16.8 Understanding and Configuring MS Teams Templates

Identity Governance provides the following templates for MS Teams:

  • MS Teams Permission Collector

  • MS Teams Fulfillment

For additional information about configuring MS Teams templates, see the following sections:

16.8.1 About Microsoft Teams Collectors

The Microsoft Teams application is a subordinate application and uses the Azure Active Directory database. It consists of teams and channels with members of their own. MS Teams further divides members into team and channel members, or team and channel owners, with higher privileges. Teams are public and private and channels are standard and private. Each team can have a number of channels with one default standard channel.

While collecting data from the Microsoft Teams application, you must use the Azure AD MS Graph collector for collecting accounts and identities and use the MS Teams collector to collect teams, channels, their members, and the associated permissions. However, for the collector to work, you must have the following API permissions in Azure Active Directory.

Resource

Permission

Type

Description

Team

TeamSettings.Read.Group

Application

Read team’s settings

 

TeamSettings.ReadWrite.Group

Application

Read and write team's settings

 

User.Read.All

Application

Read all user profiles

 

User.ReadWrite.All

Application

Read and write all user profiles

 

Team.ReadBasic.All

Application and Delegated

Read names and descriptions of all teams

 

TeamSettings.Read.All

Application and Delegated

Read all teams settings

 

TeamSettings.ReadWrite.All

Application and Delegated

Read and change all teams settings

 

Group.Read.All

Application and Delegated

Read all groups

 

Group.ReadWrite.All

Application and Delegated

Read and write all groups

 

Directory.Read.All

Application and Delegated

Read all directory data

 

Directory.ReadWrite.All

Application and Delegated

Read and write directory data

 

Directory.AccessAsUser.All

Application

Access the directory as the signed-in user

 

TeamMember.Read.Group

Application

Read team’s members

 

TeamMember.Read.All

Application and Delegated

Read all team members

 

TeamMember.ReadWrite.All

Application and Delegated

Add, remove, and change roles for members of all teams

 

TeamMember.ReadWriteNonOwnerRole.All

Application

Add and remove members with non-owner roles for all teams

Channel

ChannelSettings.Read.Group

Application

Read channel data of a team

 

ChannelSettings.ReadWrite.Group

Application

Update channel data of a team

 

Channel.ReadBasic.All

Application and Delegated

Read all channel names and descriptions

 

ChannelSettings.Read.All

Application and Delegated

Read all channel data of a team

 

ChannelSettings.ReadWrite.All

Application and Delegated

Read and write all channel data

 

Group.Read.All

Application and Delegated

Read all groups

 

Group.ReadWrite.All

Application and Delegated

Read and write all groups

 

Directory.Read.All

Application and Delegated

Read directory data

 

Directory.ReadWrite.All

Application and Delegated

Read and write directory data

 

ChannelMember.Read.All

Application and Delegated

Read channel members

 

ChannelMember.ReadWrite.All

Application and Delegated

Add, remove, and change roles for members of all channels

IMPORTANT:The Microsoft Teams collector does not collect data for itself. So, you must enable the Azure Active Directory data source to collect permissions from MS Teams.

You have the option to configure the MS Teams collector as a hierarchical structure and map the attribute Unique Application ID with the applicationId. Ensure that the outputValue in the ECMA script is mapped to the name of the collector. For example, outputValue='MS_Teams'. Also, configure the MS Teams Permission collector template mandatory attribute mappings, such as ID, and objectType. ID is the unique ID from a team or a channel, and objectType indicates whether the object is for teams or channels.

Occasionally, while collecting data using the MS Teams collector, the collection might fail with an error message. This occurs because of issues such as an application timeout when the response from the Microsoft Teams API takes a long time to return or a backend error when the Microsoft Teams API is not able to process the request. Check your configuration, change the timeout value, view logs and audit events, and try again.

16.8.2 About Microsoft Teams Fulfillment

If you have the appropriate permissions in Azure Active Directory, you can fulfill the following change requests:

  • ADD PERMISSION TO USER

  • REMOVE ACCOUNT PERMISSION

  • REMOVE PERMISSION ASSIGNMENT

You can add or remove a member only from a private channel. However, before adding a member to a channel, ensure that the member is already a part of the team. When you add a user to a team, the Microsoft Teams fulfiller adds the user automatically to all standard channels under the team, as a member.

NOTE:To avoid unexpected behavior from the application, we recommend that you do not add a team and a channel member in the same request.

You can assign the user the role of an owner. To do so, you need to customize the request form and add ‘owner’ as Data Source Values and ‘roles’ as Label, then publish the form. This will allow you to select the role as ‘owner’ when you request permission for the user. For information about customizing forms using Form Builder, see Creating a Request or Approval Form. Additionally, while configuring Fulfillment item configuration and mapping in the template, you must add "flowdata" for the attribute Permission Profile. For example, add ["flowdata", "permissionProfile"].

NOTE:To assign a user as an owner you need to create custom forms for each team and channel separately.

For the fulfillment to process successfully, you must add the following attributes to the fulfillment context attribute:

Fulfillment Context Attributes

Attributes

Recipient

  • User ID from Source

  • Full Name

  • Employee Status

  • Last Name

  • First Name

  • Email

Account

  • Account ID from Source

  • Account Disabled

Permission

  • Permission Type

  • Permission ID from Source

  • Permission Name