Installation and Configuration

Microsoft Teams Connector

Mindbreeze GmbH, A-4020 Linz, 2024.

These documents are strictly confidential. The submission and presentation of these documents does not confer any rights to our software, our services and service outcomes, or any other protected rights. The dissemination, publication, or reproduction hereof is prohibited.

For ease of readability, gender differentiation has been waived. Corresponding terms and definitions apply within the meaning and intent of the equal treatment principle for both sexes.

Installation

Before installing the Microsoft Teams connector, make sure that Mindbreeze Server is installed. To install or update the connector, please use the Mindbreeze Management Center.

Plugin installation via Mindbreeze Management Center

To install the plug-in, open the Mindbreeze Management Center. Select “Configuration” from the menu pane on the left-hand side. Then navigate to the “Plugins” tab. Under “Plugin Management,” select the appropriate zip file and upload it by clicking “Upload.” This automatically installs or updates the connector, as the case may be. In the process, the Mindbreeze services are restarted.

Configuring Mindbreeze

Select the “Advanced” installation method for configuration.

Configuring the index

To create a new index, navigate to the “Indices” tab and click the “Add new index” icon in the upper right corner.

Change the display name of the created index as necessary.

Configuring the data source

Add a new data source by clicking the “Add new custom source” icon at the top right. Select the category “Microsoft Teams” and configure the data source according to your needs.

Creating the Application in Azure

In order to crawl Microsoft Teams with the Microsoft Teams Connector, a new app must first be created that has the permissions to read Microsoft Teams. This app can be created on portal.azure.com.

Navigate to Azure Active Directory -> App registrations and click on the button "New Registration" to register a new app:

After you have created the app, you have to create a secret so that the crawler can actually log in:

When creating the Secret, you can set the expiration time. If you select "Never", the secret will never expire, which is easy to maintain, but involves some security risks. We recommend a runtime of 1-2 years, so that the Secret is changed regularly.

After that you can copy the secret. When you leave the page, you can no longer view the secret, so make sure you enter the secret directly into the Mindbreeze configuration (see next section).

Now you have to give the app the required permissions. To do this, navigate to "App permissions". The Microsoft Teams Crawler needs the following Application Permissions in Microsoft Graph:

ChannelMember.Read.All
ChannelMessage.Read.All
Group.Read.All
User.Read.All

After you have given the app the permission, you have to grant "admin consent". Use the button "Grant admin consent for <MyInstance>" for this:

Request access to protected APIs

Certain endpoints that we need for indexing Microsoft Teams are so-called "protected APIs". For these a request has to be made to Microsoft to get permission to use them. You can read more about this here: https://docs.microsoft.com/en-us/graph/teams-protected-apis

The request form can be found here: https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR1ax4zKyZjVBmutzKVo1pVtUQ1VJMlNTNUdJV1FKTzVZSVU4MlMwTTdOTSQlQCN0PWcu

Access requests are reviewed every Wednesday and permissions are granted every Friday except during major holiday weeks in the US.

You can fill out this form roughly as follows:

Your email address and any others you want to list as an owner (semicolon separated)

The email address(es) of the O365 admin(s).

May we contact you about your app's use of non-protected APIs? (E.g., reliability issues, advanced notice of breaking changes, throttling, etc)

Publisher name

Mindbreeze GmbH

App name
Mindbreeze Microsoft Teams Connector
App id(s) to enable application permissions for

App Id of the app created for the connector.

What does your app do? Why does it exist? (2-3 sentences explaining to an admin who has never heard of your app what it is and why they want it)

Mindbreeze InSpire is a software system enabling the search for information objects in a corporate context ("Enterprise Search Software"). Information objects can be any kind of information contained in structured, partially structured or unstructured storage systems. For most use cases these information objects will be document files in a file system, e-mails in an e-mail box system or documents in a document management system or archive.
Microsoft Teams is one of many supported data sources and Mindbreeze InSpire needs to build an index of the channel messages for the customers.

Why does your app need read access to all messages in the tenant? (If you don't, you don't need protected APIs)

As stated above, Mindbreeze InSpire needs to fetch all messages from channels to build an index that the customer can search in. This index also contains many other data sources.

Data retention - select one of these options:

It is obvious to any admin installing this app that it will make a copy Microsoft Teams messages.

What are the tenant ID's that this app needs to run in? (semicolon-separated. Put "all" if you're writing software for other organizations to use.)

Tenant ID of your O365 tenant

Does your organization own all those tenants? (if no, your answer above should be "all", or you should get the tenant owner to submit the request)

Yes

Section „Connection Settings“

In the "Connection Settings" area you can define your Microsoft Teams instance to be indexed. The following options are available:

Graph Service Root (Advanced Settings)	The endpoint/URL of the Microsoft Graph API. By default, "https://graph.microsoft.com". Change this setting only if you are using a national (non-international) Microsoft Cloud. A list of all available national Microsoft Graph endpoints can be found below.
Azure AD Url (Advanced Settings)	The endpoint/URL to the Azure Active Directory. By default, "https://login.microsoftonline.com". Change this setting only if you are using a national (non-international) Microsoft Cloud. A list of all available national Azure AD endpoints can be found below.
Trust all SSL certificates (Advanced Settings)	Allows the use of non-secured connections, for example for test systems. Must not be enabled in production.
Tenant ID	The Tenant ID of your Microsoft 365 instance. This can be found on the overview page of the app in Azure
App ID	The Application (Client) ID of the app created in Azure
Client Secret	The Credential created in the Network tab, which contains the created Client Secret
SharePoint Online Category Instance	Attachments of Teams messages are stored in Microsoft SharePoint Online. If a reference from Microsoft Teams to the files in Microsoft SharePoint Online is to be created, you must create the Microsoft SharePoint Online Crawler in the same index as the Microsoft Teams Crawler and enter its category instance here. To set up the SharePoint Online Connector, see Configuration - Microsoft SharePoint Online Connector
Crawler Thread Count	Number of threads used for indexing
Log All Requests (Advanced Settings)	If this option is activated, all requests against the Graph API are written to a logfile. Should only be activated for troubleshooting.
Synthesized Title Length (Advanced Settings)	If a message in Microsoft Teams has no subject, the content of the message is used as the title of the Mindbreeze document. This value determines the maximum length of titles that are set in this way. If the title is longer, it will be truncated with ...
Max Retries (Advanced Settings)	The maximum number of retries that will be attempted when the server sends certain throttling responses (e.g. 429).
Enable Delta Crawl (Advanced Settings)	As long as this option is activated, the crawler only retrieves all messages from all Microsoft Teams channels during the first crawl run; afterwards, only the changes in the channels are retrieved, which significantly improves performance. Only deactivate this option if there is an inconsistency between the index and the actual messages in Microsoft Teams.
[Deprecated] Exclusively Use Beta API (Advanced Settings)	This option is deprecated and should not be enabled. If this option is deactivated, make sure that the permissions of the app are correct (see Section 2.2.1 Creating the Application in Azure), because the /beta API sometimes allows API queries despite insufficient permissions. If this option is enabled, the crawler will only use the /beta API. Otherwise, the /beta API is only used to fetch all teams, and the /v1.0 API is used for all other requests.

Available national Microsoft Graph endpoints

Microsoft Graph global service	https://graph.microsoft.com
Microsoft Graph for US Government L4	https://graph.microsoft.us
Microsoft Graph for US Government L5 (DOD)	https://dod-graph.microsoft.us
Microsoft Graph China operated by 21Vianet	https://microsoftgraph.chinacloudapi.cn

Available national Azure AD endpoints

Azure AD (global service)	https://login.microsoftonline.com
Azure AD for US Government	https://login.microsoftonline.us
Azure AD China operated by 21Vianet	https://login.chinacloudapi.cn

Content Settings

Excluded Team Name Patterns	Regular expressions that can be used to specify which teams should be excluded. The regex matches the display name of the team.
Included Team Name Patterns	Regular Expressions that can be used to specify which teams should be crawled. If this option is left empty, all teams will be crawled. The regex matches the display name of the team.
Index Private Teams	If this option is enabled, private teams will be indexed.
Index Archived Teams	If this option is enabled, archived teams will be indexed.
Excluded Team IDs (Advanced Settings)	This option allows you to specify the IDs of the teams that should be excluded.
Included Team IDs (Advanced Settings)	This option allows you to specify the IDs of the teams to be indexed.

[Deprecated] Configuring the principal resolution service

The Teams Principal Resolution Service has been deprecated. Use Microsoft Azure Principal Resolution Service instead. (For completeness, the following sections describe the configuration of the deprecated Teams Principal Resolution Service).

Select “Advanced Settings” to configure the following settings.

Enable the option “Enforce ACL Evaluation.”

Scroll down and add a new service in the "Services" section by clicking on "Add Service". Select "Microsoft Teams Principal Resolution Service" and assign a display name.