Connecting to Microsoft Teams from an App Connect Designer instance in a containerized environment (local connector)

If you are using an App Connect Designer instance within an installation of IBM Cloud Pak for Integration or IBM App Connect Enterprise certified container, you can choose to use a local connector to establish a connection and interact with Microsoft Teams.

To use a local connector to connect to your Microsoft Teams account, complete the following steps. (For more information about using an App Connect Designer instance in a containerized environment, see Creating and managing flows for an API in App Connect Designer.)

  1. Complete the connection fields that you see in the App Connect Designer Connect > Applications and APIs page or flow editor. If necessary, work with your Microsoft Teams administrator to obtain these values.
    • Access token: Specify the access token generated from the application client ID and application client secret.
    • Refresh token: Specify the refresh token generated from the application client ID and application client secret.
    • Client Id: Specify the consumer key that App Connect uses to identify itself to Microsoft Teams. This key is generated when you create a connected app for App Connect in your Microsoft Teams instance.
    • Client secret: Specify the consumer secret that identifies App Connect as the owner of the consumer key. This secret is generated when you create a connected app for App Connect in your Microsoft Teams instance.
      Note: The following Microsoft Teams user permissions are required to create a connected app: Customize Application AND either Modify All Data OR Manage Connected Apps.
    Tip: If you do not already have these OAuth authentication values, you can obtain them by completing the steps in How to generate OAuth authentication values for Microsoft Teams.
    Example of completed fields for connecting from App Connect
  2. Click Connect (and then click Continue to close the message about your Microsoft Teams account requirements).

This creates an account in App Connect.

Tip:

Before you use the account that is created in App Connect in a flow, rename the account to something meaningful that helps you to identify it. To rename the account on the Applications and APIs page, select the account, open its options menu (⋮), then click Rename Account.

How to generate OAuth authentication values for Microsoft Teams

To use basic OAuth to connect to Microsoft Teams, you'll need to register an app with the required permissions in Microsoft Azure, which will enable App Connect to integrate with Microsoft Teams by using APIs and protocols. You must also obtain an access token from the Microsoft identity platform endpoint, which can be attached to requests that App Connect sends to Microsoft Teams, and a refresh token that can be used to obtain a new access token.

  1. Register an app with Microsoft Azure, for use with App Connect.
    1. Log in to the Microsoft Azure portal, and then locate and click App registrations. (Direct link for the Azure app registration portal: https://go.microsoft.com/fwlink/?linkid=2083908)
    2. In the App registrations page, click New registration.
    3. In the Register an application page, specify a unique name for your app, select Accounts in any organizational directory (Any Azure AD directory - Multitenant) as the account type, and accept the default values for the remaining fields.
      Figure 1. 'Register an application' page
    4. Click Register. The Overview page for the app is displayed.
      Figure 2. Overview page for the registered app
    5. Make a note of the Application (client) ID and the Directory (tenant) ID values. You'll need to specify these values later to generate an access token. You'll also need to specify the client ID as a connection value when creating an account in App Connect.
  2. Generate a client secret for your registered app:
    1. Next to Client credentials, click Add a certificate or secret. This displays the Certificates & secrets page.
    2. Click New client secret.
    3. In the Add a client secret panel, specify a description for the secret (for example, App Connect secret) and then select an expiry period.
    4. Click Add. The generated client secret is displayed in the Client secrets section of the Certificates & secrets page.
      Figure 3. Generated client secret for the registered app
    5. Copy and store the client secret value and ID, because you'll need to specify them later to generate an access token and as connection values when creating an account in App Connect.
      Note: The secret won't be shown again after you leave this page.
  3. Configure the permissions that App Connect needs:
    1. In the left pane, click API permissions and then click Add a permission > Microsoft Graph > Delegated permissions to add each of the following permissions in turn. You can search for and select permissions, and then click Add permissions.
      | Permissions | Description |
      | --- | --- |
      | Chat.ReadWrite | Reads and writes user chat messages. |
      | ChatMessage.Send | Sends user chat messages. |
      | Group.ReadWrite.All | Reads and writes to all groups. |
      | offline_access (under OpenId permissions) | Maintains access to data that you have given it access to. |
      | Team.ReadBasic.All | Reads the names and descriptions of teams. |
      | User.Read | Signs in and reads user profiles. (This might already be set by default.) |
      | User.ReadBasic.All | Reads basic profiles for all users. |
      | OnlineMeetings.ReadWrite | Reads and creates user's online meetings. |
      | OnlineMeetingRecording.Read.All | Reads all recordings of online meetings. |
      | OnlineMeetingTranscript.Read.All | Reads all transcripts of online meetings. |
      | Calendars.ReadWrite | Has full access to user calendars. |

      Note: Group.ReadWrite.All requires admin consent.
    2. If a permission is not granted, you might need to click Grant admin consent for myDomain, where myDomain is your domain name. Then click Yes to confirm. (This will update the status of all permissions to Granted for myDomain.)
      Figure 4. Required permissions for the registered app
  4. Submit a POST request to generate an access token and a refresh token that will be used to interact with Microsoft Teams on your behalf. Specify the following parameters:
    • URL: https://login.microsoftonline.com/tenantID/oauth2/v2.0/token

      Where tenantID is the Directory (tenant) ID value that was generated for your registered app.

    • Content-Type: application/x-www-form-urlencoded
    • Request parameters:
      | Key | Value |
      | --- | --- |
      | client_id | Set this to the Application (client) ID value that was generated for your registered app. |
      | scope | Chat.ReadWrite ChatMessage.Send Group.ReadWrite.All Team.ReadBasic.All User.Read User.ReadBasic.All OnlineMeetings.ReadWrite OnlineMeetingRecording.Read.All OnlineMeetingTranscript.Read.All Calendars.ReadWrite offline_access |
      | grant_type | password |
      | client_secret | Set this to the client secret that was generated under Certificates & secrets for your registered app. |
      | userName | Set this to the user name that was used to log in to the Azure portal. |
      | password | Set this to the associated password for the user name. |
    For example:
    • Using curl:
      curl -d "client_id=e25bbc19-...bba747&client_secret=xKb7Q~...JlAA1br&scope=Chat.ReadWrite ChatMessage.Send Group.ReadWrite.All Team.ReadBasic.All User.Read User.ReadBasic.All offline_access&grant_type=password&userName=ibmtesta@domain101.onmicrosoft.com&password=N0t||the||Realpwd" -H "Content-Type: application/x-www-form-urlencoded" -X POST https://login.microsoftonline.com/dc4aca22-...bbc/oauth2/v2.0/token
      Response:
      {"token_type":"Bearer","scope":"Chat.ReadWrite ChatMessage.Send Group.ReadWrite.All Team.ReadBasic.All User.Read User.ReadBasic.All profile openid email","expires_in":4125,"ext_expires_in":4125,"access_token":"eyJ0eXAiOiL0V1YiJub25lYSI6Imtzc...-YUpMw","refresh_token":"0.AU2AJ8...oJCzxaWy3m"}
      
      Note: In this example, the access token is valid for 1 hour, and the refresh token will expire after 90 days of inactivity. So you should need to generate new tokens only if the refresh token has been revoked or has not been used in 90 days.
    • Using Postman: (Postman Version 7.13 was used in these instructions, so there might be a slight variation in the fields that you see if your version is different.)
      Figure 5. Configuring the POST request in Postman
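
Added example (not part of the original documentation): the page notes that the refresh token can be used to obtain a new access token. This Python code builds that refresh request against the same token endpoint and checks a token response for permissions that were requested but not granted, as happens when admin consent is missing. The function names are hypothetical, the request fields follow the standard OAuth 2.0 refresh_token grant, and the handling of URI-prefixed scope names is an assumption.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# Delegated permissions from step 3; offline_access is what yields the refresh token.
SCOPES = ("Chat.ReadWrite ChatMessage.Send Group.ReadWrite.All Team.ReadBasic.All "
          "User.Read User.ReadBasic.All OnlineMeetings.ReadWrite "
          "OnlineMeetingRecording.Read.All OnlineMeetingTranscript.Read.All "
          "Calendars.ReadWrite offline_access")


def refresh_request(tenant_id, client_id, client_secret, refresh_token):
    """Build the POST that exchanges a refresh token for a new access token."""
    form = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "refresh_token", "refresh_token": refresh_token,
            "scope": SCOPES}
    # urlencode escapes '&', '=' and spaces, so secret values cannot break the form.
    body = urllib.parse.urlencode(form).encode("ascii")
    url = TOKEN_URL.format(tenant=urllib.parse.quote(tenant_id, safe=""))
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def check_token_response(raw_json, requested=SCOPES, now=None):
    """Return (requested scopes not granted, access-token expiry as epoch seconds)."""
    resp = json.loads(raw_json)
    if "error" in resp:
        raise ValueError(f"{resp['error']}: {resp.get('error_description', '')}")
    # Assumption: scopes may come back as full resource URIs; compare the last segment.
    granted = {s.rsplit("/", 1)[-1].lower() for s in resp.get("scope", "").split()}
    # As in the page's sample response, offline_access is not echoed in "scope";
    # its effect is the presence of a refresh_token.
    missing = [s for s in requested.split()
               if s != "offline_access" and s.lower() not in granted]
    if "refresh_token" not in resp:
        missing.append("offline_access")
    now = time.time() if now is None else now
    return missing, now + int(resp["expires_in"])


def refresh_tokens(tenant_id, client_id, client_secret, refresh_token):
    """Send the refresh request (network call) and return the raw JSON response."""
    req = refresh_request(tenant_id, client_id, client_secret, refresh_token)
    with urllib.request.urlopen(req, timeout=30) as r:
        return r.read().decode("utf-8")
```

Supply the client secret and refresh token from a secret store or environment variables rather than command-line arguments, which can end up in shell history and process listings.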