Teams Connector Setup
Index Teams channels, chat, messages, and meeting transcripts by creating a dedicated App Registration with the appropriate permissions.
Setup Checklist
Before starting, ensure you have:
- Azure Global Administrator or Cloud Application Administrator role
- Teams Premium licensing (for meeting transcripts)
- Certificate generated (see Certificate Generation Guide)
- Active Atolio deployment
Required API Permissions
Step 1: Create App Registration
- Navigate to Azure Portal > App Registrations
- Click “New registration”
- Enter name: Atolio Teams
- Select “Accounts in this organizational directory only”
- Click “Register”
Step 2: Add API Permissions
⚠️ Important: Only add Application permissions, not Delegated permissions
- In your App Registration, click “API permissions” in the left menu
- Click “Add a permission”
- Select “Microsoft Graph”
- Click “Application permissions” (not Delegated permissions)
Add these Microsoft Graph permissions:
Identity & Directory Permissions (Required for ACL mapping)
Application.Read.All
Group.Read.All
GroupMember.Read.All
User.Read.All
Directory.Read.All (optional - can omit with disable_full_permissions: true in configuration)
Teams Content Permissions
Channel.ReadBasic.All
ChannelMember.Read.All
ChannelMessage.Read.All
Chat.Read.All
ChatMember.Read.All
ChatMessage.Read.All
Team.ReadBasic.All
TeamMember.Read.All
Teams Meeting Transcripts (Optional)
OnlineMeetings.Read.All
OnlineMeetingTranscript.Read.All
Calendars.Read
Domain.Read.All
Step 3: Grant Admin Consent
- After adding all permissions, click “Grant admin consent for [your tenant name]” at the top of the API permissions page
- Confirm by clicking “Yes”
- Verify all permissions show “Granted for [your tenant name]” with green checkmarks
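As a check on Steps 2 and 3, the following added example (not Atolio or Microsoft code) decodes the claims of an app-only Microsoft Graph access token and compares its roles claim with the permission names listed above. Application permissions appear in a token's roles claim and delegated permissions in scp; the sample token is constructed and unsigned, and the function names are hypothetical.

```python
import base64
import json

# Application permissions this page lists without an "optional" marker (Step 2).
REQUIRED = {
    "Application.Read.All", "Group.Read.All", "GroupMember.Read.All", "User.Read.All",
    "Channel.ReadBasic.All", "ChannelMember.Read.All", "ChannelMessage.Read.All",
    "Chat.Read.All", "ChatMember.Read.All", "ChatMessage.Read.All",
    "Team.ReadBasic.All", "TeamMember.Read.All",
}
# Marked optional on this page: Directory.Read.All and the transcript group.
OPTIONAL = {
    "Directory.Read.All", "OnlineMeetings.Read.All",
    "OnlineMeetingTranscript.Read.All", "Calendars.Read", "Domain.Read.All",
}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token: str) -> dict:
    """Report whether the token is app-only and how its roles differ from the page's list."""
    claims = jwt_claims(token)
    roles = set(claims.get("roles", []))
    return {
        "app_only": "scp" not in claims and bool(roles),  # scp means delegated
        "missing": sorted(REQUIRED - roles),               # consent not granted yet
        "unexpected": sorted(roles - REQUIRED - OPTIONAL), # more than the page asks for
    }


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo; not a real Entra ID token."""
    return f"{_b64url({'alg': 'none'})}.{_b64url(claims)}.sig"


if __name__ == "__main__":
    sample = constructed_token({
        "aud": "https://graph.microsoft.com",
        "roles": sorted(REQUIRED - {"Chat.Read.All"}) + ["Mail.Read"],
    })
    print(audit_token(sample))
```

A non-empty "missing" list corresponds to the consent and permission rows in the Troubleshooting table; a non-empty "unexpected" list means the App Registration holds more than this page requires.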
Step 4: Upload Certificate
- Click “Certificates & secrets” in the left menu
- Click “Upload certificate”
- Select your .cer file (not the .pfx file)
- Add description: Atolio Teams Authentication
- Click “Add”
Step 5: Collect Configuration Values
From the “Overview” page, copy:
- Application (client) ID
- Directory (tenant) ID
You’ll provide these along with your base64-encoded .pfx certificate to your Atolio support contact. This link is beside the Add a permission link.
Application Access Policy for Teams Meeting Transcripts
In addition to the Entra ID permissions above, you need to set up an application access policy for Atolio to access transcripts.
- Open PowerShell. Install the Microsoft Teams PS module:
Install-Module -Name MicrosoftTeams -Force -AllowClobber
- Connect to the Teams module with an admin account from your shell. This opens a login page in your browser:
Import-Module MicrosoftTeams
Connect-MicrosoftTeams
- Create a new policy. Assuming the policy name is “Atolio-Transcript-Access-Policy”, and the previously registered application ID (client ID) is “some-app-id”, the shell command will be as follows:
New-CsApplicationAccessPolicy -Identity Atolio-Transcript-Access-Policy -AppIds "some-app-id" -Description "Access policy for teams transcripts"
- Associate users with the policy. You have two options:
- Option 1 - Grant tenant-wide access (recommended). This will allow Atolio to index transcripts owned by every user who does not have an application access policy assigned:
Grant-CsApplicationAccessPolicy -PolicyName Atolio-Transcript-Access-Policy -Global
- Option 2 - Grant user-specific access. This will allow Atolio to index transcripts owned by explicitly declared users only:
Grant-CsApplicationAccessPolicy -PolicyName Atolio-Transcript-Access-Policy -Identity "some-user-id"
More details about the policy setup can be found in the official documentation:
- https://learn.microsoft.com/en-us/graph/cloud-communication-online-meeting-application-access-policy
Resource Filtering
Limit indexing scope using resource filters. Teams supports team-specific filtering:
Team Filtering
Index specific Teams by name or ID:
resources:
  team:
    included:
      - 66e327b3-321a-4ebf-8e2c-34cebf134bf8 # Engineering Team ID
      - 0507654f-506d-4805-95d5-516bcaf1075c # Sales Team ID
    excluded:
      - b0b083d0-6288-45ce-8ecd-16960ba7b329 # HR Team ID
Sample Configuration
Here’s a complete YAML configuration example for Teams:
connector: microsoft
source: teams
common:
  enabled: true
  identity-provider: false
  cron-spec: "40 */1 * * *"
secrets:
  client_cert:
    value: "<BASE64_ENCODED_PFX_CONTENT>"
  client_cert_password:
    value: "<CERTIFICATE_PASSWORD>" # Optional if no password set
configuration:
  client-id: "<APPLICATION_CLIENT_ID>"
  tenant-id: "<DIRECTORY_TENANT_ID>"
  disable_full_permissions: false
  enable-transcripts: true # Enable meeting transcript indexing
  skip-chats: false # Set to true to skip private chats
resources:
  team:
    included:
      - 66e327b3-321a-4ebf-8e2c-34cebf134bf8 # Engineering Team ID
      - 0507654f-506d-4805-95d5-516bcaf1075c # Marketing Team ID
Troubleshooting
Error | Cause | Solution |
---|---|---|
401 Unauthorized | Missing admin consent | Click “Grant admin consent” in API permissions |
403 Forbidden | Wrong permission type | Ensure you added Application permissions, not Delegated |
invalid_client | Certificate not found/expired | Verify certificate is uploaded and valid |
Teams not appearing | Missing team permissions | Verify all Teams permissions are granted |
Transcripts missing | Application access policy not set | Follow PowerShell policy setup steps above |
Private chats missing | Chat.Read.All permission missing | Add permission and re-grant admin consent |
Limitations
- Only the first 1000 replies to a channel post will be indexed, due to limitations of the Microsoft API.