Overview
This integration uses application based authentication to access your company's Teams data. This makes it easy for anyone with access to the MS365 cloud upload feature to seamlessly use our Teams integration.
A subscription is also required to access the metered Teams API endpoints that are used to export messages. Customers will be charged directly by Microsoft as per their pricing model (Model B).
This article describes the steps required to set up the integration. For details on how to use Teams once it's been set up, click here:
Configuring the Integration in Azure Active Directory
You will need access to your organization's Microsoft Tenant's Azure Active Directory to register the application.
Register/Create Application in Azure AD
Navigate to Azure Portal Home > Azure Active Directory:
Click App registrations > New registration:
Name the application, select supported account types, and click Register:
Set Application Permissions
Once the application is registered, navigate to API Permissions:
Click Add a permission, then select Microsoft Graph from the list of APIs:
Search for and add all of the necessary APPLICATION permissions for Microsoft Graph:
Required permissions for Microsoft Graph API:
Channel.ReadBasic.All
ChannelMember.Read.All
ChannelMessage.Read.All
Chat.Read.All
Files.Read.All
Group.Read.All
Team.ReadBasic.All
TeamMember.Read.All
User.Read
User.Read.All
With all Microsoft Graph permissions configured, click Grant admin consent. Green check marks indicate permissions have been granted:
Create a Subscription
Navigate to Azure Portal Home > Subscriptions:
Add a New Subscription. In this example, we will create a “Pay-As-You-Go” subscription:
Enter billing and payment information:
A green check mark indicates the subscription has been added successfully:
Link Subscription to Registered Application
To link the subscription to the registered application and allow it to use the metered MS Graph API endpoints, follow these instructions:
https://learn.microsoft.com/en-us/graph/metered-api-setup
Setting up the Integration in Logikcull
This initial setup must be completed by an Account Admin or the Account Owner. Once complete, any users with the necessary permissions may use the integration.
Generate/Download a Certificate in Logikcull Account
Navigate to the Account Preferences page. Click the house icon on the left toolbar and select Preferences:
Scroll down to the Third Party Integrations header > click Connect next to Microsoft Teams:
When prompted, click Generate New Certificate. Next, click Download Certificate. The certificate (a file with a .pem extension) will be saved to your local drive:
Add Certificate to Registered App in Microsoft Tenant
If you have not yet registered an Application in Azure Active Directory, follow the instructions in 🔗 Configuring the Integration in Azure Active Directory.
Open Azure Active Directory > App Registrations. Click on the name of the registered Application for the Logikcull Teams Integration:
Click Certificates & secrets (or the link under Client Credentials):
Click Upload Certificate and upload the certificate (.pem extension) downloaded from Logikcull:
Browse for the certificate, enter a description, and click Add:
You should now see the certificate listed in Azure Active Directory:
Add the Registered App Information in Logikcull
Locate the Application ID, Object ID, and Tenant ID within your Microsoft Tenant Application. Copy them to your clipboard and paste them into the Logikcull Account Administration modal:
Paste the Application ID, Object ID, and Tenant IDs from your clipboard. Click Connect to Microsoft Teams:
Once the connection has been established, Logikcull will display a summary page. Click Close summary, and you’re ready to start using the integration!
How the Integration Accesses Data
The Logikcull MS365 Teams Integration reads an organization's Teams data in order to create a Logikcull Cloud Upload. The data is read and then processed by Logikcull to create HTML-formatted documents.
Read more about how data is accessed
The Integration makes secure web requests via the Microsoft Graph API to read Teams data.
The Integration needs to have a registered identity in the Microsoft Tenant (organization) it is reading from. This identity is given permissions to the data. The Integration gets this identity when a user creates/registers an Application in their Microsoft Tenant’s Azure Active Directory.
The registered Application’s information is entered into a Logikcull account’s administration page to generate a secure certificate. This secure certificate is then added to the registered Application.
With a certificate in place, a secure path is created between Logikcull and the Microsoft Tenant. Every time the Integration connects to the organization, it verifies itself using the certificate. If the certificate is valid, a token is granted to the Integration, and it can then read data.
Accessing Microsoft data using a registered application, as opposed to using a specific Microsoft user is also known as “App access”.
Learn More:
App Access: https://learn.microsoft.com/en-us/graph/auth-v2-service
FAQs
Why can’t I connect the integration with a Microsoft user?
A Microsoft user can only see MS Teams data they can access; information in private channels that a user is not a part of will not be visible. The integration's use of “app-level access" (versus user-level access) allows it to collect all Teams data, including private channels.
Why do I need to register an Application in my Azure Active Directory?
Using the MS Graph Teams API endpoints (that read data in bulk) requires a Microsoft Azure Subscription. Registering an Application in your Tenant allows the subscription to be controlled by your organization and not Logikcull.
Why do I need an Azure Subscription?
Microsoft established consumption-based pricing for exporting MS Teams data in July of 2022: (https://devblogs.microsoft.com/microsoft365dev/upcoming-billing-changes-for-microsoft-graph-apis-for-teams-messages/).
To ensure usage is transparent to customers, the Logikcull and MS Teams integration leverages a registered Application defined in a customer's Tenant, linked to an Azure Subscription owned and managed by customers.
References
Metered API Overview:
Metered API Setup:
App Access:
Register an application with the Microsoft identity platform:
What is an Azure Active Directory Application?