Table of Contents

Technical readiness

The goal of Altus Technical readiness is to prepare and clear the way so that a smooth Altus deployment can be performed by your implementation partner. The major points are:

After completing Technical Readiness please fill out this Technical Readiness Checklist to initiate deployment process with your partner.

Licensing

Altus utilises Microsoft 365 products to provide a best-in-class user experience. You may already be using these products, or may need to source additional licenses. We can help you acquire additional licenses if needed.

As an overview, Altus utilises the following Microsoft technologies from which the license requirements can be derived.

The license breakdown for using Altus

Each Altus User and the Altus deployment account requires:

  1. Power Apps license (per user license, or per app pass)
  2. Power BI Pro, or organisational Power BI premium capacity.
  3. A license that grants Microsoft Teams usage. For Microsoft customers prior to April 2024, this is likely an Enterprise series license like E1, E3, E5, others. For new customers Teams must be purchased separately via a Microsoft Teams Enterprise license. More info here...
Note

We recommend the PowerApps Premium (per user) license at least for the key users + the Altus deployment account. End users can be covered by per app passes, but note there is additional administration required to manage the per-app passes to user assignments. More information can be found on the Microsoft about Power Apps per app page
The free Power Apps for Office 365 license does not meet the requirement for the necessary standalone Power Apps license. Please see above for the acceptable Power Apps options.

Warning

Please do not use Trial licenses to satisfy any of these requirements.

Additional licensing scenarios

Looking at this from a role-based perspective:

Table of additional licencing from a role based perspective

Optional auxiliary roles:

Table of optional auxiliary roles

1 – License multiplexing rules from Microsoft and external systems may apply and could require end-users consuming or authoring data to hold additional end user licenses. Contact the relevant third party vendors for more information on their individual licensing requirements. More information about License Multiplexing in Altus.

2 - Collaboration via Teams excluding the Altus Teams application.

3 - Viewing Power BI reports requires a Power BI license.

4 - Guest access via Teams and SharePoint has limitations and additional tenant requirements.

5 – AAD Guest access to the Altus Teams & Power App is not currently supported, but is likely to be enabled by a future update.

* - At least one Power Apps Per User or Power Automate Per User licenses are required to deploy any Power Automate Flows that consume premium connectors. Power Apps per App users cannot be the owner of Power Automate Flows that utilise Premium connectors as the Flows will be disabled every 7 days.

Warning

Use of External/Guest accounts is unsupported. There are known issues with accessing the Microsoft Power Platform, Teams and Altus via External/Guest accounts. While using an External/Guest account some features will be unavailable and performance will be impacted.

Note

We only provide indicative general licensing advice, consult your Microsoft licensing advisor to confirm the specific licensing costs/requirements for your deployment.

Licensing FAQ

Can my organization use pay-as-you-go plan licensing for Power Apps?

Yes. Pay-as-you-go is a alternative licensing plan for Power Apps. Microsoft provides documentation on this option here

In order to set up this option for licensing your users to use Altus, organizations should follow the Microsoft documentation here.

Note

In our experience, the “PowerApps per app baseline access” license was still needed for users accessing Altus. If this license type is not enabled in your tenant, please click this link.

Can I use Power BI Free instead of Pro or Premium?

The shared and embedded reports in Altus require all end-users to have either a Power BI Pro license or to be hosted in a Power BI Premium capacity.

From Microsoft: "With sharing, whether you share content inside or outside your organization, you need a Power BI Pro license. Your recipients also need Power BI Pro licenses, unless the content is in a Premium capacity."

Can my organization use trial licensing for Altus?

No. Please invest in appropriate valid licensing as requested. Having trial licenses expire during the deployment or rollout is undesirable. The use of non-trial licenses is a requirement of Altus technical readiness.

Does the Power Apps provide my end-users with Power Automate capabilities?

The Microsoft Power Apps license allows Power Automate Flows to be used in conjunction with the Power App.

From Microsoft:. "In the original introduction of the new licensing and as a consequence of the older model, it was thought that a separate license would be required for a Power App to use A Power Automate Flow when, in fact, it is only the cost of the Power App that will apply even if the Premium connector is only accessed via the flow. The key guidance here is to understand the use case of the flow itself whether it is created to service the app or if it is the type that is expected to be shared or used outside of the application as it will then be a case of selecting the appropriate Power Automate license."

I'm confused by Power Apps per app plan license usage, can you help?

When using a Power Apps per app plan, you need to do the following things:

  1. Purchase the Power Apps per app plan licenses in the quantity required.
  2. Allocate the app passes to the environment in which the app will be used. This is done using Resources > Capacity > Add-ons.

    The Power Platform Resource Capacity screen
  3. Ensure that you've granted each user PowerApps per app baseline access under Licenses and apps.

    An example of a User screen in Licenses and apps

Microsoft has additional documentation on Power Apps per app plan usage here: About Power Apps per app plans.

If your company purchases licenses through a third party, it's possible that the user license for PowerApps per app baseline access won't be added to your M365 tenant. If this is the case, you can add that license type to your tenant by clicking this link. You'll then need to confirm that your users have the PowerApps per app baseline access license applied in the M365 admin center, and add it if they do not.

Licenses for external execution and scheduling tools

For licensing information regarding any external execution or scheduling tools that an organization may choose to sync with Altus, please refer to the licensing information published by those software providers. For Project Online and Planner Premium see the service description from Microsoft here.

Tenant functionality

Altus utilises content, components and existing functionality of your Microsoft 365 installation to deliver the Altus experience.

Altus is tested to work with Microsoft 365 in the Microsoft issued default configuration, however after receiving the Microsoft 365 tenant it is possible for customers to disable key functionality that is needed for Altus to function correctly.

Altus relies on the following technologies within Microsoft 365:

  • Internet access for users
  • User driven M365 group creation
  • Power BI workspaces
  • Power Automate
  • Microsoft Graph
  • Teams Custom app installation
  • Exchange Online

Internet access

This is a software as a service product delivered from our presence on the internet, and as such end-users will require internet access.

Services are delivered from URLs including (but not limited to):

  • Microsoft Office 365
    • *.office.com
    • *.microsoft.com
    • *.powerapps.com
    • *.cloud.microsoft
  • Dynamics:
    • *.dynamics.com
  • Altus:
  • Complimentary Services:
    • *.userback.io
    • *.productfruits.com
    • productfruits.help
    • dc.applicationinsights.azure.com
    • dc.applicationinsights.microsoft.com
    • dc.services.visualstudio.com

Please ensure there are no proxy servers or firewalls preventing direct access to the above domains or sub-domains.

Warning

This information is provided for informational purposes only. As URLs to dependent services change regularly, URL whitelist approaches are expected to cause end-user outages that will invalidate product SLAs.

Note

Microsoft are planning on changing many of these URL's over to sub domains of cloud.microsoft. More information is available from Microsoft.

Microsoft 365 group creation

By default all Microsoft 365 users can create Microsoft 365 Groups, however some organisations choose to disable this feature.

Microsoft Project for the Web (and other Microsoft tools such as Teams, Roadmap, Planner, Power BI, Stream, etc.) utilise Microsoft 365 Groups to provide key functionality.

Altus utilises Microsoft 365 groups to:

  • Define the list of people who are working on each project and define who can be assigned tasks in the schedule.
  • Define who can see the items inside Altus associated with the project such as risks and issues.
  • Store documents and provide a collaboration space in the SharePoint site collection.

In the event that group creation is prohibited, groups can be pre-created by an administrator, and users can then associate their projects to existing groups if necessary, however the gating/approval process around Microsoft 365 Group creation is outside the scope of Altus.

Microsoft Graph

The Microsoft Graph is an API that allows integration between Microsoft 365 applications, and in the case of Microsoft 365 groups and teams is the only API available.

Altus utilises the Microsoft Graph API to provide integration between Power Apps, groups and teams.

Power BI Workspaces

Power BI stores reports in workspaces. By default all Power BI users can create workspaces, however some customers choose to disable this feature.

Altus utilises Power BI to deliver shared reports that form part of the application. During deployment we will put these shared reports in a dedicated workspace to keep them separate from other reports in the environment.

To do this we will create the following Power BI workspaces:

  • Altus - orgXXXXXXX
  • Altus (Test) - orgXXXXXXX

It is recommended that Power BI workspace creation not be disabled for the Altus deployment account.

Power Automate (Flow)

Power Automate is a Microsoft service that forms part of your M365 tenant utilised by Altus to to provide workflow capabilities. The deployment engineer will create the following connections in the nominated named Power Platform environment. If you will have a DLP policy defined for the environment, please ensure that the following connections are allowed:

Image shows connection approvals
Image shows connection dataverse
Image shows O365 connection
Image shows Teams connection

* - At least Power Apps Per User or Power Automate Per User licenses are required to deploy any Power Automate Flows that consume premium connectors. Power Apps per app users cannot be the owner of Power Automate Flows that utilise Premium connectors as the Flows will be disabled every 7 days.

Teams custom app deployment

By default Teams provides the ability for users to add Apps from the published store or to add custom apps to the environment. Customers can choose to disable the extensibility features in Microsoft Teams.

Altus comes with a Custom Teams App that will be added to the Teams deployment to provide integration features between Power Apps, SharePoint and Teams.

To allow this to occur, Custom Teams Apps must not be disabled (default setting), or at least the Altus App must be specifically allowed by the governance policies in Microsoft 365:

Image shows allow custom teams apps

Exchange Online

There are various workflows within Altus that will attempt to send users emails. This is done via the Exchange Online functionality of Microsoft 365 because the transmissions of the emails within the Exchange infrastructure (not SMTP) are assumed to be protected/encrypted.

If your organisation doesn't use Exchange Online, these workflows can be amended to use SMTP to external email providers at your option. This would be done via an additional engagement and with your consent that the content transmitted via email would not be encrypted.

Altus is deployed into your Microsoft 365 tenant, and will requires consent for deployment and continued operation. To facilitate this, an administrator will need to grant consent for the Altus software to work in conjunction with the Microsoft 365 tenant.

To provide consent, click on the links below, and agree to the terms on the dialog displayed. Example screenshots of each of the expected dialogs are provided.

Altus Deployment

Altus will need to be initially deployed, as well updated regularly. To allow this, consent is given to a Service Principal that is used solely for deployment, separate from the other operational identities.

To consent to deployment an M365 administrator of the tenant must click on the following link:

Grant consent to the Altus Deployment



Image shows the consent deployment

Note

This consent does not grant Altus any permissions by itself. Instead, it allows permissions to be granted to the service principal later, within a dedicated Altus Power Platform environment created in subsequent steps. This ensures that the service principal has no access to additional data or systems while enabling regular patches and updates to be deployed to the environment. Microsoft CRM and Project Operations are updated using the same mechanism.

Altus Applications

Altus provides the user with an experience that integrates with the services provided in your M365 Tenant. This is achieved via making connections to Power BI Reports, the Microsoft Graph and Microsoft Dataverse services.

To allow this to occur and prevent each user from receiving this consent request, an M365 administrator must grant pre-consent to Altus Applications:

Grant consent to Altus Applications

Image shows delegated permissions

Note

This consent is solely for user-delegated permissions (Application Permissions) that the Altus needs to function while the user is present. Granting this consent does not give the application any abilities beyond what the user can do, and it filters what the application can do while the user is present. It cannot be used remotely by Altus and does not confer any additional permissions to end-users. More information about delegated permissions....

Note

The blue tick mark next to Sensei indicates that this identity is a Verified Publisher and is managed by a Microsoft Certified Partner.

Altus Hub

Altus also has a website called Altus Hub which is used to initially deploy Altus as well as a centre for self-service access to end-users to monitor and make changes to their subscription services. This website utilises your own Azure AD to log in users from your Microsoft 365 tenant. This way Altus never stores any passwords for users but is able to cryptographically verify their identity.

To allow this to occur an M365 administrator must grant consent to the Altus Hub app by navigating to the following: Grant consent to Altus Hub .

Image shows consent for the Altus Hub

Note

Altus Hub is for the administrative self-service. This consent is for basic profile information allows us to sign on users and verify the tenancy they are coming from. Only username and basic profile attributes can be read. This allows you to control security via Entra-ID conditional access and prevents us from needing a separate username/password database for your self-service admin users, which could potentially have a greater impact on security posture.

Warning

If your tenant has turned off the ability for users to grant consent for applications, an administrator may be needed to grant consent to the Altus Hub application via the this process.

Consent Overview: Consent must be granted for:

Deployment account

To enable the deployment engineer to perform the interactive activities necessary to deploy Altus to your environment, they will require at least temporary access via an account in the target environment.

Requirements for the deployment account include:

  • Must be accessible externally (from the Internet)
  • Must not be a guest account, as guest accounts cannot be used with all the features of Power Apps at this time. i.e. the account must be created in the same Entra ID Directory as the Power Platform environment.
  • Licensed as per an end-user (see license section above). A Power Apps Per User license is required for this account to enable Power Automate Flows.
  • Dynamics permissions: The deployment account will require System Administrator permission within the target Power Platform environment for deployment and customization activities. (This will be set during deployment)

    Image shows the Dynamics system admin
  • Teams Administrator: To allow us to deploy the Teams application and configuration policy for your users we require access to the Teams admin portal. To do this grant the deployment account access in the Office Admin Centre. This is a once-off activity that could also be completed by the customer IT governance team if desired.

    Image shows the Dynamics service admin
Note

Altus does not recommend the use of "Shared Accounts". It is always important to adhere to the relevant Information Security Policy for the target environment.

Decommissioning the deployment account

It is possible to decommission the Deployment Account after the deployment of Altus, however a new responsible person will be needed to own the Power Platform assets. More information on this procedure is here: Decommission or Update the Deployment Account

Warning

To prevent system downtime, please work with your engagement lead before either disabling the Deployment Account or changing the password for the Deployment Account.

Create an environment

A new, dedicated, production Power Platform environment is required to host Altus. This gives your organization control over security and additional management tasks when maintaining the solution and environment.

Note

While it is possible to deploy Altus into a pre-existing environment with other Dynamics 365 and 3rd party Apps, this is not a scenario we actively test, or support.

Altus is deployable into certain types of Power Platform environments:

Environment type Altus deployable?
Production (recommended)
Default
Sandbox
Trial
Developer
Dataverse for Teams (Oakdale)

Create a new environment from the Power Platform admin center.

  • Set the type to Production.
  • Create the environment with a Dataverse database.

New environment modal

  • Ensure the region is aligned with your tenant and user locations.
  • Do not enable Dynamics 365 apps unless other Dynamics 365 apps, like Dynamics CRM, will be installed in this environment.

Add database modal

Warning

Once created, and Altus has been deployed, please DO NOT change the url. This could orphan the environment and prevent updates from being applied. If you do need to change the url after deployment, please collaborate with your engagement lead.

For more information on how to complete these tasks, review the documentation on Microsoft docs here: https://docs.microsoft.com/en-us/power-platform/admin/create-environment#create-an-environment-with-a-database

Add premissions for the Deployment Account

If the user creating the environment is not the deployment account, please grant the deployment account as a system administrator of the newly created environment:

Add system admin permissions to the deployment account

Dataverse capacity management

Since Altus requires a Dataverse Power Platform environment - this will consume at least 1 GB of Dataverse quota. This section details how to monitor and resolve Dataverse quota problems.

In April 2019 Microsoft introduced a new capacity-based model for tracking power platform storage and database usage. In this new storage model, environment creation rights are governed by the amount of available database capacity instead of being based on user license entitlement.

Within this new capacity model, the following points are important to understand:

Important
  • A new environment may not be created without a minimum of 1 GB database capacity available.
  • Some administrative actions for environments are disabled while the organization is in capacity deficit.
  • Capacity deficit will need to be resolved at time of license renewal.

Check capacity usage

Organization capacity usage can be observed in the Power Platform Admin Center > Resources > Capacity.

You should be presented with a breakdown of capacity usage similar to the following image:

Image shows the storage capacity usage page

If your capacity portal does not appear this way, your organization may be operating under the legacy storage model. Run through the process found at the following link to confirm: Legacy storage capacity - Power Platform | Microsoft Docs

Please notify your implementation contact if this is the case, as there may be deployment implications.

Addressing a capacity deficit

Many products are recommended to be deployed to a new environment. If the available capacity is less than the 1 GB required for new environment creation, one or multiple of the following options will need to be investigated.

1. Delete unused / unnecessary environments

If any existing environments can be deemed unnecessary or unused, you may wish to delete them. This will immediately return at least 1 GB of database capacity per deletion excluding size of environment content.

2. Free up storage space

Please visit the following page for a list of common procedures that may be followed to reclaim storage from existing environments and solutions: Free up storage space - Power Platform | Microsoft Docs

3. User licensing

Capacity may be sourced via the purchase of user licenses. See the Power Apps and Power Automate Licensing Guide for purchasing information.

Note

Per app plans currently do not provide any additional capacity as detailed in the licensing guide. This is expected to change, however no ETA is known at this stage. Per user licensing provides 400 MB database capacity per license as expected.

4. Purchase a capacity add-on

Capacity add-ons may be sourced via purchase of add-on capacity in 1 GB increments. See the Power Apps and Power Automate Licensing Guide for purchasing information.

More information on these add-ons can be found here: Capacity add-ons - Power Platform | Microsoft Docs

Additional Considerations

Infrastructure considerations

Browser support

Altus broadly has the same browser support as the Microsoft 365 Platform.

In summary:

  • Preferred Microsoft Edge: Latest version (Chromium based version)
  • Chrome and Safari: Latest version (Note: Safari has a known issue with cross site scripting)
  • Microsoft Edge legacy browser: Potentially works, is unsupported from March 2021.
  • Microsoft IE11: Unsupported.
  • Firefox: Potentially works, but not guaranteed.
Mobility Support

Please note the following:

  • Mobile Browsers: Currently, there are accessibility challenges with certain features on small-screen and mobile browsers. We are committed to enhancing the mobile user experience in future updates.
  • Offline Use: While the Power Platform does offer some offline capabilities, full offline functionality is not yet supported.
  • PowerApps Player: The PowerApps mobile player allows for basic data entry, but does not support advanced grids or visualizations at this time.

There are several authentication windows throughout the solution that require popping up windows in the browser. This typically needs either

  • The user to enable the popup windows when they encounter them.
  • Group policy enable popups for all or a group of users.

The popup windows will be targeting the Dynamics organisation URL. This usually takes the form of: https://orgXXXXXXXX.crmY.dynamics.com/ (We will let you know the exact URL if this change is required)

Third-party cookies

The Power BI sign-in button will appear on embedded reports within the application. For this to work, you must have a Power BI license and you must have your browser settings set to not "Block third-party cookies".

This is the default setting for most browsers (Note: By default, when using Chrome incognito mode, third party cookies are disabled by default. As a result, this will need to be modified in Chrome settings)

Entra ID Conditional Access

Customers have the flexibility to set up Conditional Access in various ways, which can range from having a significant impact on user activities to having minimal impact. Altus relies on Entra ID for authentication, meaning its functionality is governed by the Conditional Access Policies in place.

Since Altus is inside your Microsoft tenancy Conditional Access policies will also impact Altus usage, for example:

  • MFA Requirements
  • Location based access requirements
  • Device compliance
  • Risk based policies like impossible travel, etc.
  • Time based access
  • .. and many more, see Conditional Access documentation for details.

Altus is designed to provide you with the best user experience possible utilising the Power Platform. To enjoy the full functionality and visual quality of the application, we recommend that you use a screen resolution of 1920x1080 pixels (as a recommended minimum). This resolution will allow you to see all the details and features of Altus without any distortion or cropping. If your screen resolution is lower than 1920x1080, you may encounter some issues with layout and performance. Therefore, we suggest that you adjust your screen settings to match our recommended resolution.

Complete the checklist

After completing Technical Readiness please fill out this Technical Readiness Checklist to initiate deployment process with your partner.

Edit this page