> ## Documentation Index
> Fetch the complete documentation index at: https://docs.rad.security/llms.txt
> Use this file to discover all available pages before exploring further.

# Microsoft Teams

> Connect Microsoft Teams to RAD Security for workflow notifications and alerts.

# Microsoft Teams Integration Setup

This guide walks you through connecting Microsoft Teams to RAD Security, enabling automated notifications from workflows directly to your Teams channels and users. The setup requires administrative access to configure a service account and grant organization-wide consent.

<Note>
  **Important:** Microsoft Teams is currently designed for workflow notifications and is **not integrated with RADBot**.
</Note>

## Prerequisites

Before you begin, ensure you have:

<Check>Microsoft 365 Business or Enterprise subscription</Check>
<Check>Global Administrator or Application Administrator role in Microsoft Entra ID</Check>
<Check>Access to create users in your Microsoft 365 tenant</Check>
<Check>Access to RAD Security workspace with integration permissions</Check>

<Warning>
  This integration requires one-time administrative setup including creating a service account and granting admin consent. Plan for approximately 10-15 minutes for the complete setup process.
</Warning>

***

## Step 1: Grant Admin Consent

The first step is to grant organization-wide consent for the RAD Security application. This allows the service account (created in Step 2) to send notifications without requiring individual user consent.

<Info>
  **Time Required:** 2-3 minutes
  **Required Role:** Global Administrator or Application Administrator
</Info>

<Steps>
  <Step title="Access the Admin Consent URL">
    Open the following admin consent URL in your browser:

    ```
    https://login.microsoftonline.com/common/adminconsent?client_id=7f4e5217-6d0a-4fa2-97d8-a55ab5a67ec4&redirect_uri=https://api.rad.security/integrations/admin-consent/callback
    ```

    This will grant consent for your organization and redirect you to a confirmation page.
  </Step>

  <Step title="Log in as Administrator">
    You'll be redirected to Microsoft's login page. Log in using your Microsoft 365 administrator account (Global Administrator or Application Administrator role).
  </Step>

  <Step title="Review Permissions">
    Review the permissions that RAD Security is requesting:

    * **Read team names and descriptions** - To identify available Teams
    * **Read channel names and descriptions** - To target specific channels
    * **Send messages to channels** - To deliver workflow notifications
    * **Send and read direct messages** - To send notifications to individual users
    * **Read user profiles** - To identify users for direct messaging
    * **Maintain offline access** - To refresh tokens automatically
  </Step>

  <Step title="Grant Consent">
    Click **Accept** to grant organization-wide consent for the RAD Security application.

    You'll be redirected to a confirmation page showing "Admin Consent Granted" when successful.
  </Step>
</Steps>

<Check>
  Admin consent is now granted! This step only needs to be completed once for your entire organization. Regular users and the service account won't see permission prompts after this.
</Check>

***

## Step 2: Create Service Account

The Microsoft Teams integration uses a dedicated service account to send notifications on behalf of RAD Security. This ensures notifications come from a consistent, identifiable source.

<Info>
  **Time Required:** 5 minutes
  **Required Role:** User Administrator or Global Administrator
</Info>

<Steps>
  <Step title="Navigate to Microsoft 365 Admin Center">
    Go to [Microsoft 365 Admin Center](https://admin.microsoft.com) and sign in with your administrator account.

    Navigate to **Users** → **Active users**
  </Step>

  <Step title="Create New User">
    Click **Add a user** to begin creating the service account.

    Enter the following details:

    * **Username:** Choose a descriptive name (e.g., `rad-bot`, `rad-security`, `security-notifications`)
    * **Display name:** "RAD Security" or "RAD Security Bot"
    * **Domain:** Use your organization's primary domain

    Example: `rad-bot@yourcompany.com`
  </Step>

  <Step title="Assign License">
    Select a license that includes Microsoft Teams access:

    * Microsoft 365 Business Basic (minimum)
    * Microsoft 365 Business Standard
    * Microsoft 365 E3 or E5

    <Warning>
      A license is required for the service account to send Teams messages using delegated permissions. The account cannot send messages without a license that includes Teams functionality.
    </Warning>
  </Step>

  <Step title="Configure Password">
    Set a strong password for the service account:

    * **Uncheck** "Require this user to change their password when they first sign in"
    * Generate a secure password (20+ characters recommended)
    * **Save these credentials securely** in your organization's password manager or secrets vault

    <Warning>
      Store the username and password securely! You'll need these credentials in Step 4 to complete the OAuth flow.
    </Warning>
  </Step>

  <Step title="Complete User Creation">
    Review the settings and click **Finish adding** to create the service account.

    Verify the account appears in your Active Users list with an active license.
  </Step>
</Steps>

<Check>
  Your service account is now ready! Make sure the credentials are stored securely before proceeding.
</Check>

***

## Step 3: Configure Integration in RAD Security

Now that admin consent is granted and the service account is created, you can configure the integration in RAD Security.

<Info>
  **Time Required:** 2 minutes
  **Required Role:** RAD Security tenant administrator
</Info>

<Steps>
  <Step title="Navigate to Integrations">
    Log in to RAD Security and navigate to **Data Sources** → **Integrations**.
  </Step>

  <Step title="Select Microsoft Teams">
    Find and click on **Microsoft Teams** from the list of available notification integrations.
  </Step>

  <Step title="Enter Integration Details">
    Provide a descriptive name for this integration:

    * **Integration Name:** e.g., `Microsoft Teams - Production`

    Click **Connect** to begin the OAuth authorization flow.
  </Step>
</Steps>

***

## Step 4: Complete OAuth Authorization

You'll now complete the OAuth flow using the service account credentials you created in Step 2.

<Info>
  **Time Required:** 2 minutes
  **Required Credentials:** Service account username and password from Step 2
</Info>

<Steps>
  <Step title="Sign In as Service Account">
    After clicking **Connect**, you'll be redirected to Microsoft's login page.

    <Warning>
      **Important:** Log in using the **service account** credentials (e.g., `rad-bot@yourcompany.com`), **not** your personal administrator account.
    </Warning>
  </Step>

  <Step title="Complete Authentication">
    Enter the service account password.

    Since admin consent was already granted in Step 1, you should not see a permissions consent screen. The authentication will complete automatically.
  </Step>

  <Step title="Verify Success">
    You'll be redirected back to RAD Security with the integration configured.

    Verify that:

    * Integration status shows **Connected**
    * Tenant name is displayed correctly
    * Scopes are listed properly
  </Step>
</Steps>

<Check>
  OAuth authorization is complete! The integration is now active and ready to send notifications.
</Check>

***

## Step 5: Add Bot to Teams Channels

For the RAD Security bot to send messages to Teams channels, the service account must be added as a member of those channels. This is required because we use delegated permissions where the authenticated user (service account) must be a channel member to post messages.

<Info>
  This step is performed by **Teams users**, not administrators. Each channel owner or member can add the bot to their channels as needed.
</Info>

<Steps>
  <Step title="Open Microsoft Teams">
    Launch Microsoft Teams (desktop app or web version).
  </Step>

  <Step title="Navigate to Target Channel">
    Go to the Team and channel where you want to receive notifications.
  </Step>

  <Step title="Add the Bot as a Member">
    Click the three dots (⋯) next to the channel name and select **Manage channel**.

    1. Go to the **Members** tab
    2. Click **Add members**
    3. Search for your service account name (e.g., "RAD Security Bot" or "[rad-bot@yourcompany.com](mailto:rad-bot@yourcompany.com)")
    4. Click **Add** and set the role to **Member**

    <Note>
      You can also add the bot by typing `/add` in the channel followed by the bot's name or email address.
    </Note>
  </Step>

  <Step title="Repeat for Other Channels">
    Repeat this process for each channel that should receive workflow notifications.
  </Step>
</Steps>

<Info>
  **Note:** The bot does **not** need to be added to send direct messages to users. DMs work automatically once the integration is configured.
</Info>

***

## Verify Integration

After completing the setup, verify that the integration is working properly:

<Steps>
  <Step title="Check Integration Status">
    Go to **Data Sources** → **Integrations** in RAD Security and locate your Microsoft Teams integration.

    Verify that:

    * Status shows **Connected**
    * Tenant name matches your organization
    * User information is displayed correctly
  </Step>

  <Step title="Send Test Notification to Channel">
    Configure a test workflow to send a notification to a Teams channel:

    * Target format: `"Team Name/Channel Name"`
    * Example: `"Security Operations/Alerts"`

    Verify the message appears in the specified Teams channel.
  </Step>

  <Step title="Send Test Direct Message">
    Configure a test workflow to send a notification to a user:

    * Target format: User's email address
    * Example: `"user@yourcompany.com"`

    Verify the user receives a direct message from the RAD Security bot in Teams Chat.
  </Step>
</Steps>

<Check>
  Your Microsoft Teams integration is now fully configured! You can now receive workflow notifications and alerts in Teams channels and direct messages.
</Check>

***

## Configuring Notification Destinations

When setting up workflow notifications, you can specify where messages should be delivered in Microsoft Teams:

### Send to a Channel

To send notifications to a specific Teams channel, use the format **"Team Name/Channel Name"**:

```
Security Operations/Critical Alerts
```

<Note>
  * Team and channel names are **case-sensitive**
  * Use the exact names as they appear in Microsoft Teams
  * The service account must be added as a member of the channel (see Step 5)
  * Works with both standard and private channels
</Note>

**Example targets:**

* `"Engineering/Deployments"`
* `"Security Team/Incident Response"`
* `"Operations/Monitoring Alerts"`

### Send Direct Messages to Users

To send notifications directly to a specific user, provide their **email address**:

```
user@yourcompany.com
```

<Info>
  * Use the email address associated with the user's Microsoft 365 account
  * The user will receive a direct message from the RAD Security bot
  * No additional setup required - DMs work once the integration is configured
  * The user must be in the same Microsoft 365 tenant
</Info>

**Example targets:**

* `"john.doe@company.com"`
* `"security-team@company.com"`
* `"oncall@company.com"`

***

## What Notifications Are Sent

<AccordionGroup>
  <Accordion title="Workflow Completion" icon="circle-check">
    * Notifications when automated workflows complete successfully
    * Summary of workflow actions taken
    * Links to detailed results in RAD Security
  </Accordion>

  <Accordion title="Security Alerts" icon="triangle-exclamation">
    * Critical security events detected by workflows
    * Threshold violations and policy breaches
    * Urgent issues requiring immediate attention
  </Accordion>

  <Accordion title="Custom Workflow Events" icon="bell">
    * Custom notifications configured in your workflows
    * Scheduled report summaries
    * Integration status updates
  </Accordion>
</AccordionGroup>

***

## Use Cases

<CardGroup cols={2}>
  <Card title="Workflow Monitoring" icon="chart-line">
    Receive real-time updates when security workflows complete, keeping your team informed of automated actions.
  </Card>

  <Card title="Incident Response" icon="siren">
    Get immediate alerts in dedicated incident response channels when critical security events are detected.
  </Card>

  <Card title="Team Collaboration" icon="users">
    Share security findings and workflow results with relevant teams in their existing Teams channels.
  </Card>

  <Card title="On-Call Notifications" icon="bell-on">
    Send direct messages to on-call engineers for time-sensitive security issues requiring immediate action.
  </Card>
</CardGroup>

***

## Troubleshooting

<AccordionGroup>
  <Accordion title="Need admin approval error during OAuth" icon="triangle-exclamation">
    **Possible causes:**

    * Admin consent (Step 1) was not completed successfully
    * You're logging in with your personal account instead of the service account
    * Admin consent was granted for a different tenant

    **Solution:**

    * Verify Step 1 (Admin Consent) was completed successfully
    * Ensure you're logging in with the **service account** credentials during OAuth (Step 4)
    * Check that admin consent was granted for the correct Microsoft 365 tenant
    * Try the admin consent flow again if needed
  </Accordion>

  <Accordion title="Channel not found error" icon="message-slash">
    **Possible causes:**

    * The team or channel name is misspelled or incorrectly formatted
    * The service account hasn't been added as a member of the channel
    * The channel is private and the service account doesn't have access

    **Solution:**

    * Verify the exact team and channel names (they are case-sensitive)
    * Check the format is exactly: `"Team Name/Channel Name"`
    * Add the service account as a member of the channel (see Step 5)
    * For private channels, ensure the service account has been explicitly added
  </Accordion>

  <Accordion title="User not found error" icon="user-xmark">
    **Possible causes:**

    * The email address is incorrect or misspelled
    * The user doesn't exist in your Microsoft 365 tenant
    * The user is in a different tenant

    **Solution:**

    * Verify the email address is correct
    * Check that the user exists in your Microsoft 365 tenant
    * Ensure the user is in the same tenant as the service account
    * Try sending to a different user to isolate the issue
  </Accordion>

  <Accordion title="Integration status shows Pending" icon="clock">
    **Possible causes:**

    * The OAuth flow (Step 4) wasn't completed
    * You logged in with the wrong account during OAuth
    * The OAuth flow was interrupted

    **Solution:**

    * Complete the OAuth authorization flow (Step 4)
    * Ensure you're logging in with the service account credentials
    * Delete the integration and start over from Step 3 if needed
  </Accordion>

  <Accordion title="Token expired or authentication failed" icon="key">
    **Possible causes:**

    * The service account password was changed
    * The service account was disabled or deleted
    * Admin consent was revoked
    * The service account license was removed

    **Solution:**

    * Verify the service account is still active in Microsoft 365
    * Check that the service account still has a Teams license assigned
    * Verify that admin consent is still granted
    * Re-authorize the integration by clicking **Reconnect** in RAD Security
    * If the service account password changed, you may need to delete and recreate the integration
  </Accordion>

  <Accordion title="Forbidden error when sending messages" icon="lock">
    **Possible causes:**

    * The service account is not a member of the target channel
    * The service account's Teams license expired or was removed

    **Solution:**

    * Add the service account to the channel as a member (Step 5)
    * Verify the service account has an active Teams license
    * Check that the service account can access Teams by logging in manually
  </Accordion>
</AccordionGroup>

***

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Secure Credential Storage" icon="vault">
    Store the service account credentials in your organization's password manager or secrets vault. Multiple administrators should not share credentials directly.
  </Card>

  <Card title="Channel Access Control" icon="lock">
    Only send sensitive security notifications to private channels with restricted membership to prevent information disclosure.
  </Card>

  <Card title="Service Account Monitoring" icon="user-shield">
    Monitor the service account for unusual activity and treat it as a privileged account in your security policies.
  </Card>

  <Card title="Least Privilege" icon="shield-check">
    The service account only has the minimum required permissions to send messages and read basic user/team information.
  </Card>

  <Card title="Regular Access Reviews" icon="clipboard-check">
    Periodically review which Teams channels receive RAD Security notifications and adjust as team membership changes.
  </Card>

  <Card title="Message Content" icon="message">
    Configure workflow notifications to avoid including sensitive data like credentials or PII in Teams messages.
  </Card>
</CardGroup>

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Notification Integrations" icon="bell" href="/rad-security/integrations/notifications/overview">
    Explore other notification integration options
  </Card>

  <Card title="Workflows" icon="diagram-project" href="/rad-security/platform/workspace">
    Configure workflows to trigger Teams notifications
  </Card>
</CardGroup>