Enterprise Admins are typically sent a registration email that prompts them to authorize access to their Microsoft Teams organization. This process then directs them to the Enterprise Portal, where they can configure services and deploy ConnecttoTeams apps to their Teams app catalog for end users.
However, some ConnecttoTeams providers prefer to manage this process within their own portals, avoiding the registration email and keeping Enterprise Admins within the provider’s environment. To support this, ConnecttoTeams offers an alternative workflow called “Restricted Enterprise Access.”
Restricted Enterprise Access Workflow
Under Restricted Enterprise Access, Enterprise Admins complete the required actions without accessing the ConnecttoTeams portal directly. To make this possible, the ConnecttoTeams API provides a dedicated URL for each action type. These URLs can be embedded as buttons or hyperlinks within the provider’s portal, allowing customers to perform necessary tasks seamlessly within the provider environment.
The sequence diagram below illustrates how this workflow operates.
The following steps explain this diagram:
Generating an Action-Specific URL.
The client application (such as the provider’s portal) calls the ConnecttoTeams API endpoint /enterprise/getActionItemUrl to request a URL for a specific action type. This request requires a callback URL parameter, which serves as the redirection target upon completion of the consent process. Action types are available for registering the enterprise, getting consent to access Teams users and Contacts, and deploying apps to the Teams catalog.
Providing the URL for Consent.
Upon receiving the API call, ConnecttoTeams responds with a URL. The client application then presents this URL to the Enterprise Admin, who clicks it to begin the consent process.
Redirecting to Microsoft Consent Screen.
After the Enterprise Admin clicks the URL, they are redirected to the Microsoft consent screen, where they can review and approve the required permissions based on the specific action type.
Handling User Consent & Processing the Response.
After the Enterprise Admin grants consent, Microsoft redirects them to the ConnecttoTeams Broker, which processes the consent response to determine the outcome.
Final Redirect Based on Success/Error.
The ConnecttoTeams Broker then redirects the user to the callback URL specified in the original /enterprise/getActionItemUrl request. For registration or login actions, it delivers an MSAL object, while for consent-related actions, it delivers a status message.
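Because the callback URL is where the Broker finally sends the Enterprise Admin, the provider portal should be able to tell that a callback hit belongs to a request it made for that admin's session, and should check the returned action URL before rendering it as a link. The sketch below is an added example, not ConnecttoTeams code. The action-type labels, the "action" and "rt" query parameters, all host names, and the assumption that the Broker returns the callback URL's query string unchanged are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions (none of these names come from the ConnecttoTeams documentation):
# the action-type labels, the "action"/"rt" query parameters, the portal host,
# and that the Broker returns the callback URL's query string unchanged.
CALLBACK_BASE = "https://portal.example.com/teams/callback"
ACTION_TYPES = {"register", "consent_users", "consent_contacts", "deploy_apps"}


def _tag(secret: bytes, session_id: str, action: str) -> str:
    """HMAC that ties one action request to one admin session."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_callback(secret: bytes, session_id: str, action: str) -> str:
    """Callback URL to pass when requesting an action URL."""
    if action not in ACTION_TYPES:
        raise ValueError(f"unknown action type: {action!r}")
    query = urlencode({"action": action, "rt": _tag(secret, session_id, action)})
    return f"{CALLBACK_BASE}?{query}"


def safe_action_url(url: str, allowed_hosts: set[str]) -> str:
    """Check the URL returned by the API before rendering it as a link."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        raise ValueError("action URL must be https without credentials")
    if parts.hostname not in allowed_hosts:
        raise ValueError(f"unexpected action URL host: {parts.hostname!r}")
    return url


def verify_callback(secret: bytes, session_id: str, callback_hit: str) -> str:
    """Return the action type if this hit matches a request made by this session."""
    params = parse_qs(urlsplit(callback_hit).query)
    action = params.get("action", [""])[0]
    token = params.get("rt", [""])[0]
    if action not in ACTION_TYPES:
        raise ValueError("callback carries no known action type")
    expected = _tag(secret, session_id, action)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        raise ValueError("callback is not bound to this session")
    return action
```

The token is deterministic per session and action, so it can be replayed within the same session; keep a server-side record of pending requests if each callback must be accepted only once.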