
[IC3 ACS - Auth] <stable/2025-06-30> ACS Token Exchange for Teams Phone Extensibility #34712


Open: wants to merge 8 commits into base: main

paveldostalms (Member) commented May 15, 2025

Data Plane API Specification Update Pull Request

Tip

Overwhelmed by all this guidance? See the Getting help section at the bottom of this PR description.

APIs supporting authorization mechanism and token exchange for Teams Phone Extensibility
New Identifier Model representing Teams Phone Extensibility user in ACS
Stable API containing part of changes approved for beta preview
(preview PRs #32703 #32704)

Teams Phone Extensibility

  • Enhances Teams phone functionality via ACS SDKs to meet advanced voice needs in the Contact Center as a Service (CCaaS) space.
  • Enables interoperability between Teams-owned phone numbers and ACS Call Automation, supporting:
    • Secure handover of calls from Teams to ACS Call Automation
    • Forwarding calls back to Teams from ACS Call Automation

Multi-persona

  • Application of Entra ID for ACS in the Teams Phone Extensibility context
  • The data of a Teams user is separate from the data of the same Entra ID user when using a CCaaS application (call history, endpoint ringing, presence must be separate between the apps)

Why Authorization

  • Azure RBAC only works for users in the same tenant as the ACS resource
  • Common scenario for CCaaS: an ISV provides CCaaS for somebody else; the ISV owns the ACS resource, but the Teams users are in different tenants
  • Azure RBAC cannot be used, no plans for Azure RBAC to become multi-tenant
  • We were told to build our own authorization mechanism to set up authorization for users to the ACS resource

Why Token Exchange to Skype tokens

  • There are current limitations that require a token exchange with the ACS token:
    • IC3 services do not support Entra tokens and rely on Skype tokens.
    • Entra tokens are not scoped to ACS resources
  • Our long-term aim is to have a trusted Entra token for all ACS and IC3 services.

PR review workflow diagram

Please understand this diagram before proceeding. It explains how to get your PR approved & merged.

[Figure: spec PR review workflow diagram]

API Info: The Basics

Most of the information about your service should be captured in the issue that serves as your API Spec engagement record.

  • Link to API Spec engagement record issue:

Is this review for (select one):

  • a private preview
  • a public preview
  • GA release

Change Scope

This section will help us focus on the specific parts of your API that are new or have been modified.
Please share a link to the design document for the new APIs, a link to the previous API Spec document (if applicable), and the root paths that have been updated.

Viewing API changes

For a convenient view of the API changes made by this PR, refer to the URLs provided in the table
in the Generated ApiView comment added to this PR. You can use ApiView to show API versions diff.

https://apiview.dev/Assemblies/Review/0d3704e599a74da69d6b8a7eadb53d96?revisionId=7e5f925bafdc44dd88611c7db5872f8d

Suppressing failures

If one or multiple validation error/warning suppression(s) is detected in your PR, please follow the
Swagger-Suppression-Process
to get approval.

Release planner

A release plan should have been created. If not, please create one as it will help guide you through the REST API and SDK creation process.

❔Got questions? Need additional info?? We are here to help!

Contact us!

The Azure API Review Board is dedicated to helping you create amazing APIs. You can read about our mission and learn more about our process on our wiki.

Getting help

  • First, please carefully read through this PR description, from top to bottom.
  • If you don't have permissions to remove or add labels to the PR, request write access per aka.ms/azsdk/access#request-access-to-rest-api-or-sdk-repositories
  • To understand what you must do next to merge this PR, see the Next Steps to Merge comment. It will appear within a few minutes of submitting this PR and will continue to be up-to-date with current PR state.
  • For guidance on fixing this PR's CI check failures, see the hyperlinks provided in the given failure
    and https://aka.ms/ci-fix.
  • If the PR CI checks appear to be stuck in queued state, please add a comment with contents /azp run.
    This should result in a new comment denoting a PR validation pipeline has started and the checks should be updated after a few minutes.
  • If the help provided by the previous points is not enough, post to https://aka.ms/azsdk/support/specreview-channel and link to this PR.

Base commit for common and identity
Changes in Common swagger for TeamsExtension
Added TeamsExtension API to swagger
paveldostalms requested a review from a team as a code owner May 15, 2025 15:01

openapi-pipeline-app bot commented May 15, 2025

Next Steps to Merge

Next steps that must be taken to merge this PR:
  • ❌ This PR targets either the main branch of the public specs repo or the RPSaaSMaster branch of the private specs repo. These branches are not intended for iterative development. Therefore, you must acknowledge you understand that after this PR is merged, the APIs are considered shipped to Azure customers. Any further attempts at in-place modifications to the APIs will be subject to Azure's versioning and breaking change policies. Additionally, for control plane APIs, you must acknowledge that you are following all the best practices documented by ARM at aka.ms/armapibestpractices. If you do intend to release the APIs to your customers by merging this PR, add the PublishToCustomers label to your PR in acknowledgement of the above. Otherwise, retarget this PR onto a feature branch, i.e. with prefix release- (see aka.ms/azsdk/api-versions#release--branches).
  • ❌ Your PR requires an API stewardship board review as it introduces a new API version (label: new-api-version). Schedule the review by following aka.ms/azsdk/onboarding/restapischedule.
  • ❌ The required check named Automated merging requirements met has failed. This is the final check that must pass. Refer to the check in the PR's 'Checks' tab for details on how to fix it and consult the aka.ms/ci-fix guide. In addition, refer to step 4 in the PR workflow diagram


openapi-pipeline-app bot commented May 15, 2025

PR validation pipeline restarted successfully. If there is ApiView generated, it will be updated in this comment.

github-actions bot added the brownfield label (Brownfield services will soon be required to convert to TypeSpec. See https://aka.ms/azsdk/typespec.) May 15, 2025

github-actions bot commented May 15, 2025

API Change Check

APIView identified API level changes in this PR and created the following API reviews

Language    API Review for Package
Swagger     CallAutomation-Common
Swagger     CallAutomation-Identity

Forgotten changes from review that shouldn't go to this stable version
Labels: brownfield, data-plane, new-api-version, PipelineBotTrigger