Microsoft Teams Setup

Before the connector can traverse content from Microsoft Teams, a few things need to be set up in the source system.

Microsoft Azure App Registration

The Microsoft Teams connector uses the Microsoft Graph API and the SharePoint REST API. To authenticate against both APIs, a single Microsoft Azure application can be registered. The following steps describe how to create such an Azure application.

  1. Visit the Azure Portal and login as a tenant administrator

  2. Go to App registrations.

  3. Register an application and follow the instructions. Supported account types should be "Accounts in this organizational directory only". A redirect URL is neither needed nor supported. Note the Application (client) ID and the Directory (tenant) ID; both are used later in the connector configuration.

  4. Configure the following Application API permissions (see API Permissions for further explanation):

    • Microsoft Graph

      • ChannelMember.Read.All

      • ChannelMessage.Read.All

      • Group.Read.All

      • Sites.Read.All

      • Team.ReadBasic.All

      • TeamMember.Read.All

      • User.Read.All

    • SharePoint

      • Sites.FullControl.All (Have full control of all site collections / Enumerate Site Role Assignments)

  5. Grant admin consent for your tenant.

  6. Go to Certificates & secrets and upload a certificate. Note the location of the certificate file and the certificate password; both are used later in the connector configuration.

    See Certificate File Generation for a guide on how to generate a certificate.

  7. Use the Application (client) ID and Directory (tenant) ID from the Overview tab to configure the connector.

API Permissions

The following Application API permissions are required by the connector:

Microsoft Graph API

Permission name, followed by its description:

  ChannelMember.Read.All
    Permission to read the members of all channels. Used in principal synchronization to list all members of private or shared channels.

  ChannelMessage.Read.All
    Permission to read all messages of team channels. Used in content synchronization.

  Group.Read.All
    Permission to read Azure AD groups. Used in principal synchronization to list all Azure AD groups and their members.

  Sites.Read.All
    Permission that grants read access to all site collections in a tenant via the Microsoft Graph API. The connector uses this permission to get the site collections assigned to team and channel drives.

  Team.ReadBasic.All
    Permission to get a list of all teams. Used for automatic team discovery in content and principal synchronization.

  TeamMember.Read.All
    Permission to read the members of all teams. Used in principal synchronization to list all members of any team.

  User.Read.All
    Permission to read Azure AD users. Used in principal synchronization to list all Azure AD users.

SharePoint API

Permission name, followed by its description:

  Sites.FullControl.All
    Provides full control of all site collections. This enables the connector to read content, metadata and security information for all types of content contained in all site collections of the tenant.
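The permission lists above are the complete set the connector needs, so an app registration that carries more application permissions than these is over-privileged, and one that carries fewer will fail during synchronization. The following PowerShell script is an added example, not part of the connector or its scripts: it reads the registration's configured application permissions and its admin-consent grants through the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and reports anything missing, anything extra, and anything not yet consented. It resolves permission GUIDs from the resource service principals at run time, so no IDs are hard-coded; the $ClientId parameter name and the Application.Read.All sign-in scope are assumptions of this example.

```powershell
# Added example (not part of the connector documentation): compare the app
# registration's application permissions and admin-consent grants against the
# documented permission set. $ClientId is the Application (client) ID.
param(
    [Parameter(Mandatory)] [string] $ClientId
)

# Well-known application IDs of the two resource APIs, with the permissions
# the connector documentation requires on each.
$resources = @{
    '00000003-0000-0000-c000-000000000000' = @{
        Name     = 'Microsoft Graph'
        Required = @('ChannelMember.Read.All', 'ChannelMessage.Read.All', 'Group.Read.All',
                     'Sites.Read.All', 'Team.ReadBasic.All', 'TeamMember.Read.All', 'User.Read.All')
    }
    '00000003-0000-0ff1-ce00-000000000000' = @{
        Name     = 'SharePoint'
        Required = @('Sites.FullControl.All')
    }
}

# Read-only scope is enough to inspect registrations and consent grants.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$app = Get-MgApplication -Filter "appId eq '$ClientId'"
if (-not $app) { throw "No app registration found for client ID $ClientId" }
$appSp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"

# Application permissions that admin consent has actually granted, keyed by
# "<resource service principal id>/<app role id>".
$granted = @{}
if ($appSp) {
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id | ForEach-Object {
        $granted["$($_.ResourceId)/$($_.AppRoleId)"] = $true
    }
}

foreach ($resourceAppId in $resources.Keys) {
    $res        = $resources[$resourceAppId]
    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$resourceAppId'"

    # Map role GUIDs to permission names (and back) from the resource's own appRoles.
    $roleNames = @{}
    $roleIds   = @{}
    foreach ($role in $resourceSp.AppRoles) {
        $roleNames[$role.Id]    = $role.Value
        $roleIds[$role.Value]   = $role.Id
    }

    # Permissions configured on the registration; Type 'Role' = application permission
    # (delegated permissions have Type 'Scope' and are ignored here).
    $configured = @()
    $rra = $app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $resourceAppId }
    foreach ($access in $rra.ResourceAccess) {
        if ($access.Type -eq 'Role' -and $roleNames.ContainsKey($access.Id)) {
            $configured += $roleNames[$access.Id]
        }
    }

    $missing     = $res.Required | Where-Object { $configured -notcontains $_ }
    $extra       = $configured   | Where-Object { $res.Required -notcontains $_ }
    $unconsented = $res.Required | Where-Object {
        -not $granted["$($resourceSp.Id)/$($roleIds[$_])"]
    }

    Write-Host "== $($res.Name) =="
    Write-Host "  configured application permissions: $($configured -join ', ')"
    if ($missing)     { Write-Warning "  missing required permissions: $($missing -join ', ')" }
    if ($extra)       { Write-Warning "  permissions beyond the documented set: $($extra -join ', ')" }
    if ($unconsented) { Write-Warning "  admin consent not granted for: $($unconsented -join ', ')" }
    if (-not $missing -and -not $extra -and -not $unconsented) {
        Write-Host '  OK: matches the documented set and admin consent is granted'
    }
}
```

Run it as an administrator of the tenant, for example `.\Check-ConnectorPermissions.ps1 -ClientId <Application (client) ID>`. The consent check is the one most often overlooked: a permission that appears under API permissions but has no admin-consent grant is not effective for application-only authentication, and the connector will receive authorization errors until step 5 of the registration has been completed.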

Certificate File Generation

The connector provides a PowerShell script that creates the self-signed certificate used for application authentication. It can be found in the scripts folder of the connector.

  1. Open a PowerShell console as administrator and change directory to the script's folder location.

  2. Run the PowerShell script:

    .\CreateSelfSignedCertificate.ps1

  3. If the execution policy denies the execution, it can be bypassed by:

    powershell -ExecutionPolicy Bypass -File .\CreateSelfSignedCertificate.ps1

  4. Enter a name for the certificate.

  5. Define a date range in which the certificate should be valid. The required format is: yyyy-mm-dd.

  6. Enter a password for the certificate. The password is required later to configure the connector.

  7. Two files will be generated: the private key PFX file, which is used to configure the connector, and the public key CER file, which is uploaded to the Azure application under Certificates & secrets.
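For readers who want to see what the steps above do, or who need to create the certificate on a machine without the connector's scripts folder, the following PowerShell is an added example and not the connector's own CreateSelfSignedCertificate.ps1. It takes the same inputs (a name, a yyyy-mm-dd validity range and a password) and produces the same two files: the password-protected PFX containing the private key for the connector, and the CER with the public certificate for the app registration. The parameter names $Name, $ValidFrom, $ValidTo and $OutDir are this example's own choices.

```powershell
# Added example (not the connector's CreateSelfSignedCertificate.ps1): create a
# self-signed RSA-2048/SHA-256 certificate with an explicit validity window and
# export it as a password-protected PFX (private) and a CER (public).
param(
    [Parameter(Mandatory)] [string] $Name,       # certificate name, e.g. TeamsConnector
    [Parameter(Mandatory)] [string] $ValidFrom,  # yyyy-mm-dd
    [Parameter(Mandatory)] [string] $ValidTo,    # yyyy-mm-dd
    [string] $OutDir = (Get-Location).Path       # where the PFX and CER files are written
)

# Parse the validity range in the documented yyyy-mm-dd format and reject nonsense ranges.
$culture   = [System.Globalization.CultureInfo]::InvariantCulture
$notBefore = [datetime]::ParseExact($ValidFrom, 'yyyy-MM-dd', $culture)
$notAfter  = [datetime]::ParseExact($ValidTo,   'yyyy-MM-dd', $culture)
if ($notAfter -le $notBefore) { throw 'ValidTo must be later than ValidFrom' }

# Prompt for the PFX password without echoing it; it stays a SecureString throughout.
$password = Read-Host -Prompt 'Password for the PFX file' -AsSecureString

# Generate the key pair and certificate in the current user's store. The key must be
# exportable so that the private key can be written to the PFX file.
$cert = New-SelfSignedCertificate -Subject "CN=$Name" `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotBefore $notBefore -NotAfter $notAfter

$pfxPath = Join-Path $OutDir "$Name.pfx"
$cerPath = Join-Path $OutDir "$Name.cer"

# Private key plus certificate, protected by the password: this is the connector's file.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# Public certificate only: this is the file uploaded under Certificates & secrets.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# The exportable private key is now on disk in the PFX; remove it from the store so
# it does not linger on the machine that generated it.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"

Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "Valid      : $($cert.NotBefore.ToString('yyyy-MM-dd')) to $($cert.NotAfter.ToString('yyyy-MM-dd'))"
Write-Host "PFX (private key, keep secret) : $pfxPath"
Write-Host "CER (public, upload to Azure)  : $cerPath"
```

Because the certificate is created in the current user's store rather than the machine store, this example does not need an elevated console. The thumbprint printed at the end is what the app registration shows after the CER upload, which makes it easy to confirm that the uploaded certificate and the PFX given to the connector are the same key pair. Treat the PFX and its password like any other credential: they grant the application permissions listed above to whoever holds them.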