixes = @( "x.x.x.x", "y.y.y.y", "z.z.z.0/24" ) Specify $EventHubSourceAddressPrefixes = @() if you are not using these features.
$VnetIntegration	If set to $true, certain resources (Key Vault, storage accounts and Event Hubs) will be accessible via the virtual network instead of public endpoint (with the exception of the Event Hub to Management Node connection). It only applies if used together with dedicated functions (parameter FunctionsDedicatedHostingPlan). Set it to $false if you do not want to use VNet integration.
$PxUseAzureHybridBenefit	Set this option to $true if your organization uses Azure Hybrid Benefit and you want to take advantage of this licensing for your Teams Connector virtual machines. For more information, see Microsoft's website. By default this is $false
$PexipConfiguredConnectorFqdn	This is used for Microsoft Teams Rooms SIP/H.323 calling, and is typically only required in advanced deployments, otherwise it can be left blank (""). Set it to the FQDN of the Teams Connector from the perspective of Pexip Infinity — it must match the name in the Teams Connector's PFX certificate. If the Teams Connector sits behind an additional proxy, such as an Azure Traffic Manager, this should be set to the FQDN of that proxy. If not set it defaults to TeamsConnectorFqdn ($PxTeamsConnFqdn), which is normally suitable for most standard deployments.
$PexipOutboundFqdn	This is used for Microsoft Teams Rooms SIP/H.323 calling. Set it to the DNS name of the Conferencing Nodes to target when dialing out to Pexip Infinity from a Teams Room. It should represent all external nodes and could be either round-robin DNS, a reverse proxy, or anything else that load balances across Pexip Infinity. These nodes must be reachable from the Teams Connector in Azure. A value only needs to be assigned if MTR calling is needed, otherwise it can be left blank ("").
$PxExistingVNETResourceId	This is an optional variable. It contains the resource ID of an existing (pre-created) VNET and is used for referring to a custom VNET or for private routing. Default = "" See Using a custom VNET with the Teams Connector and Using private routing with the Teams Connector for more information.
$PxUsePrivateRouting	If set to $true, an additional internal load balancer is created (to support private routing). Default = $false See Using private routing with the Teams Connector for more information.

Please skip this section if you are following a standard deployment model.

If this is a GCC High / Azure US Government Cloud deployment, and you are using the CIS STIG image, there are some additional steps required to enable the image in Azure.

Note that using the CIS STIG image is optional, but typical, in GCC High deployments. If you do not want to use a STIG image you can skip this section and also remove the VmImage switch from the installation script.

1. Verify that the CIS image is available in your subscription:

   • Run the following command:

     Get-AzVMImage -Location "USGovTexas" -PublisherName "center-for-internet-security-inc" -Offer "cis-windows-server" -Skus "cis-windows-server2019-stig-gen1"

2. Accept terms for the STIG image:

   • Run the following commands:

     $agreementTerms = Get-AzMarketplaceterms -Publisher "center-for-internet-security-inc" -Product "cis-windows-server" -Name "cis-windows-server2019-stig-gen1"

     Set-AzMarketplaceTerms -Publisher "center-for-internet-security-inc" -Product "cis-windows-server" -Name "cis-windows-server2019-stig-gen1" -Terms $agreementTerms -Accept

3. Configure Programmatic Deployment in Azure Marketplace for the STIG image:

   1. In the Azure Marketplace, search for "CIS Hardened Images on Microsoft Windows Server".

      

   2. Click CIS Hardened Image STIG on Microsoft Windows Server 2019 - Gen 1.

   3. Click Get started.

      

   4. Click Enable and then Save.

      

This section describes the Azure permissions, steps and PowerShell commands used to install the Teams Connector.

First-time use

You must install supported versions of PowerShell modules.

1. Open a new PowerShell ISE or PowerShell session before you install the modules.
2. Run the following PowerShell commands (as Administrator):

# Set execution policy for the current PowerShell process, when prompted type A (Yes to All)
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process

Install-Module -Name Az.Accounts -RequiredVersion 2.13.2 -Scope AllUsers -AllowClobber -Force
Install-Module -Name Az.Automation -RequiredVersion 1.9.1 -Scope AllUsers -AllowClobber -Force
Install-Module -Name Az.Compute -RequiredVersion 7.1.0 -Scope AllUsers -AllowClobber -Force
Install-Module -Name Az.EventHub -RequiredVersion 4.2.0 -Scope AllUsers -AllowClobber -Force
Install-Module -Name Az.KeyVault -RequiredVersion 5.0.1 -Scope AllUsers -AllowClobber -Force
Install-Module -Name Az.Network -RequiredVersion 7.1.0 -Scope AllUsers -AllowClobber -Force
Install-Module -Name Az.Resources -RequiredVersion 6.12.1 -Scope AllUsers -AllowClobber -Force
Install-Module -Name Az.Storage -RequiredVersion 6.0.1 -Scope AllUsers -AllowClobber -Force
Install-Module -Name Az.Websites -RequiredVersion 3.1.2 -Scope AllUsers -AllowClobber -Force
Install-Module -Name Microsoft.Graph.Authentication -RequiredVersion 2.11.1 -Scope AllUsers -AllowClobber -Force
Install-Module -Name Microsoft.Graph.Applications -RequiredVersion 2.11.1 -Scope AllUsers -AllowClobber -Force
Install-Module -Name Microsoft.Graph.Identity.DirectoryManagement -RequiredVersion 2.11.1 -Scope AllUsers -AllowClobber -Force

Note that:

• The Az PowerShell module collects telemetry data (usage data) by default, however you can opt out from this data collection using Disable-AzDataCollection (see this article for more information).
• The Az PowerShell module remembers login information by default (i.e. you're not automatically logged out when closing your PowerShell window), but you can disable this with Disable-AzContextAutosave if required (see this article for more information).

Import required versions of Az Powershell and Microsoft.Graph Powershell modules

You must import the required versions of PowerShell modules for this Teams Connector version:

1. Open a new PowerShell ISE or PowerShell session.
2. Change directory to the folder into which you extracted the files from the Teams Connector ZIP.
3. Run the following PowerShell commands to import the required module versions:

# Set execution policy for the current PowerShell process, when prompted type A (Yes to All)
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process

# The Unblock-File cmdlet lets you run PowerShell script files that were downloaded from the internet. 
# By default, these files are blocked to protect the computer from untrusted files.
Get-ChildItem -Recurse | Unblock-File

# Import the PexTeamsCviApplication PowerShell module
Import-Module .\PexTeamsCviApplication.psm1

# Import Az Powershell modules
Import-PexAzurePowershellModules -ErrorAction Stop
# Import Microsoft.Graph Powershell modules
Import-PexMicrosoftGraphPowershellModules -ErrorAction Stop

Azure permissions requirements

You (the person performing the installation) must have appropriate Azure permissions for some of the resources used for the Teams Connector:

• You must have the Azure Owner role for the static and dynamic resource groups, and Contributor role for the Azure Bot resource group that are created (as described below) for each Teams Connector, and the Owner role for the API app.
• If the Microsoft Entra ID tenant is configured with Users can register applications set to No, then appropriate permissions are also required to register the Pexip apps. If the applications are created by another user, then the user that is running the deployment script needs to have been given owner permissions of the applications. (See this article for more information).
• We recommend that the Teams Connector is deployed by a member account within the tenant. However, if it is deployed by a guest user within the tenant, that guest user also requires the Directory Readers role for the tenant.
• The user account used for deployment does not need to retain any RBAC permissions to the Teams Connector resource groups. The roles assigned can be removed or downgraded after deployment if this is a local policy requirement. However, apppropriate roles would have to be re-assigned to upgrade the Teams Connector.
• We recommend reviewing the role assignments that grant access to the deployed resources, with special attention to inherited RBAC roles.

Create the resource groups

Before you install the Teams Connector CVI application you must first create all of the resource groups that are to be used for each Teams Connector. This is a mix of static resource groups that persist whenever the Teams Connector is upgraded, and dynamic resource groups that need recreating whenever you upgrade or redeploy a Teams Connector.

To set up the resource groups:

These steps must be performed by the Owner of the Azure subscription used for the Teams Connector.

1. Run the following PowerShell command to connect to Azure:

   • In all standard deployments run:

     Connect-AzAccount

   • If this is a GCC High / Azure US Government Cloud deployment then use this command instead:

     Connect-AzAccount -EnvironmentName AzureUSGovernment

   Then follow the prompts to sign in to Azure.

2. Run the variable initialization script (to set the required subscription, resource group name and region variables).

3. Ensure that you are using the Azure subscription for the Teams Connector:

   Set-AzContext -SubscriptionId $PxSubscriptionId

4. Run the following script to create the resource groups:

   Copy to clipboard

   # Resource group for static resources for the Teams Connector / region
   New-AzResourceGroup -Name $PxTeamsConnStaticResourceGroupName -Location $PxAzureLocation -Force -Tag $tags
   
   # Resource group for the Teams Connector VMSS (per region)
   New-AzResourceGroup -Name $PxTeamsConnResourceGroupName -Location $PxAzureLocation -Tag $tags
   
   # Resource group for the Azure Bot
   New-AzResourceGroup -Name $PxBotResourceGroupName -Location $PxAzureLocation -Tag $tags

5. Ensure that the person who will perform all of the remaining installation steps has the Azure Owner role for the static and dynamic resource groups, and Contributor role for the Azure Bot resource group you have just created. If the Owner of the Azure subscription will perform all of the remaining installation steps then you can skip to Create the Teams Connector API app below.

   Otherwise, you must run the following commands to assign the required roles for the resource groups you have just created to the person who will perform all of the remaining installation steps:

   New-AzRoleAssignment -SignInName <email_name> -RoleDefinitionName "Owner" -ResourceGroupName $PxTeamsConnStaticResourceGroupName

   New-AzRoleAssignment -SignInName <email_name> -RoleDefinitionName "Owner" -ResourceGroupName $PxTeamsConnResourceGroupName

   New-AzRoleAssignment -SignInName <email_name> -RoleDefinitionName "Contributor" -ResourceGroupName $PxBotResourceGroupName

   where <email_name> is the email address / user principal name of the person who will perform the remaining installation steps; for example where alice@example.com will perform the upgrade/redeploy, the SignInName would be -SignInName alice@example.com for the commands listed above.

Note:

• Some of these resource groups only need creating once; others need recreating when you upgrade or if you redeploy:

  • The static resource group ($PxTeamsConnStaticResourceGroupName) only has to be created when deploying in a region for the first time — you do not have to repeat this when redeploying or for subsequent upgrades.
  • The dynamic resource group ($PxTeamsConnResourceGroupName) has to be recreated in each region whenever you upgrade or redeploy.
  • The Azure Bot resource group ($PxBotResourceGroupName) only has to be created once, and only in your first region — you do not have to repeat this when redeploying or for subsequent upgrades.
• In the future, if another person were to upgrade or redeploy the Teams Connector, that person would also have to be granted the appropriate roles for these resource groups.
• You can also use the Azure portal to check/assign permissions by selecting the resource group and using the Access control (IAM) option.

Create the Teams Connector API app

You must create a Microsoft Entra ID application that is used to secure requests to the Teams Connector APIs.

1. Run the following PowerShell command to connect to Azure:

   • In all standard deployments run:

     Connect-AzAccount

   • If this is a GCC High / Azure US Government Cloud deployment then use this command instead:

     Connect-AzAccount -EnvironmentName AzureUSGovernment

   Then follow the prompts to sign in to Azure.

2. Change directory to the folder into which you extracted the files from the Teams Connector ZIP.

3. Run the following PowerShell commands to connect to Microsoft Graph:

   Copy to clipboard

   # Set execution policy for the current PowerShell process, when prompted type A (Yes to All)
   Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process
   
   # The Unblock-File cmdlet lets you run PowerShell script files that were downloaded from the internet. 
   # By default, these files are blocked to protect the computer from untrusted files.
   Get-ChildItem -Recurse | Unblock-File
   
   # Import the PexTeamsCviApplication PowerShell module
   Import-Module .\PexTeamsCviApplication.psm1
   
   # Connect to Graph
   Connect-PexTeamsMsGraph

4. Run your variable initialization script to set the required prefix and region name variables.

5. Run the following command to create the Teams Connector API app.

   Copy to clipboard

   $teamsConnectorApiApp = New-MgApplication -DisplayName "${PxBaseConnName}-TeamsConn-${PxVmssRegion} Pexip Teams Connector API" -SignInAudience "AzureADMyOrg"

   Please allow one minute for this command to complete and propagate within Azure.

6. Run the following commands to obtain the Teams Connector API app ID.

   Note that if the New-MgServicePrincipal command fails, this means that you have not waited long enough for the previous command to complete.

   Copy to clipboard

   $teamsConnectorApiSp = New-MgServicePrincipal -AppId $teamsConnectorApiApp.AppId -Tags {WindowsAzureActiveDirectoryIntegratedApp}
   $TeamsConnectorApiApplicationId = $teamsConnectorApiApp.AppId
   
   Write-Host
   Write-Host
   Write-Host "`n----------------------------------------`n"
   Write-Host
   Write-Host "### Teams Connector API App ID MUST be saved in the variables initialization script ###"
   Write-Host
   Write-Host "`$TeamsConnectorApiApplicationId = `"$($TeamsConnectorApiApplicationId)`""
   Write-Host
   Write-Host "`n----------------------------------------`n"
   Write-Host
   Write-Host

7. When the command runs, it generates some output that lists the Teams Connector API App ID, similar to this:

   

8. Copy the output line that defines the API App ID and paste it into the variable initialization script, replacing the existing line in the script that says:

   $TeamsConnectorApiApplicationId = ""

   (If you will be performing the rest of the deployment, in the same PowerShell session, there is no need to re-run the variable initialization script as the new $TeamsConnectorApiApplicationId variable has been set in the previous steps.)

9. If somebody else will be completing the deployment, ensure that the person who will perform all of the remaining installation steps has Owner permissions for the API app. See Assigning Owner permissions for the API app for more information.

Note that:

• This app does not have to be granted any permissions. It does not have access to any resources in the Microsoft Entra ID tenant. It has no associated credentials.
• It is different from the main Pexip CVI App which is created by the installation script.
• If you intend to deploy the Teams Connector in multiple Azure regions, you must create an API app in each region, and store the app ID ($TeamsConnectorApiApplicationId) in the relevant variable initialization script for that region.

Deploying the Teams Connector

After creating the resource groups and the Teams Connector API App, you can now use the following PowerShell script and commands to connect to Microsoft Graph, connect to Azure Resource Manager, set up the Pexip CVI App ID, and then deploy the Teams Connector. The purpose of each command is explained as a comment within the script.

• If you need to upgrade or redeploy your Teams Connector you should use the redeploy process instead. If you want to deploy a new Teams Connector in a different Azure region, see Installing Teams Connectors in multiple Azure regions.
• The Microsoft Graph login you use must be a user in the tenant, not a Windows Live ID account.

• Before running your scripts we recommend that you check the Azure status (https://status.azure.com) for your region. Any ongoing issues in your region with the Azure services used by the Teams Connector could cause the script to fail.

Installation script

The following script is referred to as the installation script:

• This script only needs to be run once (per Azure subscription).
• As there are several commands in this installation process, we recommend running each group of commands step-by-step within PowerShell (you can copy-paste the commands below) to ensure that no elements are missed, and any unexpected issues are identified. If you use PowerShell ISE instead of the normal PowerShell CLI prompt you can run one line at a time (select section and press F8).
• After launching PowerShell you must change directory to the folder into which you extracted the files from the Teams Connector ZIP.
• The create_vmss_deployment.ps1 command in the script that creates the Teams Connector VMs can take up to 30 minutes to complete.
• See Troubleshooting Microsoft Teams and Pexip Infinity integrations for help with any installation script errors.

Remember to run the variable initialization script (above) first, before running this installation script.

Regarding the CVI App certificate, you should note that:

• The script passes a -ValidityInMonths parameter to the PexTeamsCviApplicationCertificateCredential cmdlet to specify the validity period of the CVI App certificate. In this case it specifies "-ValidityInMonths 24" i.e. 2 years but you can specify your own period as required.
• The Teams Connector application will stop working if the CVI App certificate expires. We recommend that you set certificate contact notifications (see this Microsoft article) as they can warn you of certificates that are due to expire.
• If required, you can use you own certificate instead of the self-signed certificate — see Using your own certificate for the CVI App for details.

This script applies to software version 34. If you are using an earlier version you should refer to our previous documentation.

# Ensure the correct script and software combination is being used
try {$PxConnMajorVersion = (Get-Content .\version.json -ErrorAction Stop | Out-String | ConvertFrom-Json).major} catch {Write-Warning "Can't find version.json file. Make sure you run the installation script from the folder into which you extracted the files from the Teams Connector ZIP"}

if ($PxConnMajorVersion -ne "34"){Write-Warning "The Connector version (extracted ZIP files) and this deployment script version do not match. Connector version = $PxConnMajorVersion. Deployment script version = 34"}

# Connect to Microsoft Graph, Azure Resource Manager account and import Pexip CVI module
# Microsoft Graph commands
# Connect to Microsoft Graph
# If AAD/365 admin account is not the same as Azure Resource Manager admin account,
# the next section is to be run by the AAD admin.
#
# IMPORTANT: The output of IDs/credentials here must be saved as it will be required later

# Set execution policy for the current PowerShell process, when prompted type A (Yes to All)
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process

# The Unblock-File cmdlet lets you run PowerShell script files that were downloaded from the internet. 
# By default, these files are blocked to protect the computer from untrusted files.
Get-ChildItem -Recurse | Unblock-File

# Connect to Azure with an authenticated account for use with Azure Resource Manager (in same window to reuse variables)
Connect-AzAccount

# Import the PexTeamsCviApplication PowerShell module
Import-Module .\PexTeamsCviApplication.psm1

# Connect to Graph
Connect-PexTeamsMsGraph

# Create Pexip CVI Application
# Create App
$App = New-PexTeamsCviApplication -AppDisplayName "$($PxBaseConnName)TeamsConn" -Confirm:$false
$AppId = $App.AppId

# Create App Certificate - the certificate validity period is defined via the -ValidityInMonths parameter passed to New-PexTeamsCviApplicationCertificateCredential
# New-PexTeamsCviApplicationCertificateCredential cmdlet creates a self signed certificate and uploads it to Microsoft Entra ID for use as a credential for the CVI app
Write-Host "### Create and save CVI App certificate password using a password manager ###"
$AppCertificatePath = $App | New-PexTeamsCviApplicationCertificateCredential -ValidityInMonths 24

Write-Host
Write-Host
Write-Host "`n----------------------------------------`n"
Write-Host
Write-Host "### Save CVI App ID (use a password manager) ###"
Write-Host "### Save CVI App certificate ###"
Write-Host
Write-Host "`$AppId = `"$($AppId)`""
Write-Host "`$AppCertificatePath = `"$($AppCertificatePath)`""
Write-Host
Write-Host "`n----------------------------------------`n"
Write-Host
Write-Host

# Change context to the Pexip Subscription
Set-AzContext -SubscriptionId $PxSubscriptionId

# Azure Bot for the CVI AppID
# Create bot (must be globally unique, and only needs to be created once - in any of your regions)
Register-PexTeamsCviApplicationBot -SubscriptionId $PxSubscriptionId -ResourceGroupName $PxBotResourceGroupName -BotName "$($PxBaseConnName)-TeamsBot" -AppId $AppId -Confirm:$false -Tag $tags

# Deploy Pexip Teams Connector admin consent web page
$AdminConsentUrl = Publish-PexTeamsAdminConsentWebSite -SubscriptionId $PxSubscriptionId -ResourceGroupName $PxBotResourceGroupName -PxBaseConnName $PxBaseConnName -AppId $AppId -SourceAddressPrefixes $PxConsentSourceAddressPrefixes -Confirm:$false -Tag $tags

# Virtual Machine Scale Set (VMSS) creation
# Provide credentials to be used as local user/password for Pexip Teams Connector VMs
# Create a password (using the initialization script variables) for the Windows VM
$PxWinAdminSecurePassword = ConvertTo-SecureString -AsPlainText $PxWinAdminPassword -Force
$PxWinAdminCred = New-Object System.Management.Automation.PSCredential -ArgumentList $PxWinAdminUser,$PxWinAdminSecurePassword

# Optionally if you did not want to specify the password as a variable, use Get-Credential
# $PxWinAdminCred = Get-Credential

# Deploy the Teams Connector VMs
# this step can take up to 30 minutes to complete
.\create_vmss_deployment.ps1 -SubscriptionId $PxSubscriptionId -AzureVmSize $PxAzureVmSize -ResourceGroupName $PxTeamsConnResourceGroupName -VmssName "$($PxBaseConnName)$($PxVmssRegion)" -VMAdminCredential $PxWinAdminCred -PfxPath $PxPfxCertFileName -TeamsConnectorFqdn $PxTeamsConnFqdn -PexipFqdns $PxNodeFqdns -instanceCount $PxTeamsConnInstanceCount -AppId $AppId -AppCertificatePath $AppCertificatePath -StaticResourcesResourceGroupName $PxTeamsConnStaticResourceGroupName -IncidentReporting $PxTeamsConnIncidentReporting -RdpSourceAddressPrefixes $PxMgmtSrcAddrPrefixes -PexipSourceAddressPrefixes $PxNodesSourceAddressPrefixes -WupdScheduledInstallDay $PxWupdScheduledInstallDay -WupdScheduledInstallTime $PxWupdScheduledInstallTime -WupdActiveHoursStart $PxWupdActiveHoursStart -WupdActiveHoursEnd $PxWupdActiveHoursEnd -CustomerUsageAttribution $PxCustomerUsageAttribution -UseAzureHybridBenefit $PxUseAzureHybridBenefit -Tag $tags -TeamsConnectorApiApplicationId $TeamsConnectorApiApplicationId -FunctionsDedicatedHostingPlan $FunctionsDedicatedHostingPlan -EventHubSourceAddressPrefixes $EventHubSourceAddressPrefixes -VnetIntegration $VnetIntegration -PexipConfiguredConnectorFqdn $PexipConfiguredConnectorFqdn -PexipOutboundFqdn $PexipOutboundFqdn -ExistingVNETResourceId $PxExistingVNETResourceId -UsePrivateRouting $PxUsePrivateRouting

# supply the PFX Teams Connector TLS certificate file password when prompted

# Please enter the password for the PFX Teams Connector TLS certificate '.\xxxxxxxx.pfx': ***************

# supply the PFX CVI app certificate file password when prompted

# Please enter the password for the CVI app PFX certificate '.\xxxxxxxx.pfx': ***************

# Generating the next steps summary (this assumes you are connected to Microsoft Graph and with an authenticated account for use with Azure Resource Manager)
#
# Setting subscription
Set-AzContext -SubscriptionId $PxSubscriptionId

# Getting IP configurations
if ($PxUsePrivateRouting) {
    $LB = Get-AzLoadBalancer -ResourceGroupName $PxTeamsConnResourceGroupName
    $ExtLB = $LB | Where-Object { $_.Name.EndsWith("-LB") }
    $IntLB = $LB | Where-Object { $_.Name.EndsWith("-INTLB") }
    $LBExtIPID = $ExtLB.FrontendIpConfigurations[0].PublicIpAddress.id
    $LBIntIP = $IntLB.FrontendIpConfigurations[0].PrivateIpAddress
    $PublicIPAddresses = Get-AzPublicIpAddress -ResourceGroupName $PxTeamsConnStaticResourceGroupName
    $ConnectorPublicIP = $PublicIPAddresses | Where-Object Id -eq $LBExtIPID
    $publicIpAddress = $ConnectorPublicIP[0].IpAddress
    $privateIpAddress = $LBIntIP
} else {
    $LB = (Get-AzLoadBalancer -ResourceGroupName $PxTeamsConnResourceGroupName)[0]
    $LBPublicIPID = $LB.FrontendIpConfigurations[0].PublicIpAddress.id
    $PublicIPAddresses = Get-AzPublicIpAddress -ResourceGroupName $PxTeamsConnStaticResourceGroupName
    $ConnectorPublicIP = $PublicIPAddresses | Where-Object Id -eq $LBPublicIPID
    $publicIpAddress = $ConnectorPublicIP[0].IpAddress
}

# Getting connection string for the newly deployed Event hub
$eventHub = (Get-AzResource -ResourceGroupName $PxTeamsConnStaticResourceGroupName -ResourceType Microsoft.EventHub/namespaces)[0]
$eventHubKey = Get-AzEventHubKey -Name "pexip_teams_connector_access" -NamespaceName $eventHub.Name -ResourceGroupName $eventHub.ResourceGroupName

# Printing next steps
Write-Host
Write-Host
Write-Host "`n--------------------------`n"
Write-Host
Write-Host "When the Teams Connector is deployed, you have to create a DNS A record for your hostname,"
Write-Host "then the Office 365 admin must consent for the CVI App Id to join Teams Meetings"
Write-Host
Write-Host "1) Set up a public DNS A record for $($PxTeamsConnFqdn) pointing to the Public IP of "
Write-Host "   the load balancer ($($publicIpAddress))"
Write-Host
Write-Host "2) Give consent to the CVI app. Go to: $AdminConsentUrl"
Write-Host
Write-Host "   If Management Consent Source Address prefixes are defined, the administrator"
Write-Host "   doing consent must come from one of these addresses (or subnets)."
Write-Host "   Consent address prefixes: $($PxConsentSourceAddressPrefixes)"
Write-Host
Write-Host "3) Update the Management Node setting 'Azure Event Hub connection string' for $($PxTeamsConnFqdn) to:"
Write-Host "    $($eventHubKey.PrimaryConnectionString)"
Write-Host
if ($PxUsePrivateRouting) {
    Write-Host "4) Set up a private DNS A record for $($PxTeamsConnFqdn) pointing to the (private) frontend IP of "
    Write-Host "   the internal load balancer ($($privateIpAddress))"
    Write-Host "   See: https://docs.pexip.com/admin/teams_routing.htm#enabling"
}
Write-Host
Write-Host "`n--------------------------`n"
Write-Host
Write-Host

# This script only applies to GCC High / Azure US Government Cloud deployments

# Ensure the correct script and software combination is being used
try {$PxConnMajorVersion = (Get-Content .\version.json -ErrorAction Stop | Out-String | ConvertFrom-Json).major} catch {Write-Warning "Can't find version.json file. Make sure you run the installation script from the folder into which you extracted the files from the Teams Connector ZIP"}

if ($PxConnMajorVersion -ne "34"){Write-Warning "The Connector version (extracted ZIP files) and this deployment script version do not match. Connector version = $PxConnMajorVersion. Deployment script version = 34"}

# Set VmImage variable to hold the CIS STIG image properties - STIG image is optional but typical
# In a later step in this script you can choose not to use the STIG image 
$VmImage = @{
"sku"       = "cis-windows-server2019-stig-gen1"
"offer"     = "cis-windows-server"
"publisher" = "center-for-internet-security-inc"
"version"   = "latest"}

# Connect to Microsoft Graph, Azure Resource Manager account and import Pexip CVI module
# Microsoft Graph commands
# Connect to Microsoft Graph
# If AAD/365 admin account is not the same as Azure Resource Manager admin account,
# the next section is to be run by the AAD admin.
#
# IMPORTANT: The output of IDs/credentials here must be saved as it will be required later

# Set execution policy for the current PowerShell process, when prompted type A (Yes to All)
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process

# The Unblock-File cmdlet lets you run PowerShell script files that were downloaded from the internet. 
# By default, these files are blocked to protect the computer from untrusted files.
Get-ChildItem -Recurse | Unblock-File

# Connect to Azure USGovernment with an authenticated account for use with Azure Resource Manager (in same window to reuse variables)
Connect-AzAccount -EnvironmentName AzureUSGovernment

# Import the PexTeamsCviApplication PowerShell module
Import-Module .\PexTeamsCviApplication.psm1

# Connect to Graph
Connect-PexTeamsMsGraph

# Create Pexip CVI Application
# Create App
$App = New-PexTeamsCviApplication -AppDisplayName "$($PxBaseConnName)TeamsConn" -Confirm:$false
$AppId = $App.AppId

# Create App Certificate - the certificate validity period is defined via the -ValidityInMonths parameter passed to New-PexTeamsCviApplicationCertificateCredential
# New-PexTeamsCviApplicationCertificateCredential cmdlet creates a self signed certificate and uploads it to Microsoft Entra ID for use as a credential for the CVI app
Write-Host "### Create and save CVI App certificate password using a password manager ###"
$AppCertificatePath = $App | New-PexTeamsCviApplicationCertificateCredential -ValidityInMonths 24

Write-Host
Write-Host
Write-Host "`n----------------------------------------`n"
Write-Host
Write-Host "### Save CVI App ID (use a password manager) ###"
Write-Host "### Save CVI App certificate ###"
Write-Host
Write-Host "`$AppId = `"$($AppId)`""
Write-Host "`$AppCertificatePath = `"$($AppCertificatePath)`""
Write-Host
Write-Host "`n----------------------------------------`n"
Write-Host
Write-Host

# Change context to the Pexip Subscription
Set-AzContext -SubscriptionId $PxSubscriptionId

# Azure Bot for the CVI AppID
# Create bot (must be globally unique, and only needs to be created once - in any of your regions)
Register-PexTeamsCviApplicationBot -SubscriptionId $PxSubscriptionId -ResourceGroupName $PxBotResourceGroupName -BotName "$($PxBaseConnName)-TeamsBot" -AppId $AppId -Confirm:$false -Tag $tags -TeamsEnvironmentName TeamsGCCHigh

# Deploy Pexip Teams Connector admin consent web page
$AdminConsentUrl = Publish-PexTeamsAdminConsentWebSite -SubscriptionId $PxSubscriptionId -ResourceGroupName $PxBotResourceGroupName -PxBaseConnName $PxBaseConnName -AppId $AppId -SourceAddressPrefixes $PxConsentSourceAddressPrefixes -Confirm:$false -Tag $tags

# Virtual Machine Scale Set (VMSS) creation
# Provide credentials to be used as local user/password for Pexip Teams Connector VMs
# Create a password (using the initialization script variables) for the Windows VM
$PxWinAdminSecurePassword = ConvertTo-SecureString -AsPlainText $PxWinAdminPassword -Force
$PxWinAdminCred = New-Object System.Management.Automation.PSCredential -ArgumentList $PxWinAdminUser,$PxWinAdminSecurePassword

# Optionally if you did not want to specify the password as a variable, use Get-Credential
# $PxWinAdminCred = Get-Credential

# Deploy the Teams Connector VMs
# this step can take up to 30 minutes to complete
# if you are not using a STIG image then remove the following parameter from this command: -VmImage $VmImage
.\create_vmss_deployment.ps1 -SubscriptionId $PxSubscriptionId -AzureVmSize $PxAzureVmSize -ResourceGroupName $PxTeamsConnResourceGroupName -VmssName "$($PxBaseConnName)$($PxVmssRegion)" -VMAdminCredential $PxWinAdminCred -PfxPath $PxPfxCertFileName -TeamsConnectorFqdn $PxTeamsConnFqdn -PexipFqdns $PxNodeFqdns -instanceCount $PxTeamsConnInstanceCount -AppId $AppId -AppCertificatePath $AppCertificatePath -StaticResourcesResourceGroupName $PxTeamsConnStaticResourceGroupName -IncidentReporting $PxTeamsConnIncidentReporting -RdpSourceAddressPrefixes $PxMgmtSrcAddrPrefixes -PexipSourceAddressPrefixes $PxNodesSourceAddressPrefixes -WupdScheduledInstallDay $PxWupdScheduledInstallDay -WupdScheduledInstallTime $PxWupdScheduledInstallTime -WupdActiveHoursStart $PxWupdActiveHoursStart -WupdActiveHoursEnd $PxWupdActiveHoursEnd -CustomerUsageAttribution $PxCustomerUsageAttribution -UseAzureHybridBenefit $PxUseAzureHybridBenefit -Tag $tags -TeamsConnectorApiApplicationId $TeamsConnectorApiApplicationId -FunctionsDedicatedHostingPlan $FunctionsDedicatedHostingPlan -EventHubSourceAddressPrefixes $EventHubSourceAddressPrefixes -VnetIntegration $VnetIntegration -VmImage $VmImage -TeamsEnvironmentName TeamsGCCHigh -PexipConfiguredConnectorFqdn $PexipConfiguredConnectorFqdn -PexipOutboundFqdn $PexipOutboundFqdn -ExistingVNETResourceId $PxExistingVNETResourceId -UsePrivateRouting $PxUsePrivateRouting

# supply the PFX Teams Connector TLS certificate file password when prompted

# Please enter the password for the PFX Teams Connector TLS certificate '.\xxxxxxxx.pfx': ***************

# supply the PFX CVI app certificate file password when prompted

# Please enter the password for the CVI app PFX certificate '.\xxxxxxxx.pfx': ***************

# Generating the next steps summary (this assumes you are connected to Microsoft Graph and with an authenticated account for use with Azure Resource Manager)
#
# Setting subscription
Set-AzContext -SubscriptionId $PxSubscriptionId

# Getting IP configurations
if ($PxUsePrivateRouting) {
    $LB = Get-AzLoadBalancer -ResourceGroupName $PxTeamsConnResourceGroupName
    $ExtLB = $LB | Where-Object { $_.Name.EndsWith("-LB") }
    $IntLB = $LB | Where-Object { $_.Name.EndsWith("-INTLB") }
    $LBExtIPID = $ExtLB.FrontendIpConfigurations[0].PublicIpAddress.id
    $LBIntIP = $IntLB.FrontendIpConfigurations[0].PrivateIpAddress
    $PublicIPAddresses = Get-AzPublicIpAddress -ResourceGroupName $PxTeamsConnStaticResourceGroupName
    $ConnectorPublicIP = $PublicIPAddresses | Where-Object Id -eq $LBExtIPID
    $publicIpAddress = $ConnectorPublicIP[0].IpAddress
    $privateIpAddress = $LBIntIP
} else {
    $LB = (Get-AzLoadBalancer -ResourceGroupName $PxTeamsConnResourceGroupName)[0]
    $LBPublicIPID = $LB.FrontendIpConfigurations[0].PublicIpAddress.id
    $PublicIPAddresses = Get-AzPublicIpAddress -ResourceGroupName $PxTeamsConnStaticResourceGroupName
    $ConnectorPublicIP = $PublicIPAddresses | Where-Object Id -eq $LBPublicIPID
    $publicIpAddress = $ConnectorPublicIP[0].IpAddress
}

# Getting connection string for the newly deployed Event hub
$eventHub = (Get-AzResource -ResourceGroupName $PxTeamsConnStaticResourceGroupName -ResourceType Microsoft.EventHub/namespaces)[0]
$eventHubKey = Get-AzEventHubKey -Name "pexip_teams_connector_access" -NamespaceName $eventHub.Name -ResourceGroupName $eventHub.ResourceGroupName

# Printing next steps
Write-Host
Write-Host
Write-Host "`n--------------------------`n"
Write-Host
Write-Host "When the Teams Connector is deployed, you have to create a DNS A record for your hostname,"
Write-Host "then the Office 365 admin must consent for the CVI App Id to join Teams Meetings"
Write-Host
Write-Host "1) Set up a public DNS A record for $($PxTeamsConnFqdn) pointing to the Public IP of "
Write-Host "   the load balancer ($($publicIpAddress))"
Write-Host
Write-Host "2) Give consent to the CVI app. Go to: $AdminConsentUrl"
Write-Host
Write-Host "   If Management Consent Source Address prefixes are defined, the administrator"
Write-Host "   doing consent must come from one of these addresses (or subnets)."
Write-Host "   Consent address prefixes: $($PxConsentSourceAddressPrefixes)"
Write-Host
Write-Host "3) Update the Management Node setting 'Azure Event Hub connection string' for $($PxTeamsConnFqdn) to:"
Write-Host "    $($eventHubKey.PrimaryConnectionString)"
Write-Host
if ($PxUsePrivateRouting) {
    Write-Host "4) Set up a private DNS A record for $($PxTeamsConnFqdn) pointing to the (private) frontend IP of "
    Write-Host "   the internal load balancer ($($privateIpAddress))"
    Write-Host "   See: https://docs.pexip.com/admin/teams_routing.htm#enabling"
}
Write-Host
Write-Host "`n--------------------------`n"
Write-Host
Write-Host

After deploying the (first) Teams Connector

1. When the script ran, it generated some output that listed the CVI App ID and certificate path, similar to this:

   

2. Store the items as instructed:

   1. Store the CVI App ID and CVI App certificate password in a password manager. These variables are needed to redeploy the Teams Connector.
   2. Store the CVI App certificate PFX file in a safe location.

This means that if you need to run the redeploy script, you will not rerun the commands that imported the PowerShell module and created the app. Instead you will set the variables to the ID and certificate of the CVI app that you created the first time.

Information about the permissions required by the Pexip CVI app is provided in the following table: