Technical readiness
After completing the steps below, please fill out the Technical Readiness Questionnaire to initiate deployment.
Licensing
Altus utilises Microsoft 365 products to provide a best-in-class user experience. You may already be using these products, or may need to source additional licenses. We can help you acquire additional licenses if needed.
As an overview, Altus utilises the following Microsoft technologies from which the license requirements can be derived.
Each Altus User and the Altus deployment account requires:
- Power Apps license (per user license, or per app pass acquired direct or through Azure PAYG)
- Power BI Pro, or organisational Power BI premium capacity.
- Microsoft 365 license that grants access to Microsoft Teams; E1, E3, E5, others.
Note
We recommend the Power Apps per user license at least for the key users and the Altus deployment account. End users can be covered by per app passes, but additional administration is required to manage the assignment of per-app passes to users. More information can be found on the Microsoft About Power Apps per app plans page.
In addition, the Power Apps for Office 365 license does not meet the requirement for the necessary Power Apps license. Please see above for the acceptable Power Apps options.
Warning
Please do not use Trial licenses to satisfy any of these requirements.
Additional licensing scenarios
Looking at this from a role-based perspective:
Optional auxiliary roles:
1 – License multiplexing rules for external systems may apply and often require end-users/consumers of data from those systems to hold an end user license. Contact the third party vendor for more information on their individual licensing requirements.
2 - Collaboration via Teams excluding the Altus Teams application.
3 - Viewing Power BI reports requires a Power BI license.
4 - Guest access via Teams and SharePoint has limitations and additional tenant requirements.
5 – AAD Guest access to the Altus Teams & Power App is not currently supported, but is likely to be enabled by a future update.
* - At least one Power Apps Per User or Power Automate Per User license is required to deploy any Power Automate Flows that consume premium connectors. Power Apps per app users cannot be the owner of Power Automate Flows that utilise Premium connectors as the Flows will be disabled every 7 days.
Note
We only provide indicative general licensing advice, consult your Microsoft licensing advisor to confirm the specific licensing costs/requirements for your deployment.
Licensing FAQ
Can my organization use pay-as-you-go plan licensing for Power Apps?
Yes. Pay-as-you-go is an alternative licensing plan for Power Apps. Microsoft provides documentation on this option here.
In order to set up this option for licensing your users to use Altus, organizations should follow the Microsoft documentation here.
Note
In our experience, the “PowerApps per app baseline access” license was still needed for users accessing Altus. If this license type is not enabled in your tenant, please click this link.
Can I use Power BI Free instead of Pro or Premium?
The shared and embedded reports in Altus require all end-users to have either a Power BI Pro license or to be hosted in a Power BI Premium capacity.
From Microsoft: "With sharing, whether you share content inside or outside your organization, you need a Power BI Pro license. Your recipients also need Power BI Pro licenses, unless the content is in a Premium capacity."
Can my organization use trial licensing for Altus?
No. Please invest in appropriate valid licensing as requested. Having trial licenses expire during the deployment or rollout is undesirable. The use of non-trial licenses is a requirement of Altus technical readiness.
Does the Power Apps license provide my end-users with Power Automate capabilities?
The Microsoft Power Apps license allows Power Automate Flows to be used in conjunction with the Power App.
From Microsoft: "In the original introduction of the new licensing and as a consequence of the older model, it was thought that a separate license would be required for a Power App to use a Power Automate Flow when, in fact, it is only the cost of the Power App that will apply even if the Premium connector is only accessed via the flow. The key guidance here is to understand the use case of the flow itself whether it is created to service the app or if it is the type that is expected to be shared or used outside of the application as it will then be a case of selecting the appropriate Power Automate license."
I'm confused by Power Apps per app plan license usage, can you help?
When using a Power Apps per app plan, you need to do the following things:
- Purchase the Power Apps per app plan licenses in the quantity required.
- Allocate the app passes to the environment in which the app will be used. This is done using Resources > Capacity > Add-ons.
- Ensure that you've granted each user PowerApps per app baseline access under Licenses and apps.
Microsoft has additional documentation on Power Apps per app plan usage here: About Power Apps per app plans.
If your company purchases licenses through a third party, it's possible that the user license for PowerApps per app baseline access won't be added to your M365 tenant. If this is the case, you can add that license type to your tenant by clicking this link. You'll then need to confirm that your users have the PowerApps per app baseline access license applied in the M365 admin center, and add it if they do not.
Licenses for external execution and scheduling tools
For licensing information regarding any external execution or scheduling tools that an organization may choose to sync with Altus, please refer to the licensing information published by those software providers. For Project Online and Project for the Web see the service description from Microsoft here.
Tenant functionality
Altus utilises content, components and existing functionality of your Microsoft 365 installation to deliver the Altus experience.
Altus is tested to work with Microsoft 365 in the default configuration issued by Microsoft. However, after receiving the Microsoft 365 tenant, customers can disable key functionality that Altus needs to function correctly.
Altus relies on the following technologies within Microsoft 365:
- Internet access for users
- User driven M365 group creation
- Power BI workspaces
- Power Automate
- Microsoft Graph
- Teams Custom app installation
- Exchange Online
Internet access
This is a software as a service product delivered from our presence on the internet, and as such end-users will require internet access.
Services are delivered from URLs including (but not limited to):
- Microsoft Office 365
- *.office.com
- *.microsoft.com
- *.powerapps.com
- Dynamics:
- *.dynamics.com
- Sensei:
- *.altus.pro
- *.sensei.cloud
- *.userback.io
- dc.services.visualstudio.com
Please ensure there are no proxy servers or firewalls preventing direct access to the above domains or sub-domains.
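One way to check a proxy or firewall against this list is to scan its deny log for hosts that fall under the required domains. The following is an added example, not part of the Altus documentation: the log format, the sample lines and the host names in them are constructed for illustration, and a wildcard entry is treated as covering the domain itself and any sub-domain.

```python
import re
from collections import Counter

# Domains copied from the list above. "*.x" is treated as x and any
# sub-domain of x, following "the above domains or sub-domains".
REQUIRED = [
    "*.office.com", "*.microsoft.com", "*.powerapps.com", "*.dynamics.com",
    "*.altus.pro", "*.sensei.cloud", "*.userback.io",
    "dc.services.visualstudio.com",
]


def matching_rule(host, rules=REQUIRED):
    """Return the first rule that covers host, or None.

    Matching is done on a label boundary, so notdynamics.com is not
    mistaken for a sub-domain of dynamics.com.
    """
    host = host.lower().rstrip(".")
    for rule in rules:
        if rule.startswith("*."):
            base = rule[2:]
            if host == base or host.endswith("." + base):
                return rule
        elif host == rule:
            return rule
    return None


# Hypothetical proxy log format, constructed for this example:
# <timestamp> <ALLOWED|DENIED> <METHOD> <host>:<port>
LINE = re.compile(r"^\S+\s+(ALLOWED|DENIED)\s+\S+\s+([A-Za-z0-9.-]+):(\d+)\s*$")

# Constructed sample lines; the host names are illustrative only.
SAMPLE_LOG = """\
2024-05-01T09:12:41Z ALLOWED CONNECT teams.microsoft.com:443
2024-05-01T09:12:44Z DENIED CONNECT org0000000.crm.dynamics.com:443
2024-05-01T09:12:45Z DENIED CONNECT api.userback.io:443
2024-05-01T09:12:47Z DENIED CONNECT notdynamics.com:443
2024-05-01T09:12:52Z DENIED CONNECT DC.Services.VisualStudio.com:443
2024-05-01T09:13:02Z DENIED CONNECT org0000000.crm.dynamics.com:443
malformed line
"""


def blocked_required_hosts(log_text):
    """Count denied requests per (rule, host) for hosts Altus needs."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(1) != "DENIED":
            continue  # skip allowed traffic and unparseable lines
        host = m.group(2).lower()
        rule = matching_rule(host)
        if rule:
            hits[(rule, host)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (rule, host), count in sorted(blocked_required_hosts(SAMPLE_LOG).items()):
        print(f"{count:3d} denied  {host}  (required by {rule})")
```

Any entry reported here is a required destination that the proxy is currently blocking and needs an allow rule.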
Note
Microsoft are planning on changing many of these URLs over to sub-domains of *.cloud.microsoft. More information is available from Microsoft.
Microsoft 365 group creation
By default all Microsoft 365 users can create Microsoft 365 Groups, however some organisations choose to disable this feature.
Microsoft Project for the Web (and other Microsoft tools such as Teams, Roadmap, Planner, Power BI, Stream, etc.) utilise Microsoft 365 Groups to provide key functionality.
Altus utilises Microsoft 365 groups to:
- Define the list of people who are working on each project and define who can be assigned tasks in the schedule.
- Define who can see the items inside Altus associated with the project such as risks and issues.
- Store documents and provide a collaboration space in the SharePoint site collection.
In the event that group creation is prohibited, groups can be pre-created by an administrator, and users can then associate their projects to existing groups if necessary. However, the gating/approval process around Microsoft 365 Group creation is outside the scope of Altus.
Microsoft Graph
The Microsoft Graph is an API that allows integration between Microsoft 365 applications, and in the case of Microsoft 365 groups and teams is the only API available.
Altus utilises the Microsoft Graph API to provide integration between Power Apps, groups and teams.
Power BI Workspaces
Power BI stores reports in workspaces. By default all Power BI users can create workspaces, however some customers choose to disable this feature.
Altus utilises Power BI to deliver shared reports that form part of the application. During deployment we will put these shared reports in a dedicated workspace to keep them separate from other reports in the environment.
To do this we will create the following Power BI workspaces:
- Altus - orgXXXXXXX
- Altus (Test) - orgXXXXXXX
It is recommended that Power BI workspace creation not be disabled for the Altus deployment account.
Power Automate (Flow)
Power Automate is a Microsoft service that forms part of your M365 tenant and is utilised by Altus to provide workflow capabilities. The deployment engineer will create the following connections in the nominated named Power Platform environment. If you have a DLP policy defined for the environment, please ensure that the following connections are allowed:
* - At least Power Apps Per User or Power Automate Per User licenses are required to deploy any Power Automate Flows that consume premium connectors. Power Apps per app users cannot be the owner of Power Automate Flows that utilise Premium connectors as the Flows will be disabled every 7 days.
Teams custom app deployment
By default Teams provides the ability for users to add Apps from the published store or to add custom apps to the environment. Customers can choose to disable the extensibility features in Microsoft Teams.
Altus comes with a Custom Teams App that will be added to the Teams deployment to provide integration features between Power Apps, SharePoint and Teams.
To allow this to occur, Custom Teams Apps must not be disabled (default setting), or at least the Altus App must be specifically allowed by the governance policies in Microsoft 365:
Exchange Online
There are various workflows within Altus that will attempt to send users emails. This is done via the Exchange Online functionality of Microsoft 365 because the transmissions of the emails within the Exchange infrastructure (not SMTP) are assumed to be protected/encrypted.
If your organisation doesn't use Exchange Online, these workflows can be amended to use SMTP to external email providers at your option. This would be done via an additional engagement and with your consent that the content transmitted via email would not be encrypted.
Granting consent
Altus is a software as a service offering integrated with your Microsoft 365 tenant, and will require consent for deployment and continued operation. To facilitate this, an administrator will need to grant consent for the Altus software to work in conjunction with your Microsoft 365 tenant.
To provide consent, click the links below, and agree to the terms on the dialog displayed. Example screenshots of the dialogs are provided. When this is completed a Service Principal will be added to your Azure AD. A Service Principal is nothing more than an identity which will be used by our service to interact with your tenant. You can revoke this consent at any time through the Azure AD Portal Enterprise App Registrations.
Deployment
Altus will need to be initially deployed, as well as being updated from time to time to provide fixes and new functionality as part of the subscription. To do this a Service Principal is used for deployment that is separate from the other operational identities.
To allow this to occur an M365 administrator must click on the following link:
Grant consent to the Altus Deployment
Note
The blue tick mark next to Altus indicates that this identity is a Verified Publisher and managed by a Microsoft Certified Partner.
Microsoft Teams App
One of the major components of Altus is the integrated Teams experience. This is achieved via a Teams custom App. The permissions required are extensive; however, this stems from the functionality provided:
- Summarises data from the Dataverse.
- Reads SharePoint site collection destinations associated to projects to allow intuitive navigation.
- Automates the creation of channels within Teams to provide an organised approach to project collaboration when M365 Group creation is limited.
- Reads the set of files in SharePoint site collections connected to the project to re-present it within the PowerApp for the user's convenience.
To provide this functionality, the Teams app must connect both to the Microsoft Graph and the Microsoft Dataverse services.
To allow this to occur an M365 administrator must grant consent to the Altus Teams App:
Grant consent to Altus Applications
Note
The blue tick mark next to Altus indicates that this identity is a Verified Publisher and managed by a Microsoft Certified Partner.
Delegated permissions
The permissions in the above dialog are known as delegated permissions:
Delegated permissions are the subset of both the current user permissions and the application permissions.
Granting delegated permissions:
- Does not grant the application any permission by itself, a user must always be present.
- Does not grant the user permission to do anything they couldn't already do without the app.
- Is a filter that controls what the application can do on the user's behalf.
- Doesn't change the security posture of the Microsoft 365 tenant other than to trust Altus software to work on behalf of the users to perform actions they could already do manually.
More information about delegated permissions.
Altus Hub
Altus also has a website called Sensei Hub which is a centre for self-service access to end-users to monitor and make changes to their subscription services. This website utilises your own Azure AD to log in users from your Microsoft 365 tenant. This way Altus never stores any passwords for your users but is able to cryptographically verify their identity.
To allow this to occur an M365 administrator must grant consent to the Altus Hub app by navigating to the following: Grant consent to Sensei Hub.
Handling disabled user consent
Warning
If your tenant has turned off the ability for users to grant consent for applications, an administrator will be needed to grant consent to the Altus Hub application for all users via the following process.
- Verify your current User and Consent settings for Enterprise Applications
- Navigate to Enterprise Applications in your Azure Active Directory
- Click on Consent and permissions under the Security heading.
- Verify if User Consent is turned off by default for all Apps.
If user consent is disabled as pictured, an administrator will need to perform the following steps:
- Click the following link to bring up the consent dialog to grant consent to the Altus Hub App: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?scope=b861dbcc-a7ef-4219-a005-0e4de4ea7dcf%2Fuser_impersonation+00000007-0000-0000-c000-000000000000%2Fuser_impersonation+475226c6-020e-4fb2-8a90-7a972cbfc1d4%2Fuser+openid+profile+offline_access&response_type=code&client_id=1582c5df-e611-4e8a-80f4-fce07b9148ef&redirect_uri=https%3A%2F%2Fsensei.cloud%2Fconsentsuccess.html&client-request-id=81bc5808-f498-4065-ab68-a9c807e51b0c&x-client-SKU=MSAL.NetCore&x-client-Ver=4.21.1.0&x-client-OS=Microsoft+Windows+10.0.14393&prompt=select_account.
Ensure that the checkbox is selected as below and press Accept.
Note
This is necessary because the governance setting above prevents the Deployment Account from individually consenting to the delegated permissions necessary for the Altus Hub deployment process, so the solution is to pre-consent for all users in the organisation.
- You should now see the following success screen:
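Before an administrator accepts a tenant-wide consent dialog, it is worth decoding the link to see which application, redirect target and scopes it names. The following is an added example, not part of the Altus documentation: it parses the consent link published in the step above, and it assumes the expected application ID is the client_id in that link and that the redirect must land on sensei.cloud, one of the service domains listed under Internet access.

```python
from urllib.parse import urlsplit, parse_qs

# Consent link as published in the step above.
CONSENT_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?scope=b861dbcc-a7ef-4219-a005-0e4de4ea7dcf%2Fuser_impersonation"
    "+00000007-0000-0000-c000-000000000000%2Fuser_impersonation"
    "+475226c6-020e-4fb2-8a90-7a972cbfc1d4%2Fuser+openid+profile+offline_access"
    "&response_type=code&client_id=1582c5df-e611-4e8a-80f4-fce07b9148ef"
    "&redirect_uri=https%3A%2F%2Fsensei.cloud%2Fconsentsuccess.html"
    "&client-request-id=81bc5808-f498-4065-ab68-a9c807e51b0c"
    "&x-client-SKU=MSAL.NetCore&x-client-Ver=4.21.1.0"
    "&x-client-OS=Microsoft+Windows+10.0.14393&prompt=select_account"
)

# Assumptions for this example, both taken from this page.
EXPECTED_CLIENT_ID = "1582c5df-e611-4e8a-80f4-fce07b9148ef"
ALLOWED_REDIRECT_HOSTS = {"sensei.cloud"}

# Standard OpenID Connect scopes; everything else is a resource permission.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def host_in(host, allowed):
    """True if host equals an allowed domain or is a sub-domain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def review_consent_url(url, expected_client_id, allowed_redirect_hosts):
    """Decode an authorize link and list anything that differs from expectations."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    redirect = urlsplit(query.get("redirect_uri", ""))

    resources, oidc = {}, []
    for scope in query.get("scope", "").split():
        if scope in OIDC_SCOPES:
            oidc.append(scope)
        else:
            # "<resource>/<permission>"; the resource may itself contain "/".
            resource, _, permission = scope.rpartition("/")
            resources.setdefault(resource or "(unqualified)", []).append(permission)

    findings = []
    if parts.scheme != "https" or parts.hostname != "login.microsoftonline.com":
        findings.append("authorize endpoint is not https://login.microsoftonline.com")
    if query.get("client_id") != expected_client_id:
        findings.append("client_id differs from the expected application ID")
    if redirect.scheme != "https" or not host_in(redirect.hostname, allowed_redirect_hosts):
        findings.append("redirect_uri is not HTTPS on an expected host")

    return {
        "client_id": query.get("client_id"),
        "redirect_host": redirect.hostname,
        "resources": resources,
        "oidc_scopes": oidc,
        "findings": findings,
    }


if __name__ == "__main__":
    report = review_consent_url(CONSENT_URL, EXPECTED_CLIENT_ID, ALLOWED_REDIRECT_HOSTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The `resources` entry lists each resource application ID with the delegated permission requested on it, which is what the consent dialog will ask the administrator to approve for all users.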
Create an environment
A new, dedicated, production Power Platform environment is required to host Altus. This gives your organization control over security and additional management tasks when maintaining the solution and environment.
Note
While it is possible to deploy Altus into a pre-existing environment with other Dynamics 365 and 3rd party Apps, this is not a scenario we actively test, or support.
Altus is deployable into certain types of Power Platform environments:
Environment type | Altus deployable? |
---|---|
Production (recommended) | ✅ |
Default | ❌ |
Sandbox | ✅ |
Trial | ✅ |
Developer | ❌ |
Dataverse for Teams (Oakdale) | ❌ |
Create a new environment from the Power Platform admin center.
- Set the type to Production.
- Create the environment with a Dataverse database.
- Ensure the region is aligned with your tenant and user locations.
- Do not enable Dynamics 365 apps.
Warning
Once the environment has been created and Altus has been deployed, please DO NOT change the URL. This could orphan the environment and prevent updates from being applied. If you do need to change the URL after deployment, please collaborate with your engagement lead.
For more information on how to complete these tasks, review the documentation on Microsoft docs here: https://docs.microsoft.com/en-us/power-platform/admin/create-environment#create-an-environment-with-a-database
Create Office365/Security Groups
We recommend the usage of Office365 and Security Groups to ease the administrative burden of user and security permissions.
For proper deployment and full access to the RLS (Row Level Security) features within the Altus Power BI reports we recommend at minimum two Security groups plus N Security/Office365 groups for user administration (where N is the logical grouping of users as per the client's request).
For the deployment guide we are going to employ the following group setup.
Recommended/Required | Name | Security Group | Office365 Group | Linked To Dataverse Team? | Security Roles | Purpose |
---|---|---|---|---|---|---|
Required | Altus General | ✓ | ✗ | ✗ | ✗ | Power BI RLS Administration for overview users. |
Required | Altus Work | ✓ | ✗ | ✗ | ✗ | Power BI RLS Administration for Altus work users. |
| Altus Project Users | ✓ | ✓ | ✓ | | Dataverse/Altus administration for project users. |
| Altus Portfolio Users | ✓ | ✓ | ✓ | | Dataverse/Altus administration for portfolio users. |
Altus General Security Group
This security group is to be used for administration of Power BI reports, specifically any users part of this group will be able to see information within the reports according to their business units and/or direct access to relevant records.
Altus Work Security Group
This security group is to be used for administration of Power BI reports, specifically this group should be populated with users who need access to the Altus Work report only.
Note
Being part of both Power BI Security Groups will cause the reports to show information according to your highest security. E.g., if a user is part of both Altus General and Altus Work, when viewing the Altus Work report, they will see information for all users.
Altus Project Users (Example)
This security/Office365 group is to be used for the administration of Altus users, specifically any users who should have the permissions defined for the Altus Project User role.
Altus Portfolio Users (Example)
This security/Office365 group is to be used for the administration of Altus users, specifically any users who should have the permissions defined for the Altus Portfolio User role.
Deployment account
To enable the deployment engineer to perform the interactive activities necessary to deploy Altus to your environment, we require at least temporary access via a deployment account.
Requirements for the deployment account include:
- Must be accessible externally (from the internet)
- Must not be a guest account, as guest accounts cannot be used with all the features of Power Apps at this time. i.e. the account must be created in the same Azure Active Directory as the target M365 tenant.
- Licensed as per an end-user (see license section above). Power Apps Per User license is recommended for this account to make use of the Power Automate Flows that are included with Altus for notifications and approvals.
- Dynamics permissions: The deployment account will require System Administrator permission within the target Power Platform environment for deployment and customization activities.
- Teams Administrator: To allow us to deploy the Teams application and configuration policy for your users we require access to the Teams admin portal. To do this grant the deployment account access in the Office Admin Centre. This is a once-off activity that could also be completed by the customer IT governance team if desired.
Decommissioning the deployment account
While it is possible to decommission the Deployment Account post-deployment of Altus, there are some considerations to note as detailed in Reference here: Decommission or Update the Deployment Account
Warning
To prevent system downtime, please work with your engagement lead before either disabling the Deployment Account or changing the password for the Deployment Account.
Infrastructure considerations
Browser support
Altus broadly has the same browser support as the Microsoft 365 Platform.
In summary:
- Preferred Microsoft Edge: Latest version (Chromium based version)
- Chrome and Safari: Latest version (Note: Safari has a known issue with cross site scripting)
- Microsoft Edge legacy browser: Potentially works, is unsupported from March 2021.
- Microsoft IE11: Unsupported.
- Firefox: Potentially works, but not guaranteed.
Popup blocking
There are several authentication windows throughout the solution that require popping up windows in the browser. This typically needs either:
- The user to enable the popup windows when they encounter them.
- Group policy to enable popups for all or a group of users.
The popup windows will be targeting the Dynamics organisation URL. This usually takes the form of: https://orgXXXXXXXX.crmY.dynamics.com/ (We will let you know the exact URL if this change is required)
Third-party cookies
The Power BI sign-in button will appear on embedded reports within the application. For this to work, you must have a Power BI license and you must have your browser settings set to not "Block third-party cookies".
This is the default setting for most browsers. (Note: When using Chrome incognito mode, third-party cookies are blocked by default. As a result, this will need to be modified in Chrome settings.)
Azure AD conditional access
The Altus Teams integration, document tabs, groups and graph integration rely on the end-user authenticating to Azure AD. If this is prevented by Azure AD conditional access, a functionality deficit should be expected.
There are many governance policy settings available to M365 administrators that can cause Altus functionality to fail. As with all governance options, care should be taken not to introduce policies that will cause a negative experience for end users.
Altus utilises 3 service principals:
- Sensei Hub
- Altus Deployment
- Altus Applications
Applying policies that affect these should be done carefully as it could cause a negative effect on the end user experience.
Note
As at May 2021, Azure AD conditional access is incompatible with the Teams desktop client when using Altus and Microsoft provided tabs such as Power BI, Forms, VSTS, PowerApps, and SharePoint List. https://docs.microsoft.com/en-us/microsoftteams/troubleshoot/known-issues/tabs-dont-work-after-enabling-conditional-access
Software Considerations
The following items need to be provided/provisioned as part of the post-installation configuration of Altus:
Basic Requirements
- Visual Studio Code
- Visual Studio 2019
- SQL Server Data Tools
- Dynamics 365 Report Authoring Tools
- Power BI Desktop
- Office 365 - Outlook (test approvals and transfer files if needed)
- XrmToolbox w/ extensions
- Plugin Registration
- Ribbon Workbench
- Solution Layers Explorer
Browser Extensions:
- Userback
- Dynamics 365 Power Pane
- Level up for Dynamics 365/Power Apps
Optional Requirements
- Project Professional
- SQL Server Management Studio
Optional XrmToolbox Extensions
- Access Checker
- Advanced Component Comparer
- Attribute Bulk Updater
- Attribute Usage Inspector
- Attributes Factory
- Audit Center
- BPF Manager
- Bulk Data Updater
- Bulk Form Attribute Manager
- Bulk Workflow Execution
- Clone Field Definitions
- Code Now
- CRM Trace Reader
- Custom Attributes Name Checker
- Document Templates Mover
- Environment Process Comparer
- Environment Variables Manager
- FLS Bulk Updater
- Form Libraries Manager
- Form Parameter Manager
- Iconator
- Manage NN Relationships
- Managed Solution Deletion Tool
- Metadata Browser
- Metadata Document Generator
- Plugin Registration
- Plugin Trace Viewer
- Polymorphic Lookup Manager
- Power BI option-Set Assistant
- Privileges Discovery
- Ribbon Workbench
- Role Updater
- Script Finder
- SiteMap Editor
- Solution Components Mover
- Solution Import
- Solution Layers Explorer
- Solution Transfer Tool
- Sync Filter Manager
- UML Diagram Creator
- Unmanaged Active Layer Bulk Remover
- Unmanaged Solution Deleter
- User Roles Manager
- User Settings Utility
- User Views Display Settings
- View Layout Replicator
- View Transfer Tool
- Webresources Manager
Updating Fetch XML Reports
- Visual Studio Enterprise 2019
- Visual Studio Extensions
- v9.0 Dynamics 365 Report Authoring Extension
- XRMToolbox
- Power Platform CLI
- Plugin Registration Tool
Recommended screen resolution
Altus is designed to provide you with the best user experience possible utilising the Power Platform. To enjoy the full functionality and visual quality of the application, we recommend that you use a screen resolution of 1920x1080 pixels (as a recommended minimum). This resolution will allow you to see all the details and features of Altus without any distortion or cropping. If your screen resolution is lower than 1920x1080, you may encounter some issues with layout and performance. Therefore, we suggest that you adjust your screen settings to match our recommended resolution.