Technical Readiness
After completing the steps below, please fill out the Technical Readiness Questionnaire to initiate deployment.
If you have any trouble performing the steps below, please refer to this step-by-step walk through video:
Licensing
Sensei IQ utilizes Microsoft 365 products to provide a best-in-class user experience. You may already be using these products, or may need to source additional licenses.
As an overview, Sensei IQ utilizes the following Microsoft technologies, from which the license requirements can be derived.
Each Sensei IQ User and the Sensei deployment account requires:
- Power Apps license (choose one of the following):
  - Power Apps Per App pass. Click here for more details.
  - Power Apps Premium license (recommended for key users and the Sensei Deployment account)
  - Power Apps pay-as-you-go
- Power BI Pro, or organizational Power BI Premium capacity.
- Microsoft 365 license that grants access to Microsoft Teams; E1, E3, E5, others.
Note
We recommend the PowerApps Premium license at least for the key users + the Sensei Deployment account. End users can be covered by "Per App" passes, but there is additional administration required to manage the per-app passes to user assignments. Click here for more information on Power Apps per App passes
Also please note - the "PowerApps for Office 365" and "PowerApps and Logic Flows" license(s) DO NOT meet the requirement for the necessary Power Apps license. Please see above for the acceptable Power Apps options.
Warning
Please do not use "Trial" licenses to satisfy any of these requirements.
Additional Licensing Scenarios
Looking at this from a role-based perspective:
Optional auxiliary roles:
1 – License multiplexing rules for external systems may apply and often require end-users/consumers of data from those systems to hold an end user license. Contact the 3rd party vendor for more information on their individual licensing requirements.
2 - Collaboration via Teams excluding the Sensei IQ Teams Application (this requires a Power Apps license).
3 - Viewing Power BI reports requires a Power BI license.
4 - Guest access via Teams and SharePoint has limitations and additional tenant requirements.
5 – AAD Guest access to the Sensei IQ Teams & Power App is not currently supported, but is likely to be enabled by a future update.
* - A non-zero number of “Power Apps Premium” or “Power Automate Premium” licenses are required to deploy any Power Automate Flows that consume premium connectors. Power Apps per App users cannot be the owner of Power Automate Flows that utilize Premium connectors as the Flows will be disabled every 7 days.
Note
Effective as at 23-Jan-2021. Sensei provides indicative general licensing advice. Please consult your Microsoft licensing advisor to confirm the specific licensing costs/requirements for your deployment.
Licensing FAQ
Can my organization use Pay-as-you-go plan licensing for Power Apps?
Yes. Pay-as-you-go is an alternative licensing plan for Power Apps. Microsoft provides documentation on this option here.
In order to set up this option for licensing your users to use Sensei IQ, organizations should follow the Microsoft documentation here.
Note
In our experience, the “PowerApps per app baseline access” license was still needed for users accessing Sensei IQ. If this license type is not enabled in your tenant, please click this link.
Can I use Power BI Free instead of Pro or Premium?
The Shared and embedded reports in Sensei IQ require all end-users to have either a Power BI Pro license or to be hosted in a Power BI Premium capacity. From Microsoft:
"With sharing, whether you share content inside or outside your organization, you need a Power BI Pro license. Your recipients also need Power BI Pro licenses, unless the content is in a Premium capacity."
Can my organization use trial licensing for Sensei IQ?
No. Please invest in appropriate valid licensing as requested. Having trial licenses expire during the deployment or rollout is undesirable. The use of non-trial licenses is a requirement of IQ technical readiness.
Does the Power Apps license provide my end-users with Power Automate capabilities?
The Microsoft Power Apps license allows Power Automate Flows to be used in conjunction with the Power App.
From Microsoft:
"In the original introduction of the new licensing and as a consequence of the older model, it was thought that a separate license would be required for a Power App to use A Power Automate Flow when, in fact, it is only the cost of the Power App that will apply even if the Premium connector is only accessed via the flow. The key guidance here is to understand the use case of the flow itself whether it is created to service the app or if it is the type that is expected to be shared or used outside of the application as it will then be a case of selecting the appropriate Power Automate license."
I'm confused by Power Apps per app plan license usage, can you help?
When using a Power Apps per app plan, you need to do the following things:
- Purchase the Power Apps per app plan licenses in the quantity required.
- Allocate the App passes to the environment in which the app will be used. This is done using 'Resources > Capacity > Add-ons'.
- Ensure that you've granted each user "PowerApps per app baseline access" under 'Licenses and apps'.
Microsoft has additional documentation on Power Apps per app plan usage here: About Power Apps per app plans. If your company purchases licenses through a third party, it's possible that the user license for "PowerApps per app baseline access" won't be added to your M365 tenant. If this is the case, you can add that license type to your tenant by clicking this link. You'll then need to confirm that your users have the "PowerApps per app baseline access" license applied in the M365 admin center, and add it if they do not.
Licenses for External Execution/Scheduling Tools
For licensing information regarding any external execution or scheduling tools that an organization may choose to sync with Sensei IQ, please refer to the licensing information published by those software providers. For Project Online and Planner Premium see the Service Description from Microsoft here.
Tenant Functionality
Sensei IQ utilizes existing functionality of your Microsoft 365 installation in conjunction with Sensei content and components to deliver the IQ experience.
Sensei IQ is tested to work with Microsoft 365 in the Microsoft-issued default configuration. However, after receiving the Microsoft 365 tenant, customers can disable key functionality that Sensei IQ needs in order to function correctly.
Sensei IQ relies on the following technologies within Microsoft 365:
- Internet Access for Users
- User driven M365 group creation
- Power BI workspaces
- Power Automate
- Microsoft Graph
- Teams Custom App Installation
- Exchange Online
Internet Access
This is a Managed Solution delivered from our presence on the Internet, and as such End-Users will require Internet access.
Services are delivered from URLs including (but not limited to):
- Microsoft Office 365:
  - *.office.com
  - *.microsoft.com
  - *.powerapps.com
- Dynamics:
  - *.dynamics.com
- Sensei:
  - *.senseiiq.cloud
  - *.userback.io
  - dc.services.visualstudio.com
Please ensure there are no proxy servers preventing access to the above domains or sub-domains.
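One way to check a proxy's deny log against the domain list above, as an added example that is not Sensei's own tooling. The log format and hostnames are constructed, and each wildcard is assumed to cover the bare domain as well as its sub-domains, matched on whole DNS labels.

```python
from urllib.parse import urlsplit

# Patterns copied from the list above, grouped as the page groups them.
REQUIRED = {
    "Microsoft Office 365": ["*.office.com", "*.microsoft.com", "*.powerapps.com"],
    "Dynamics": ["*.dynamics.com"],
    "Sensei": ["*.senseiiq.cloud", "*.userback.io", "dc.services.visualstudio.com"],
}

# Constructed proxy log (hypothetical format: time, verdict, method, target).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z ALLOWED CONNECT teams.microsoft.com:443
2024-05-01T09:00:02Z DENIED CONNECT org0000.crm.dynamics.com:443
2024-05-01T09:00:03Z DENIED GET https://api.userback.io/widget.js
2024-05-01T09:00:04Z DENIED CONNECT dc.services.visualstudio.com:443
2024-05-01T09:00:05Z DENIED CONNECT notsenseiiq.cloud:443
2024-05-01T09:00:06Z DENIED CONNECT make.powerapps.com.example.net:443
2024-05-01T09:00:07Z DENIED CONNECT ORG0000.crm.dynamics.com.:443
"""


def extract_host(target):
    """Return the lower-cased host from 'host:port' or a full URL."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit parse the CONNECT form
    return (urlsplit(target).hostname or "").rstrip(".")


def host_matches(host, pattern):
    """Match on whole DNS labels, never on a bare string suffix."""
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def blocked_required(log_text, required=REQUIRED):
    """Map each group to the sorted required hosts the proxy denied."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[1] != "DENIED":
            continue
        host = extract_host(fields[3])
        for group, patterns in required.items():
            if any(host_matches(host, p) for p in patterns):
                hits.setdefault(group, set()).add(host)
    return {group: sorted(hosts) for group, hosts in hits.items()}


if __name__ == "__main__":
    for group, hosts in blocked_required(SAMPLE_LOG).items():
        print(f"{group}: proxy denied {', '.join(hosts)}")
```

The last two denied hosts that merely contain a required name (`notsenseiiq.cloud`, `make.powerapps.com.example.net`) are not reported, which is the behaviour an allow rule for these patterns should also have.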
Microsoft 365 Group Creation
By default all Microsoft 365 users can create Microsoft 365 Groups. However some organizations choose to disable this feature.
Microsoft Project for the Web (and other Microsoft tools such as Teams, Roadmap, Planner, Power BI, Stream, etc.) utilize Microsoft 365 Groups to provide key functionality.
Sensei IQ utilizes Microsoft 365 groups to:
- Define the list of people who are working on each Project and define who can be assigned tasks in the schedule.
- Define who can see the items inside Sensei IQ associated with the project such as Risks and Issues.
- Store documents and provide a collaboration space in the SharePoint Site collection.
In the event that Group creation is prohibited, Groups can be pre-created by an administrator, and users can then associate their projects to existing groups if necessary. However, the gating/approval process around Microsoft 365 Group creation is outside the scope of the Sensei IQ Product.
Microsoft Graph
The Microsoft Graph is an API that allows integration between Microsoft 365 Applications, and in the case of Microsoft 365 Groups and Teams is the only API available.
Sensei IQ utilizes Microsoft Graph API to provide integration between Power Apps, Groups and Teams.
Power BI Workspaces
Power BI stores reports in workspaces. By default all Power BI users can create workspaces, however some customers choose to disable this feature.
Sensei IQ utilizes Power BI to deliver shared reports that form part of the application. During deployment we will put these shared reports in a dedicated workspace to keep them separate from other reports in the environment.
To do this we will create the following Power BI workspaces:
- Sensei IQ - orgXXXXXXX
- Sensei IQ (Test) - orgXXXXXXX
It is recommended that Power BI workspace creation not be disabled for the Sensei deployment account.
Power Automate (Flow)
Power Automate is a Microsoft service that forms part of your M365 tenant and is utilized by Sensei IQ to provide workflow capabilities. The Sensei deployment engineer will create the following connections in the nominated named Power Platform Environment. If you have a DLP policy defined for the environment, please ensure that the following connections are allowed:
* - A non-zero number of “Power Apps Per User” or “Power Automate Per User” licenses are required to deploy any Power Automate Flows that consume premium connectors. Power Apps per App users cannot be the owner of Power Automate Flows that utilize Premium connectors as the Flows will be disabled every 7 days.
Teams Custom App Deployment
By default Teams provides the ability for users to add Apps from the published store or to add custom apps to the environment. Customers can choose to disable the extensibility features in Microsoft Teams.
Sensei IQ comes with a Custom Teams App that will be added to the Teams deployment to provide integration features between Power Apps, SharePoint and Teams.
To allow this to occur, Custom Teams Apps must not be disabled (default setting), or at least the Sensei App must be specifically allowed by the governance policies in Microsoft 365:
Exchange Online
There are various workflows in the Sensei IQ product that will attempt to send users emails. This is done via the Exchange Online functionality of Microsoft 365 because the transmissions of the emails within the Exchange infrastructure (not SMTP) are assumed to be protected/encrypted.
If your organization doesn't use Exchange online, these workflows can be amended to use SMTP to external email providers at your option. This would be done via an additional engagement and with your consent that the content transmitted via email would not be encrypted.
Granting Consent
Sensei IQ is a Managed Solution offering integration with your Microsoft 365 tenant, and will require consent for deployment and continued operation. To facilitate this, an administrator will need to grant consent for the Sensei software to work in conjunction with your Microsoft 365 tenant.
To provide consent, click the links below, and agree to the terms on the dialog displayed. Example screenshots of the dialogs are provided. When this is completed, a Service Principal will be added to your Azure AD. A Service Principal is nothing more than an identity which will be used by our service to interact with your tenant. You can revoke this consent at any time through the Azure AD Portal Enterprise App Registrations.
Deployment
Sensei IQ will need to be initially deployed, as well as being updated from time to time to provide fixes and new functionality as part of the subscription. To do this a Service Principal is used for deployment that is separate from the other operational identities.
To allow this to occur an M365 administrator must >> click here to grant consent to the Sensei Deployment App<<.
Note
The blue tick mark next to Sensei indicates that this identity is a Verified Publisher and managed by a Microsoft Certified Partner.
Teams App
One of the major components of Sensei IQ is the integrated Teams experience. This is achieved via a Teams custom App. The permissions required are extensive; this stems from the functionality that is provided:
- Summarises data from the Dataverse.
- Reads the SharePoint site collection destinations associated with Projects to allow intuitive navigation.
- Automates the creation of Channels within Teams to provide an organized approach to Project collaboration when M365 Group creation is limited.
- Reads the set of files in SharePoint site collections connected to the Project to re-present it within the PowerApp for the user's convenience.
To provide this functionality, the Teams App must connect both to the Microsoft Graph and the Microsoft Dataverse services.
To allow this to occur an M365 administrator must >>click here to grant consent to the Sensei Teams App<<.
Note
The blue tick mark next to Sensei indicates that this identity is a Verified Publisher and managed by a Microsoft Certified Partner.
Delegated Permissions
The permissions in the above dialog are known as delegated permissions:
Delegated permissions are the intersection of the current user's permissions and the application's permissions: the application can act only where both allow it.
Granting Delegated Permissions:
- Does not grant the application any permission by itself; a user must always be present.
- Does not grant the user permission to do anything they couldn't already do without the app.
- Is a filter that controls what the application can do on the user's behalf.
- Doesn't change the security posture of the Microsoft 365 tenant other than to trust Sensei software to work on behalf of the users to perform actions they could already do manually.
More information about delegated permissions.
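The following added example (not Sensei or Microsoft code) summarises delegated grants per app from data shaped like Microsoft Graph servicePrincipal and oauth2PermissionGrant objects, and flags any matching app that holds grants without a verified publisher. All ids, scopes and the third app are constructed, and modelling a user's rights as scope names is a simplification.

```python
# Constructed data shaped like Microsoft Graph servicePrincipal and
# oauth2PermissionGrant objects. Ids, scopes and the third app are
# placeholders, not the values the Sensei consent dialogs request.
SERVICE_PRINCIPALS = [
    {"id": "sp-0001", "displayName": "Sensei Deployment App",
     "verifiedPublisher": {"displayName": "Sensei"}},
    {"id": "sp-0002", "displayName": "Sensei Teams App",
     "verifiedPublisher": {"displayName": "Sensei"}},
    {"id": "sp-0003", "displayName": "Sensei Lookalike (constructed)",
     "verifiedPublisher": {"displayName": None}},
]
GRANTS = [
    {"clientId": "sp-0002", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "res-graph", "scope": "User.Read Sites.Read.All Channel.Create"},
    {"clientId": "sp-0002", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "res-dataverse", "scope": "user_impersonation"},
    {"clientId": "sp-0001", "consentType": "Principal", "principalId": "user-0009",
     "resourceId": "res-graph", "scope": " User.Read "},
    {"clientId": "sp-0003", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "res-graph", "scope": "Mail.ReadWrite"},
]


def review_consent(principals, grants, name_prefix="Sensei"):
    """Summarise delegated grants for apps whose name starts with name_prefix."""
    report = []
    for sp in principals:
        if not sp["displayName"].startswith(name_prefix):
            continue
        tenant_wide, per_user = set(), {}
        for grant in grants:
            if grant["clientId"] != sp["id"]:
                continue
            scopes = set(grant["scope"].split())  # one space-separated string
            if grant["consentType"] == "AllPrincipals":  # admin consent, all users
                tenant_wide |= scopes
            else:  # "Principal": consent that applies to a single user
                per_user.setdefault(grant["principalId"], set()).update(scopes)
        publisher = (sp.get("verifiedPublisher") or {}).get("displayName")
        report.append({
            "app": sp["displayName"],
            "verified_publisher": publisher,
            "tenant_wide": sorted(tenant_wide),
            "per_user": {user: sorted(s) for user, s in per_user.items()},
            # Holds grants but lacks the verified-publisher mark: look closer.
            "review": publisher is None and bool(tenant_wide or per_user),
        })
    return report


def effective_for_user(app_scopes, user_can):
    """Simplified model: delegated access is what the app was granted AND
    what the signed-in user could already do."""
    return sorted(set(app_scopes) & set(user_can))


if __name__ == "__main__":
    for entry in review_consent(SERVICE_PRINCIPALS, GRANTS):
        print(entry)
```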
Create an Environment
Sensei requires creation of a new, dedicated, production Power Platform environment to host Sensei IQ. This gives your organization control over security and additional management tasks when maintaining the solution and environment.
Sensei IQ is deployable into certain types of Power Platform Environments:
Environment Type | IQ Deployable? |
---|---|
Production (Recommended) | ✅ |
Default | ❌ |
Sandbox | ✅ |
Trial | ✅ |
Developer | ❌ |
Dataverse for Teams (Oakdale) | ❌ |
Create a new environment from the Power Platform admin center.
- Ensure the region is aligned with your Tenant and user locations.
- Set the type to 'Production'.
- Set "Add a Dataverse data store" to "Yes".
- Click "Next".
- Set language and currency.
- Set the security group, or use "None" and allow open access for licensed users with a security role.
- Set a unique URL or use the default.
- Do not enable Dynamics 365 apps or sample apps and data.
Note
Please do not use the environment name and url shown below - these are for EXAMPLE purposes only. Please discuss with your stakeholders to decide on a meaningful name and url for your organization. For example, if the organization was called "Kestral Industries", some appropriate names and urls might be "Kestral Sensei IQ" and "https://kestraliq.dynamics.crm.com" or "Kestral PMO" and "https://kestralpmo.dynamics.crm.com".
Warning
Once created, and IQ has been deployed, please DO NOT change the URL. This could impact the environment and prevent updates from being applied. If you do need to change the URL after deployment, please collaborate with your Sensei engagement lead.
For more information on how to complete these tasks, review the documentation on Microsoft docs here: https://docs.microsoft.com/en-us/power-platform/admin/create-environment#create-an-environment-with-a-database
Dataverse Capacity Management
Because Sensei IQ requires a Dataverse Power Platform environment, it will consume at least 1GB of Dataverse quota. This section details how to monitor and resolve Dataverse quota problems.
In April 2019 Microsoft introduced a new capacity-based model for tracking power platform storage and database usage. In this new storage model, environment creation rights are governed by the amount of available database capacity instead of being based on user license entitlement.
Within this new capacity model, the following points are important to understand:
Important
- A new environment may not be created without a minimum of 1gb database capacity available.
- Some administrative actions for environments are disabled while the organization is in capacity deficit.
- Capacity deficit will need to be resolved at time of license renewal.
Check capacity usage
Organization capacity usage can be observed in the Power Platform Admin Center > Resources > Capacity.
You should be presented with a breakdown of capacity usage similar to the following image:
If your capacity portal does not appear this way, your organization may be operating under the legacy storage model. Run through the process found at the following link to confirm:
Legacy storage capacity - Power Platform | Microsoft Docs
Please notify your Sensei contact if this is the case, as there may be deployment implications.
Addressing a capacity deficit
Many of Sensei's products are recommended to be deployed to a new environment. If the available capacity is less than the 1gb required for new environment creation, one or more of the following options will need to be investigated.
1. Delete unused / unnecessary environments
If any existing environments can be deemed unnecessary or unused, you may wish to delete them. This will immediately return at least 1gb of database capacity per deletion excluding size of environment content.
2. Free up storage space
Please visit the following page for a list of common procedures that may be followed to reclaim storage from existing environments and solutions.
Free up storage space - Power Platform | Microsoft Docs
3. User licensing
Capacity may be sourced via the purchase of user licenses. See the Power Apps and Power Automate Licensing Guide for purchasing information.
Note
Per app plans currently do not provide any additional capacity as detailed in the licensing guide.
This is expected to change, however no ETA is known at this stage.
Per user licensing provides 400mb database capacity per license as expected.
4. Purchase a capacity add-on
Capacity add-ons may be sourced via purchase of add-on capacity in 1gb increments.
See the Power Apps and Power Automate Licensing Guide for purchasing information.
More information on these add-ons can be found here: Capacity add-ons - Power Platform | Microsoft Docs
Deployment Account
To enable the Sensei deployment engineer to perform the interactive activities necessary to deploy Sensei IQ to your environment, we require at least temporary access via a deployment account.
Requirements for the deployment account
- Must be accessible externally (from the Internet)
- Must not be a "Guest" account, as guest accounts cannot be used with all the features of Power Apps at this time. i.e. the account must be created in the same Azure Active Directory as the target M365 tenant.
- Licensed as per an end-user (see License section above). Power Apps Per User license is recommended for this account to make use of the Power Automate Flows that are included with Sensei IQ for notifications & approvals.
Dynamics permissions: The Sensei deployment account will need System Administrator permission within the target Power Platform environment for deployment and customization activities.
Teams Administrator: To allow us to deploy the Teams Application and configuration policy for your users, we require access to the Teams Admin portal. To do this, grant the Sensei Deployment Account access in the Office Admin Centre. This is a once-off activity that could also be completed by the customer IT governance team if desired.
Decommissioning the Deployment Account
While it is possible to decommission the Deployment Account post-deployment of Sensei IQ, there are some considerations to note as detailed in Reference here: Decommission or Update the Deployment Account
Warning
To prevent system downtime, please work with your Sensei Engagement Lead before either disabling the Deployment Account or changing the password for the Deployment Account. This includes situations where password resets are forced (e.g. 90-day password expiry); when this occurs, credentials will need to be updated in all places mentioned in the reference article here.
Infrastructure considerations
Browser Support
With Sensei IQ we broadly have the same browser support provided by Microsoft 365 Platform.
In summary:
- Microsoft Edge (preferred): Latest version (Chromium based version)
- Chrome and Safari: Latest version
- Microsoft Edge Legacy browser: Might work, can’t provide any guarantees, unsupported after March 2021.
- Microsoft IE11: Unsupported. See Internet Explorer 11 for Sensei Products for more details.
- Firefox: Might work, can’t provide any guarantees.
Popup blocking
There are several authentication windows throughout the solution that require popping up windows in the browser. This typically needs either:
- The user to enable the popup windows when they encounter them, or
- A group policy to enable popups for all or a group of users.
The popup windows will be targeting the Dynamics organization URL. This usually takes the form of: https://orgXXXXXXXX.crmY.dynamics.com/
(We will let you know the exact URL if this change is required)
3rd Party Cookies
The Power BI Sign-In button will appear on embedded reports within the application.
For this to work, you must have a Power BI license and you must have your browser settings set to not "Block third-party cookies".
This is the default setting for most browsers.
Azure AD Conditional Access
The Sensei IQ Teams Integration, Document Tabs, Groups and Graph integration rely on the end-user authenticating to Azure AD. If this is prevented by Azure AD Conditional Access, a functionality deficit should be expected.
There are many governance policy settings available to M365 administrators that can cause Sensei IQ functionality to fail. As with all Governance options, care should be taken not to introduce policies that will cause a negative experience for end users.
Sensei IQ utilizes 2 service principals:
Applying policies that affect these should be done carefully as it could cause a negative effect on the end user experience.
Note
At this time (May 2021) Azure AD Conditional Access is incompatible with the Teams Desktop Client when using Sensei IQ and Microsoft provided tabs such as Power BI, Forms, VSTS, PowerApps, and SharePoint List. https://docs.microsoft.com/en-us/microsoftteams/troubleshoot/known-issues/tabs-dont-work-after-enabling-conditional-access