Identity Governance provides the following templates for MS Teams:

- MS Teams Permission Collector
- MS Teams Fulfillment
For additional information about configuring MS Teams templates, see the following sections:
The Microsoft Teams application is a subordinate application that uses the Azure Active Directory database. It consists of teams and channels, each with members of their own. MS Teams further divides members into team and channel members, and team and channel owners, who hold higher privileges. Teams can be public or private, and channels can be standard or private. Each team can have a number of channels, with one default standard channel.

When collecting data from the Microsoft Teams application, use the Azure AD MS Graph collector to collect accounts and identities, and use the MS Teams collector to collect teams, channels, their members, and the associated permissions. For the collector to work, the following API permissions must be available in Azure Active Directory.
| Resource | Permission | Type | Description |
|---|---|---|---|
| Team | TeamSettings.Read.Group | Application | Read team's settings |
| | TeamSettings.ReadWrite.Group | Application | Read and write team's settings |
| | User.Read.All | Application | Read all user profiles |
| | User.ReadWrite.All | Application | Read and write all user profiles |
| | Team.ReadBasic.All | Application and Delegated | Read names and descriptions of all teams |
| | TeamSettings.Read.All | Application and Delegated | Read all teams settings |
| | TeamSettings.ReadWrite.All | Application and Delegated | Read and change all teams settings |
| | Group.Read.All | Application and Delegated | Read all groups |
| | Group.ReadWrite.All | Application and Delegated | Read and write all groups |
| | Directory.Read.All | Application and Delegated | Read all directory data |
| | Directory.ReadWrite.All | Application and Delegated | Read and write directory data |
| | Directory.AccessAsUser.All | Application | Access the directory as the signed-in user |
| | TeamMember.Read.Group | Application | Read team's members |
| | TeamMember.Read.All | Application and Delegated | Read all team members |
| | TeamMember.ReadWrite.All | Application and Delegated | Add, remove, and change roles for members of all teams |
| | TeamMember.ReadWriteNonOwnerRole.All | Application | Add and remove members with non-owner roles for all teams |
| Channel | ChannelSettings.Read.Group | Application | Read channel data of a team |
| | ChannelSettings.ReadWrite.Group | Application | Update channel data of a team |
| | Channel.ReadBasic.All | Application and Delegated | Read all channel names and descriptions |
| | ChannelSettings.Read.All | Application and Delegated | Read all channel data of a team |
| | ChannelSettings.ReadWrite.All | Application and Delegated | Read and write all channel data |
| | Group.Read.All | Application and Delegated | Read all groups |
| | Group.ReadWrite.All | Application and Delegated | Read and write all groups |
| | Directory.Read.All | Application and Delegated | Read directory data |
| | Directory.ReadWrite.All | Application and Delegated | Read and write directory data |
| | ChannelMember.Read.All | Application and Delegated | Read channel members |
| | ChannelMember.ReadWrite.All | Application and Delegated | Add, remove, and change roles for members of all channels |
IMPORTANT: The Microsoft Teams collector does not collect data for itself. You must therefore enable the Azure Active Directory data source to collect permissions from MS Teams.

You have the option to configure the MS Teams collector as a hierarchical structure and map the Unique Application ID attribute to the applicationId. Ensure that the outputValue in the ECMA script is set to the name of the collector, for example outputValue='MS_Teams'. Also configure the mandatory attribute mappings of the MS Teams Permission collector template, such as ID and objectType: ID is the unique ID of a team or a channel, and objectType indicates whether the object is a team or a channel.
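One check a practitioner would want before enabling the collector is whether the app registration really holds the application permissions listed in the table, and nothing beyond them. The following added example (not product code; the Graph responses and role ids are constructed samples shaped like the real `servicePrincipals` endpoints) joins the Graph service principal's app roles with the collector app's role assignments and reports missing, unexpected, and write-capable grants.

```python
"""Least-privilege audit of the app registration behind the MS Teams collector.
Added example, not product code: joins two Microsoft Graph responses (constructed
samples below) to report required application permissions that are missing and
granted permissions that allow writes."""
from typing import Dict, List, Set

# Application permissions from the table above (Team and Channel rows). Directory.AccessAsUser.All
# is left out: Graph offers it only as a delegated permission, so it never appears as an app role.
REQUIRED: Set[str] = {
    "TeamSettings.Read.Group", "TeamSettings.ReadWrite.Group", "User.Read.All",
    "User.ReadWrite.All", "Team.ReadBasic.All", "TeamSettings.Read.All",
    "TeamSettings.ReadWrite.All", "Group.Read.All", "Group.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All", "TeamMember.Read.Group",
    "TeamMember.Read.All", "TeamMember.ReadWrite.All", "TeamMember.ReadWriteNonOwnerRole.All",
    "ChannelSettings.Read.Group", "ChannelSettings.ReadWrite.Group", "Channel.ReadBasic.All",
    "ChannelSettings.Read.All", "ChannelSettings.ReadWrite.All", "ChannelMember.Read.All",
    "ChannelMember.ReadWrite.All",
}

# Constructed GET /servicePrincipals/{id}?$select=id,appRoles for the Microsoft Graph
# service principal; role ids are made up. Mail.Read is included to show an unneeded grant.
GRAPH_SP_ID = "graph-sp-0000"
GRAPH_SP = {"id": GRAPH_SP_ID, "appRoles": [
    {"id": f"role-{i}", "value": v, "allowedMemberTypes": ["Application"]}
    for i, v in enumerate(sorted(REQUIRED | {"Mail.Read"}))]}
_IDS = {r["value"]: r["id"] for r in GRAPH_SP["appRoles"]}
# Constructed GET /servicePrincipals/{collectorSpId}/appRoleAssignments: two required
# write permissions are not granted, and one assignment targets a different API.
ASSIGNMENTS = {"value": [
    {"appRoleId": _IDS[v], "resourceId": GRAPH_SP_ID}
    for v in (REQUIRED - {"TeamMember.ReadWrite.All", "ChannelMember.ReadWrite.All"}) | {"Mail.Read"}
] + [{"appRoleId": "role-other", "resourceId": "other-sp"}]}

def role_index(graph_sp: Dict) -> Dict[str, str]:
    """Map app role id -> permission name, application-type roles only."""
    return {r["id"]: r["value"] for r in graph_sp["appRoles"]
            if "Application" in r.get("allowedMemberTypes", [])}

def granted_permissions(assignments: Dict, graph_sp_id: str, index: Dict[str, str]) -> Set[str]:
    """Resolve the assignments that target Microsoft Graph to permission names."""
    return {index[a["appRoleId"]] for a in assignments["value"]
            if a["resourceId"] == graph_sp_id and a["appRoleId"] in index}

def audit(granted: Set[str], required: Set[str] = REQUIRED) -> Dict[str, List[str]]:
    """missing = collector will fail; unexpected = over-privilege; write = review against need."""
    return {"missing": sorted(required - granted),
            "unexpected": sorted(granted - required),
            "write": sorted(p for p in granted if "ReadWrite" in p)}

def run_audit() -> Dict[str, List[str]]:
    return audit(granted_permissions(ASSIGNMENTS, GRAPH_SP_ID, role_index(GRAPH_SP)))
```

Against a live tenant, replace the two constructed responses with the output of the same Graph requests made with an account that can read service principals.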
Occasionally, data collection with the MS Teams collector might fail with an error message. This happens because of issues such as an application timeout, when the response from the Microsoft Teams API takes a long time to return, or a backend error, when the Microsoft Teams API is unable to process the request. Check your configuration, change the timeout value, view the logs and audit events, and try again.

If you have the appropriate permissions in Azure Active Directory, you can fulfill the following change requests:

- ADD PERMISSION TO USER
- REMOVE ACCOUNT PERMISSION
- REMOVE PERMISSION ASSIGNMENT

You can add or remove a member only in a private channel. Before adding a member to a channel, ensure that the member is already part of the team. When you add a user to a team, the Microsoft Teams fulfiller automatically adds the user as a member to all standard channels under the team.

NOTE: To avoid unexpected behavior from the application, we recommend that you do not add a team member and a channel member in the same request.

You can assign a user the role of owner. To do so, customize the request form, add ‘owner’ as Data Source Values and ‘roles’ as Label, and then publish the form. This allows you to select the role ‘owner’ when you request permission for the user. For information about customizing forms using Form Builder, see Creating a Request or Approval Form. Additionally, while configuring the Fulfillment item configuration and mapping in the template, you must add "flowdata" for the Permission Profile attribute, for example ["flowdata", "permissionProfile"].

NOTE: To assign a user as an owner, you need to create custom forms for each team and channel separately.
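The constraints above (private channels only, team membership first, no mixed team and channel changes, standard channels joined automatically) can be checked before a request is submitted. The following added example encodes them as a pre-flight validator; it is not the Identity Governance fulfiller's own logic, and the tenant state, request shape, and names are constructed for illustration.

```python
"""Pre-flight check for MS Teams fulfillment requests, encoding the rules stated above.
Added example, not the Identity Governance fulfiller's own code; the tenant state,
the request shape and the names are constructed for illustration."""
from typing import Dict, List

# Constructed tenant state: one team with its default standard channel and one private channel.
TEAMS: Dict[str, Dict] = {
    "team-eng": {"members": {"alice", "bob"},
                 "channels": {"General": "standard", "Secrets": "private"}},
}

def validate(request: List[Dict], teams: Dict[str, Dict] = TEAMS) -> List[str]:
    """Return the problems that would make fulfillment fail or misbehave; empty means OK."""
    problems: List[str] = []
    # The note above: do not mix team-member and channel-member changes in one request.
    if {op["object"] for op in request} == {"team", "channel"}:
        problems.append("mix of team and channel member changes in one request")
    for op in request:
        team = teams.get(op["team"])
        if team is None:
            problems.append(f"unknown team {op['team']}")
            continue
        if op.get("role", "member") not in ("member", "owner"):  # owner needs the custom form
            problems.append(f"unsupported role {op.get('role')!r}")
        if op["object"] == "channel":
            # Members can be added or removed only on private channels...
            if team["channels"].get(op["channel"]) != "private":
                problems.append(f"{op['channel']} is not a private channel")
            # ...and only for users who already belong to the team.
            if op["action"] == "add" and op["user"] not in team["members"]:
                problems.append(f"{op['user']} is not a member of {op['team']}")
    return problems

def channels_joined_on_team_add(team_id: str, teams: Dict[str, Dict] = TEAMS) -> List[str]:
    """Adding a user to the team places them, as member, in every standard channel."""
    return sorted(c for c, kind in teams[team_id]["channels"].items() if kind == "standard")
```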
For the fulfillment to process successfully, you must add the following attributes to the fulfillment context attribute:

| Fulfillment Context Attributes | Attributes |
|---|---|
| Recipient | |
| Account | |
| Permission | |