The Microsoft Teams application is a subordinate application and uses the Azure Active Directory database. It consists of teams and channels with members of their own. MS Teams further divides members into team and channel members, or team and channel owners, with higher privileges. Teams are public and private and channels are standard and private. Each team can have a number of channels with one default standard channel.
While collecting data from the Microsoft Teams application, you must use the Azure AD MS Graph collector for collecting accounts and identities and use the MS Teams collector to collect teams, channels, their members, and the associated permissions. However, for the collector to work, you must have the following API permissions in Azure Active Directory.
|
Resource |
Type |
Permission |
Description |
|---|---|---|---|
|
Team |
Application |
TeamSettings.Read.Group |
Read team’s settings |
|
Application |
TeamSettings.ReadWrite.Group |
Read and write team's settings |
|
Application |
User.Read.All |
Read all user profiles |
|
Application |
User.ReadWrite.All |
Read and write all user profiles |
|
Application and Delegated |
Team.ReadBasic.All |
Read names and descriptions of all teams |
|
Application and Delegated |
TeamSettings.Read.All |
Read all teams settings |
|
Application and Delegated |
TeamSettings.ReadWrite.All |
Read and change all teams settings |
|
Application and Delegated |
Group.Read.All |
Read all groups |
|
Application and Delegated |
Group.ReadWrite.All |
Read and write all groups |
|
Application and Delegated |
GroupMember.ReadWrite.All |
Read and modify the membership of groups within an organization. Also, manage group memberships, add and remove members. |
|
Application and Delegated |
Directory.Read.All |
Read all directory data |
|
Application and Delegated |
Directory.ReadWrite.All |
Read and write directory data |
|
Application |
Directory.AccessAsUser.All |
Access the directory as the signed-in user |
|
Application |
TeamMember.Read.Group |
Read team’s members |
|
Application and Delegated |
TeamMember.Read.All |
Read all team members |
|
Application and Delegated |
TeamMember.ReadWrite.All |
Add, remove, and change roles for members of all teams |
|
Application |
TeamMember.ReadWriteNonOwnerRole.All |
Add and remove members with non-owner roles for all teams |
|
Channel |
Application |
ChannelSettings.Read.Group |
Read channel data of a team |
|
Application |
ChannelSettings.ReadWrite.Group |
Update channel data of a team |
|
Application and Delegated |
Channel.ReadBasic.All |
Read all channel names and descriptions |
|
Application and Delegated |
ChannelSettings.Read.All |
Read all channel data of a team |
|
Application and Delegated |
ChannelSettings.ReadWrite.All |
Read and write all channel data |
|
Application and Delegated |
Group.Read.All |
Read all groups |
|
Application and Delegated |
Group.ReadWrite.All |
Read and write all groups |
|
Application and Delegated |
Directory.Read.All |
Read directory data |
|
Application and Delegated |
Directory.ReadWrite.All |
Read and write directory data |
|
Application and Delegated |
ChannelMember.Read.All |
Read channel members |
|
Application and Delegated |
ChannelMember.ReadWrite.All |
Add, remove, and change roles for members of all channels |
IMPORTANT:The Microsoft Teams collector does not collect data for itself. So, you must enable the Azure Active Directory data source to collect permissions from MS Teams.
You have the option to configure the MS Teams collector as a hierarchical structure and map the attribute Unique Application ID with the applicationId. Ensure that the outputValue in the ECMA script is mapped to the name of the collector. For example, outputValue='MS_Teams'. Also, configure the MS Teams Permission collector template mandatory attribute mappings, such as ID, and objectType. ID is the unique ID from a team or a channel, and objectType indicates whether the object is for teams or channels.
Occasionally, while collecting data using the MS Teams collector, the collection might fail with an error message. This occurs because of issues such as an application timeout when the response from the Microsoft Teams API takes a long time to return or a backend error when the Microsoft Teams API is not able to process the request. Check your configuration, change the timeout value, view logs and audit events, and try again.