
How to create a Microsoft Teams tile in RM Unify
Published Date : 27 Apr 2020   Last Updated : 19 May 2022   Content Ref: TEC7296151  





Symptoms

You have RM Unify with a Microsoft® 365™ domain federated and Microsoft Teams enabled. You have Microsoft 365 tiles installed to your users' Launch Pads which are single sign-on (SSO) tiles. When your users click one of the official Microsoft 365 tiles, they are immediately signed in to Microsoft 365 as expected.

However, there is no tile for Microsoft Teams available in the App Library. You manually create an establishment (link) tile for Teams but end users clicking the tile find they are prompted to sign in to Microsoft 365, rather than being automatically transferred to Teams.



Cause

It is not possible to create a (smooth) direct link to Microsoft 365 services, unless the service supports a domain hint parameter. When you hit a Microsoft 365 service, it redirects to Azure AD to authenticate the user and start a session. The browser, at that point, must then tell Azure AD which domain name the user is from, else the user cannot be directed to RM Unify for sign in - this is called 'home realm discovery'. If there is nothing in the URL, or in a cookie, that can inform Azure AD, then the user is asked to provide their email address (i.e. presented with a Microsoft authentication prompt).

Automatic 'home realm discovery' is possible with Microsoft 365 services such as Microsoft Outlook and SharePoint, for example, but not with Yammer or Teams.



Requirements

It is possible, however, to create a bespoke 'deep link' establishment tile for your RM Unify establishment, which will authenticate your users with Microsoft 365 Azure AD using RM Unify's single sign-on and redirect them to Teams without a further prompt to sign in.

You will require:

  • Microsoft Teams to be enabled, licensed and accessible in the tenancy for your Microsoft 365 users.
  • SharePoint admin access for your Microsoft 365 tenancy.
  • An RM Unify Super Admin, or Launch Pad admin, user to create the establishment tile.


Procedure

The procedure consists of two parts:

  • Create a SharePoint site to host a redirector script.
  • Create an RM Unify establishment tile, configured to transfer users to the redirector SharePoint page.

Create the SharePoint site
  1. Go to https://admin.microsoft.com and sign in as a Global Admin.
  2. Select Show All and under Admin Centers, select SharePoint.
  3. Select Settings, scroll to the bottom of the page and click the 'classic settings page' link.
  4. Scroll down to the Custom Script section.
  5. Ensure that the 'Allow users to run custom script on personal sites' and 'Allow users to run custom script on self-service created sites' boxes are ticked.
  6. Select OK if you have made any changes.
  7. Return to the SharePoint Admin Center.
  8. In the left-hand pane, under Sites, select 'Active sites' and click Create.
  9. Select 'Team site' and enter the site name, e.g. TeamsRedirector.
  10. Set the Group Owner as the Global Admin user you signed in as and ensure that the language selected is English.
  11. Select Advanced Settings, set the Privacy Settings to 'Private', set the Time Zone to UTC Dublin Edinburgh Lisbon London and click Next.
  12. Leave the members list empty and click Finish.
  13. Open a Windows® PowerShell® window and run the following command to install/update the SharePoint Management PowerShell Module:

Install-Module -Name Microsoft.Online.SharePoint.PowerShell

  14. Click OK to accept the repository warning.
  15. If you receive a warning that the module is already installed, please continue.
  16. Run the following commands, inserting the information relevant to your tenancy:

$adminUserID="<M365_Global_Administrator>"

$userCredential = Get-Credential -UserName $adminUserID -Message "Enter password"

Connect-SPOService -Url https://<Tenancy_Name>-admin.sharepoint.com/ -Credential $userCredential

Set-SPOsite "https://<Tenancy_Name>.sharepoint.com/sites/TeamsRedirector" -DenyAddAndCustomizePages 0

  17. Find the new TeamsRedirector site in the list of Active Sites (use the search box on the top right-hand side, if required) and select it.
  18. Select the URL '…/sites/TeamsRedirector'.
  19. If prompted to start designing your site, select the X on the top right-hand side to close the window.
  20. If the next step sidebar appears, select the X on the top right-hand side to close the window.
  21. On the top right-hand side of the page, select Edit.
  22. In each web part, click the down arrow icon and select Delete to delete the web part, leaving a blank page.
  23. Click Save.
  24. From the left-hand menu, select Pages, click New, Web Part Page and name the web part page as TeamsRedirectorPage.
  25. For the Layout Template, select Full Page, Vertical.
  26. Under Save Location, Document Library, click the down arrow icon and select Site Pages.
  27. Select Create. The new page will open automatically.
  28. Click 'Add a Web Part'.
  29. From Categories, select 'Media and Content' and from Parts, select 'Script Editor'. Click Add.
    Note: If you don't see the Script Editor part listed, re-check step 5 above and check that your M365 account is set as a site admin for the TeamsRedirector site.
  30. In the Script Editor web part, select EDIT SNIPPET, paste in all of the script given below and click Insert:

***START CONTENT***
 We are now redirecting you to your site...
 <div id="destinationURLFromQueryString">.</div>
 If this page stays, the redirect has failed :(
 
 <SCRIPT type="text/javascript">
 var destination = getParameterByName("destination");
 // show the destination as plain text; query-string input must not be written to innerHTML
 document.getElementById('destinationURLFromQueryString').textContent = destination;
 
 var allowedDestinations = ['https://teams.microsoft.com'];
 
 if (destination && urlIsSafeDestination(destination, allowedDestinations))
 {
    // send them to the destination :)
    window.location.href = destination;
 }
 
 function getParameterByName(name, url) {
     if (!url) url = window.location.href;
     name = name.replace(/[\[\]]/g, "\\$&");
     var regex = new RegExp("[?&]" + name + "(=([^&#]*)|&|#|$)"),
         results = regex.exec(url);
     if (!results) return null;
     if (!results[2]) return '';
     return decodeURIComponent(results[2].replace(/\+/g, " "));
 }
 
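 function urlIsSafeDestination(url, allowedDomains) {
    var length = allowedDomains.length;
    while (length--) {
       var allowed = allowedDomains[length];
       // accept only the allowed origin itself, or the allowed origin followed by
       // a path, query or fragment; a bare prefix match would also accept any
       // host name that merely begins with the allowed string
       if (url === allowed ||
           url.indexOf(allowed + '/') === 0 ||
           url.indexOf(allowed + '?') === 0 ||
           url.indexOf(allowed + '#') === 0) {
          return allowed;
       }
    }
    return null;
 }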
 </SCRIPT>

***END CONTENT***

  31. On the top left-hand side, select Stop Editing.
  32. In the very top navigation bar, select the Settings 'cog' icon and click 'Site settings', 'Site permissions'.
  33. Select 'Advanced permissions settings', TeamsRedirector Visitors and then click New.
  34. In the top box, type Everyone and select 'Everyone except external users'.
  35. Select SHOW OPTIONS, clear the 'Send an email invitation' box and click Share.
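
The allowedDestinations list in the redirector script is what stops the page forwarding signed-in users to arbitrary sites, so it has to match the whole origin and not just the start of the string. The following is an added example, not part of RM's script: it runs a bare prefix test and an exact-origin test over the same destinations. The hosts under .example are constructed test inputs, and the code assumes a runtime with the standard URL API.

```javascript
// Added example, not RM's script. Hosts under .example are constructed test inputs.
var ALLOWED_ORIGINS = ['https://teams.microsoft.com'];

// Prefix test: true when the destination merely begins with an allowed string.
function prefixCheck(destination, allowed) {
  return allowed.some(function (a) { return destination.indexOf(a) === 0; });
}

// Origin test: parse the destination and compare scheme + host + port exactly.
function originCheck(destination, allowed) {
  var parsed;
  try {
    parsed = new URL(destination);
  } catch (e) {
    return false; // relative or malformed values are rejected
  }
  return allowed.indexOf(parsed.origin) !== -1;
}

var samples = [
  'https://teams.microsoft.com',                    // the value used by the tile
  'https://teams.microsoft.com/_#/school/',         // a path inside Teams
  'https://teams.microsoft.com.lookalike.example/', // different host, same prefix
  'https://teams.microsoft.com@lookalike.example/', // prefix is userinfo, not the host
  '/sites/TeamsRedirector'                          // relative value, no origin at all
];

// Run both checks over every sample so the differences are visible side by side.
function compare(list) {
  return list.map(function (d) {
    return {
      destination: d,
      prefix: prefixCheck(d, ALLOWED_ORIGINS),
      origin: originCheck(d, ALLOWED_ORIGINS)
    };
  });
}

console.table(compare(samples));
```
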

Create the RM Unify establishment tile
  1. Copy the URL of the new TeamsRedirector SharePoint site and paste it into Notepad for further use in the following steps.
  2. Log on to RM Unify as a Super Admin or Launch Pad admin, browse to the App Library and select Add.
  3. Give an appropriate Title (Subtitle and Description are optional) and upload an Image as desired.
  4. Enter the following for the Address (URL):

    https://login.microsoftonline.com/login.srf?wa=wsignin1.0&wp=MBI_KEY&wreply=https%3A%2F%2FXXXXXXXX%2Fsites%2FTeamsRedirector%2FSitePages%2FTeamsRedirectorPage.aspx%2F%3Fdestination%3Dhttps%3A%2F%2Fteams.microsoft.com%26auth%3D2%23&whr=YYYYYYYY&CBCXT=out
    • 'XXXXXXXX' is your tenancy name, e.g. stmarys.sharepoint.com
    • 'YYYYYYYY' is your Microsoft 365 domain name, e.g. stmarys.sch.uk
  5. Click OK and install the tile for the desired Roles and Launch Pads.
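
The Address (URL) above carries a second URL, percent-encoded, inside its wreply parameter, which is easy to break when editing by hand. The following added example (not RM's code; the function names are hypothetical) builds the address from the two site-specific values, rejecting anything that is not a plain host name, and decodes it again to show what each hop receives. The sample values are the ones given in the bullets above.

```javascript
// Added example, not RM's code. Builds the tile Address (URL) from the two
// site-specific values so the nested percent-encoding is done by the runtime.
var REDIRECT_PAGE = '/sites/TeamsRedirector/SitePages/TeamsRedirectorPage.aspx/';
var HOSTNAME = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

function buildTileUrl(tenancyHost, m365Domain) {
  // Reject anything that is not a plain host name (no scheme, path or encoded characters).
  if (!HOSTNAME.test(tenancyHost) || !/\.sharepoint\.com$/i.test(tenancyHost)) {
    throw new Error('tenancy host must look like <name>.sharepoint.com');
  }
  if (!HOSTNAME.test(m365Domain)) {
    throw new Error('Microsoft 365 domain must be a plain domain name');
  }
  var wreply = 'https://' + tenancyHost + REDIRECT_PAGE +
               '?destination=https://teams.microsoft.com&auth=2#';
  return 'https://login.microsoftonline.com/login.srf?wa=wsignin1.0&wp=MBI_KEY' +
         '&wreply=' + encodeURIComponent(wreply) +
         '&whr=' + m365Domain + '&CBCXT=out';
}

// Decode a tile URL back into the values each hop will see.
function inspectTileUrl(tileUrl) {
  var outer = new URL(tileUrl);
  var wreply = new URL(outer.searchParams.get('wreply'));
  return {
    homeRealm: outer.searchParams.get('whr'),               // domain hint for sign-in
    redirectorPage: wreply.origin + wreply.pathname,        // SharePoint page with the script
    destination: wreply.searchParams.get('destination')     // value the script validates
  };
}

var tile = buildTileUrl('stmarys.sharepoint.com', 'stmarys.sch.uk');
console.log(tile);
console.log(inspectTileUrl(tile));
```
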


Checks

RM Unify users should now be able to click the tile and be logged on to the Microsoft Teams browser app.


Possible Issues

  • Before accessing Microsoft Teams via the Teams Redirector tile, the user's Microsoft 365 account must already have its time zone and keyboard language settings configured, i.e. the user must have previously logged on to Microsoft 365 and saved their selections.
  • This process does not work with Incognito or InPrivate browser sessions.
  • In some cases, the SharePoint page hosting the Script Editor web part may need to be devoid of any and all other web parts, i.e. they need to be deleted from the page.

