Microsoft Teams Integration Setup
This guide walks you through connecting Microsoft Teams to RAD Security, enabling automated notifications from workflows directly to your Teams channels and users. The setup requires administrative access to configure a service account and grant organization-wide consent.Important: Microsoft Teams is currently designed for workflow notifications and is not integrated with RADBot.
Prerequisites
Before you begin, ensure you have:Microsoft 365 Business or Enterprise subscription
Global Administrator or Application Administrator role in Microsoft Entra ID
Access to create users in your Microsoft 365 tenant
Access to RAD Security workspace with integration permissions
Step 1: Grant Admin Consent
The first step is to grant organization-wide consent for the RAD Security application. This allows the service account (created in Step 2) to send notifications without requiring individual user consent.Time Required: 2-3 minutes
Required Role: Global Administrator or Application Administrator
Access the Admin Consent URL
Open the following admin consent URL in your browser:This will grant consent for your organization and redirect you to a confirmation page.
Log in as Administrator
You’ll be redirected to Microsoft’s login page. Log in using your Microsoft 365 administrator account (Global Administrator or Application Administrator role).
Review Permissions
Review the permissions that RAD Security is requesting:
- Read team names and descriptions - To identify available Teams
- Read channel names and descriptions - To target specific channels
- Send messages to channels - To deliver workflow notifications
- Send and read direct messages - To send notifications to individual users
- Read user profiles - To identify users for direct messaging
- Maintain offline access - To refresh tokens automatically
Admin consent is now granted! This step only needs to be completed once for your entire organization. Regular users and the service account won’t see permission prompts after this.
Step 2: Create Service Account
The Microsoft Teams integration uses a dedicated service account to send notifications on behalf of RAD Security. This ensures notifications come from a consistent, identifiable source.Time Required: 5 minutes
Required Role: User Administrator or Global Administrator
Navigate to Microsoft 365 Admin Center
Go to Microsoft 365 Admin Center and sign in with your administrator account.Navigate to Users → Active users
Create New User
Click Add a user to begin creating the service account.Enter the following details:
- Username: Choose a descriptive name (e.g.,
rad-bot,rad-security,security-notifications) - Display name: “RAD Security” or “RAD Security Bot”
- Domain: Use your organization’s primary domain
[email protected]Assign License
Select a license that includes Microsoft Teams access:
- Microsoft 365 Business Basic (minimum)
- Microsoft 365 Business Standard
- Microsoft 365 E3 or E5
Configure Password
Set a strong password for the service account:
- Uncheck “Require this user to change their password when they first sign in”
- Generate a secure password (20+ characters recommended)
- Save these credentials securely in your organization’s password manager or secrets vault
Your service account is now ready! Make sure the credentials are stored securely before proceeding.
Step 3: Configure Integration in RAD Security
Now that admin consent is granted and the service account is created, you can configure the integration in RAD Security.Time Required: 2 minutes
Required Role: RAD Security tenant administrator
Select Microsoft Teams
Find and click on Microsoft Teams from the list of available notification integrations.
Step 4: Complete OAuth Authorization
You’ll now complete the OAuth flow using the service account credentials you created in Step 2.Time Required: 2 minutes
Required Credentials: Service account username and password from Step 2
Complete Authentication
Enter the service account password.Since admin consent was already granted in Step 1, you should not see a permissions consent screen. The authentication will complete automatically.
OAuth authorization is complete! The integration is now active and ready to send notifications.
Step 5: Add Bot to Teams Channels
For the RAD Security bot to send messages to Teams channels, the service account must be added as a member of those channels. This is required because we use delegated permissions where the authenticated user (service account) must be a channel member to post messages.This step is performed by Teams users, not administrators. Each channel owner or member can add the bot to their channels as needed.
Add the Bot as a Member
Click the three dots (⋯) next to the channel name and select Manage channel.
- Go to the Members tab
- Click Add members
- Search for your service account name (e.g., “RAD Security Bot” or “[email protected]”)
- Click Add and set the role to Member
You can also add the bot by typing
/add in the channel followed by the bot’s name or email address.Note: The bot does not need to be added to send direct messages to users. DMs work automatically once the integration is configured.
Verify Integration
After completing the setup, verify that the integration is working properly:Check Integration Status
Go to Data Sources → Integrations in RAD Security and locate your Microsoft Teams integration.Verify that:
- Status shows Connected
- Tenant name matches your organization
- User information is displayed correctly
Send Test Notification to Channel
Configure a test workflow to send a notification to a Teams channel:
- Target format:
"Team Name/Channel Name" - Example:
"Security Operations/Alerts"
Send Test Direct Message
Configure a test workflow to send a notification to a user:
- Target format: User’s email address
- Example:
"[email protected]"
Your Microsoft Teams integration is now fully configured! You can now receive workflow notifications and alerts in Teams channels and direct messages.
Configuring Notification Destinations
When setting up workflow notifications, you can specify where messages should be delivered in Microsoft Teams:Send to a Channel
To send notifications to a specific Teams channel, use the format “Team Name/Channel Name”:- Team and channel names are case-sensitive
- Use the exact names as they appear in Microsoft Teams
- The service account must be added as a member of the channel (see Step 5)
- Works with both standard and private channels
"Engineering/Deployments""Security Team/Incident Response""Operations/Monitoring Alerts"
Send Direct Messages to Users
To send notifications directly to a specific user, provide their email address:- Use the email address associated with the user’s Microsoft 365 account
- The user will receive a direct message from the RAD Security bot
- No additional setup required - DMs work once the integration is configured
- The user must be in the same Microsoft 365 tenant
What Notifications Are Sent
Workflow Completion
Workflow Completion
- Notifications when automated workflows complete successfully
- Summary of workflow actions taken
- Links to detailed results in RAD Security
Security Alerts
Security Alerts
- Critical security events detected by workflows
- Threshold violations and policy breaches
- Urgent issues requiring immediate attention
Custom Workflow Events
Custom Workflow Events
- Custom notifications configured in your workflows
- Scheduled report summaries
- Integration status updates
Use Cases
Workflow Monitoring
Receive real-time updates when security workflows complete, keeping your team informed of automated actions.
Incident Response
Get immediate alerts in dedicated incident response channels when critical security events are detected.
Team Collaboration
Share security findings and workflow results with relevant teams in their existing Teams channels.
On-Call Notifications
Send direct messages to on-call engineers for time-sensitive security issues requiring immediate action.
Troubleshooting
Need admin approval error during OAuth
Need admin approval error during OAuth
Possible causes:
- Admin consent (Step 1) was not completed successfully
- You’re logging in with your personal account instead of the service account
- Admin consent was granted for a different tenant
- Verify Step 1 (Admin Consent) was completed successfully
- Ensure you’re logging in with the service account credentials during OAuth (Step 4)
- Check that admin consent was granted for the correct Microsoft 365 tenant
- Try the admin consent flow again if needed
Channel not found error
Channel not found error
Possible causes:
- The team or channel name is misspelled or incorrectly formatted
- The service account hasn’t been added as a member of the channel
- The channel is private and the service account doesn’t have access
- Verify the exact team and channel names (they are case-sensitive)
- Check the format is exactly:
"Team Name/Channel Name" - Add the service account as a member of the channel (see Step 5)
- For private channels, ensure the service account has been explicitly added
User not found error
User not found error
Possible causes:
- The email address is incorrect or misspelled
- The user doesn’t exist in your Microsoft 365 tenant
- The user is in a different tenant
- Verify the email address is correct
- Check that the user exists in your Microsoft 365 tenant
- Ensure the user is in the same tenant as the service account
- Try sending to a different user to isolate the issue
Integration status shows Pending
Integration status shows Pending
Possible causes:
- The OAuth flow (Step 4) wasn’t completed
- You logged in with the wrong account during OAuth
- The OAuth flow was interrupted
- Complete the OAuth authorization flow (Step 4)
- Ensure you’re logging in with the service account credentials
- Delete the integration and start over from Step 3 if needed
Token expired or authentication failed
Token expired or authentication failed
Possible causes:
- The service account password was changed
- The service account was disabled or deleted
- Admin consent was revoked
- The service account license was removed
- Verify the service account is still active in Microsoft 365
- Check that the service account still has a Teams license assigned
- Verify that admin consent is still granted
- Re-authorize the integration by clicking Reconnect in RAD Security
- If the service account password changed, you may need to delete and recreate the integration
Forbidden error when sending messages
Forbidden error when sending messages
Possible causes:
- The service account is not a member of the target channel
- The service account’s Teams license expired or was removed
- Add the service account to the channel as a member (Step 5)
- Verify the service account has an active Teams license
- Check that the service account can access Teams by logging in manually
Security Best Practices
Secure Credential Storage
Store the service account credentials in your organization’s password manager or secrets vault. Multiple administrators should not share credentials directly.
Channel Access Control
Only send sensitive security notifications to private channels with restricted membership to prevent information disclosure.
Service Account Monitoring
Monitor the service account for unusual activity and treat it as a privileged account in your security policies.
Least Privilege
The service account only has the minimum required permissions to send messages and read basic user/team information.
Regular Access Reviews
Periodically review which Teams channels receive RAD Security notifications and adjust as team membership changes.
Message Content
Configure workflow notifications to avoid including sensitive data like credentials or PII in Teams messages.