Teams Connector Setup

Provide necessary API permissions to index Teams channels.

Index Teams channels, chat, messages, and meeting transcripts by creating a dedicated App Registration with the appropriate permissions.

Setup Checklist

Before starting, ensure you have:

  • Azure Global Administrator or Cloud Application Administrator role
  • Teams Premium licensing (for meeting transcripts)
  • Certificate generated (see Certificate Generation Guide)
  • Active Atolio deployment

Required API Permissions

Step 1: Create App Registration

  1. Navigate to Azure Portal > App Registrations
  2. Click “New registration”
  3. Enter name: Atolio Teams
  4. Select “Accounts in this organizational directory only”
  5. Click “Register”

Step 2: Add API Permissions

⚠️ Important: Only add Application permissions, not Delegated permissions

  1. In your App Registration, click “API permissions” in the left menu
  2. Click “Add a permission”
  3. Select “Microsoft Graph”
  4. Click “Application permissions” (not Delegated permissions)

Add these Microsoft Graph permissions:

Identity & Directory Permissions (Required for ACL mapping)

  • Application.Read.All
  • Group.Read.All
  • GroupMember.Read.All
  • User.Read.All
  • Directory.Read.All (optional; can be omitted by setting disable_full_permissions: true in the configuration)

Teams Content Permissions

  • Channel.ReadBasic.All
  • ChannelMember.Read.All
  • ChannelMessage.Read.All
  • Chat.Read.All
  • ChatMember.Read.All
  • ChatMessage.Read.All
  • Team.ReadBasic.All
  • TeamMember.Read.All

Teams Meeting Transcripts (Optional)

  • OnlineMeetings.Read.All
  • OnlineMeetingTranscript.Read.All
  • Calendars.Read
  • Domain.Read.All

Step 3: Grant Admin Consent

  1. After adding all permissions, click “Grant admin consent for [your tenant name]” at the top of the API permissions page
  2. Confirm by clicking “Yes”
  3. Verify all permissions show “Granted for [your tenant name]” with green checkmarks
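
A check to run after consent is granted, added here as an example (it is not Atolio's or Microsoft's code): application permissions appear in the roles claim of an app-only access token, while a delegated token carries scp instead, so decoding a token issued to the registration shows missing or surplus permissions against the lists above. It assumes you obtained the token yourself; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Permission names are the ones listed on this page.
IDENTITY = {"Application.Read.All", "Group.Read.All", "GroupMember.Read.All", "User.Read.All"}
FULL_DIRECTORY = {"Directory.Read.All"}  # omitted when disable_full_permissions: true
TEAMS = {"Channel.ReadBasic.All", "ChannelMember.Read.All", "ChannelMessage.Read.All",
         "Chat.Read.All", "ChatMember.Read.All", "ChatMessage.Read.All",
         "Team.ReadBasic.All", "TeamMember.Read.All"}
TRANSCRIPTS = {"OnlineMeetings.Read.All", "OnlineMeetingTranscript.Read.All",
               "Calendars.Read", "Domain.Read.All"}

def jwt_claims(token):
    """Decode a JWT payload without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def expected_permissions(enable_transcripts, disable_full_permissions):
    """Permission set this page asks for, given the two connector settings."""
    wanted = IDENTITY | TEAMS
    if not disable_full_permissions:
        wanted |= FULL_DIRECTORY
    if enable_transcripts:
        wanted |= TRANSCRIPTS
    return wanted

def audit_token(token, enable_transcripts=True, disable_full_permissions=False):
    claims = jwt_claims(token)
    granted = set(claims.get("roles", []))
    wanted = expected_permissions(enable_transcripts, disable_full_permissions)
    return {
        "missing": sorted(wanted - granted),      # consent or permission not in place
        "unexpected": sorted(granted - wanted),   # more access than this page requires
        "delegated": "scp" in claims,             # delegated token, not app-only
    }

def constructed_token(claims):
    """Build an unsigned sample token for the demo; not a real Graph token."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    sample = constructed_token({"roles": sorted(IDENTITY | TEAMS) + ["Mail.ReadWrite"]})
    print(audit_token(sample, enable_transcripts=False, disable_full_permissions=True))
```

An empty missing list with a non-empty unexpected list means the registration works but holds more access than the connector needs, which is worth trimming before handing over the certificate.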

Step 4: Upload Certificate

  1. Click “Certificates & secrets” in the left menu
  2. Click “Upload certificate”
  3. Select your .cer file (not the .pfx file)
  4. Add description: Atolio Teams Authentication
  5. Click “Add”

Step 5: Collect Configuration Values

From the “Overview” page, copy:

  • Application (client) ID
  • Directory (tenant) ID

You’ll provide these, along with your base64-encoded .pfx certificate, to your Atolio support contact.

Note: the “Grant admin consent” link is beside the “Add a permission” link on the API permissions page.

Application Access Policy for Teams Meeting Transcripts

In addition to the Entra ID permissions above, you need to set up an application access policy for Atolio to access transcripts.

  • Open PowerShell. Install the Microsoft Teams PowerShell module:
    • Install-Module -Name MicrosoftTeams -Force -AllowClobber
  • Connect to the Teams module with an admin account from your shell. This opens a login page in your browser:
    • Import-Module MicrosoftTeams
    • Connect-MicrosoftTeams
  • Create a new policy. Assuming the policy name is “Atolio-Transcript-Access-Policy”, and the previously registered application ID (client ID) is “some-app-id”, the shell command will be as follows:
    • New-CsApplicationAccessPolicy -Identity Atolio-Transcript-Access-Policy -AppIds "some-app-id" -Description "Access policy for teams transcripts"
  • Associate users with the policy. You have two options:
    • Option 1 - Grant tenant-wide access (recommended). This will allow Atolio to index transcripts owned by every user who does not have an application access policy assigned:
      • Grant-CsApplicationAccessPolicy -PolicyName Atolio-Transcript-Access-Policy -Global
    • Option 2 - Grant user-specific access. This will allow Atolio to index transcripts owned by explicitly declared users only:
      • Grant-CsApplicationAccessPolicy -PolicyName Atolio-Transcript-Access-Policy -Identity "some-user-id"

More details about the policy setup can be found in the official documentation:

Resource Filtering

Limit indexing scope using resource filters. Teams supports team-specific filtering:

Team Filtering

Index specific Teams by name or ID:

resources:
  team:
    included:
      - 66e327b3-321a-4ebf-8e2c-34cebf134bf8 # Engineering Team ID
      - 0507654f-506d-4805-95d5-516bcaf1075c # Sales Team ID
    excluded:
      - b0b083d0-6288-45ce-8ecd-16960ba7b329 # HR Team ID

Sample Configuration

Here’s a complete YAML configuration example for Teams:

connector: microsoft
source: teams
common:
  enabled: true
  identity-provider: false
  cron-spec: "40 */1 * * *"
secrets:
  client_cert:
    value: "<BASE64_ENCODED_PFX_CONTENT>"
  client_cert_password:
    value: "<CERTIFICATE_PASSWORD>"  # Optional if no password set
configuration:
  client-id: "<APPLICATION_CLIENT_ID>"
  tenant-id: "<DIRECTORY_TENANT_ID>"
  disable_full_permissions: false
  enable-transcripts: true  # Enable meeting transcript indexing
  skip-chats: false        # Set to true to skip private chats
  resources:
    team:
      included:
        - 66e327b3-321a-4ebf-8e2c-34cebf134bf8 # Engineering Team ID
        - 0507654f-506d-4805-95d5-516bcaf1075c # Marketing Team ID

Troubleshooting

Error | Cause | Solution
--- | --- | ---
401 Unauthorized | Missing admin consent | Click “Grant admin consent” in API permissions
403 Forbidden | Wrong permission type | Ensure you added Application permissions, not Delegated
invalid_client | Certificate not found/expired | Verify certificate is uploaded and valid
Teams not appearing | Missing team permissions | Verify all Teams permissions are granted
Transcripts missing | Application access policy not set | Follow PowerShell policy setup steps above
Private chats missing | Chat.Read.All permission missing | Add permission and re-grant admin consent

Limitations

  • Only the first 1000 replies to a channel post are indexed, due to limitations of the Microsoft API.