MS Teams Bot Provisioning on Private Cloud

1. Introduction

We are in the process of setting up the Microsoft Teams Bot for Private Cloud on their Azure environment. While the Teams Bot code from our side is fully ready, we are facing challenges in provisioning the bot on Private Cloud's Azure subscription due to certain limitations and configuration issues.

2. Requirements for Bot Provisioning

2.1 Side Loading

In order to provision the Teams Bot on Private Cloud Azure, side loading must be enabled for our account on Private Cloud Azure. Currently, side loading is disabled, which is preventing us from proceeding with the provisioning process.

·         

2.2 Azure Quota

 Once side loading is enabled, sufficient quota must be available in the Azure subscription to create bot-specific services. During the bot’s auto-provisioning, Azure automatically creates the required services. If the quota is not available, the provisioning will fail.

Below are the services which will be auto created while provisioning the MS Teams Bot on Azure

o   

3. Issues Encountered

When we previously attempted provisioning with side loading enabled, the process failed while creating the required bot-related services. The error details are shared below for reference.

3.1 Error Details

[Error] - code:Solution.FailedToDeployArmTemplatesToAzure, message: [Teams Toolkit] Failed to deploy ARM templates. Resource group name: LucyAI. Deployment name: teams_toolkit_deployment
Error message: The long-running operation has failed.
Detailed message:
{
"provisionResources": {
"azureWebAppBotProvision": {
"lucyfa1901bot": {
"code": "Unauthorized",
"message": "This region has quota of 0 instances for your subscription. Try selecting different region or SKU.",
"details": [
{
"message": "This region has quota of 0 instances for your subscription. Try selecting different region or SKU."
},
{
"code": "Unauthorized"
},
{}
]
}
}
}
  }

4. Next Steps

To successfully provision the Teams Bot on Private Cloud Azure, we recommend the following steps:

•  Enable side loading for our account on Private Cloud Azure. 
• Ensure sufficient quota is available in the Azure subscription for the bot services (Web App Bot, App Service Plan, Azure Storage, etc.).
• Retry the provisioning process after the above requirements are met.

5. Steps to Enable Side Loading

To enable side loading in Microsoft Teams for our user account, please follow the steps below:

• Sign in to the Microsoft Teams Admin Center (https://admin.teams.microsoft.com).
• Navigate to Teams apps > Setup policies.
• Select the policy that applies to our user account, or create a new policy if needed.
• Under Custom apps, ensure that 'Upload custom apps' (side loading) is turned ON
• Assign this policy to our user account in Private Cloud's Azure Active Directory.
• Wait for policy propagation (can take several hours) and reattempt bot provisioning.
• Only Private Cloud's Teams/Azure administrator has the permissions to enable this

6. Steps to Resolve Azure Quota Issue

The error indicates that the selected Azure region has a quota of 0 instances for the required service (App Service Plan or Web App Bot). To resolve this, follow these steps:

• Sign in to the Azure Portal (https://portal.azure.com).
• Navigate to Subscriptions and select the subscription being used.
• Go to Usage + quotas or Resource provider limits.
• Check the quota for Microsoft.BotService and App Service Plan (S1 or F0 SKU depending on requirement) in the selected region.
• If the quota is 0, raise a Support Request with Microsoft Azure to increase the quota.
• Navigate to Help + support > New support request.
• Choose Service and subscription limits (quotas).
• Specify the service (App Service / Bot Service) and region and request an increase.
• Alternatively, retry provisioning the bot in a different region that has available quota.
• Once quota is increased or a supported region is selected, retry the bot provisioning process.

7. Steps to Provision and Delegate API Management (APIM) Gateway Access

In order to securely expose the Teams Bot while keeping the actual services private, we will use Azure API Management (APIM) as the gateway. To minimize Private Cloud's operational overhead, we request only IAM access on the APIM resource so our team can complete all setup.

7.1 Provision APIM Instance

• Sign in to Azure Portal.
• Navigate to Create a resource → API Management.
• Provide resource group, instance name, and region.
• Select SKU (Consumption/Premium for production).
• No further configuration is needed at this stage.
  
   

7.2 Grant IAM Access

• Go to the created APIM instance → Access control (IAM).
• Click Add role assignment.
• Assign the Owner roles to our service account.
• Scope: This resource only (APIM instance).
• Enter our Azure AD user/service principal and confirm.

8. Post-Provisioning Steps: Bot Review and Publishing

Once the Microsoft Teams Bot is successfully provisioned in Private Cloud's Azure environment, the next steps must be completed by Private Cloud's Teams Administrator to make the bot available for use within the Private Cloud organization.

8.1 Review Bot Details on Developer Portal

• Sign in to the Microsoft Teams Developer Portal: https://dev.teams.microsoft.com/apps
• Locate the newly provisioned bot under Apps.
• Review the bot’s configuration details (App ID, name, descriptions, icons, permissions, etc.).
• Update or adjust any details as required to match organizational standards or Private Cloud's internal compliance requirements.
• Save the updated configuration.

8.2 Publish the Bot to the Organization

• From the Teams Developer Portal, submit the bot app for publishing.
• The app will move to the organizational publishing workflow.

8.3 Approve the Bot in Microsoft Teams Admin Center

• Sign in to the Teams Admin Center: https://admin.teams.microsoft.com/policies/manage-apps
• Navigate to Teams apps > Manage apps.
• Locate the newly published bot.
• Approve the app for use within the organization.
• If required, assign the bot app via App permission policies or App setup policies to specific users or groups.