Microsoft Teams

Microsoft Teams is a collaboration platform where teams hold conversations, share files, and meet across channels and chats. The Glean Microsoft Teams connector brings this content into Glean for permission-aware search and AI assistance, so users can find channel discussions, chat messages, and meeting transcripts without leaving Glean.

For an overview of the Microsoft Teams connector and its benefits, see the Microsoft Teams integration page.

Supported objects

The Microsoft Teams connector indexes the following Teams content and metadata through the Microsoft Graph API.

Channel messages

• Messages and replies in public and private channels
• Channel name, description, and settings
• Authorship and timestamps

Chat messages

• Group chat messages
• Optionally, private (direct) messages and meeting chats (enabled during setup — see Configure optional crawl settings)

Team and channel membership

• Team and channel membership
• Team and channel settings

Meeting transcripts (optional)

• Microsoft Teams meeting transcripts, enabled through additional setup. See Meeting transcripts.

Supported API endpoints

The connector reads from the following Microsoft Graph API endpoints. Each requires the corresponding application permission to be granted and admin-consented (see Permission requirements).

Endpoint	Permissions	Purpose	reference
GET /users	User.Read.All	Reads all user profiles for identity crawl.	List users
GET /groups (filtered to Microsoft 365 groups provisioned as teams)	GroupMember.Read.All	Lists groups while discovering Microsoft 365 groups provisioned as teams, using the resourceProvisioningOptions group property.	List groups, permissions reference
GET /groups/{groupId}	GroupMember.Read.All	Reads basic metadata for a backing Microsoft 365 group.	Get group, permissions reference
GET /groups/{groupId}/members	GroupMember.Read.All	Reads direct backing-group memberships for team access.	List group members
GET /groups/{productAccessGroupId}/transitiveMembers/microsoft.graph.user	GroupMember.Read.All and User.Read.All	Traverses nested product-access-group membership and returns selected user fields for identity processing.	List group transitive members
GET /users/{userId}/teamwork/associatedTeams	Team.ReadBasic.All	Lists teams associated with a user, including host teams for shared channels.	List associatedTeamInfo
GET /teams/{teamId}	Team.ReadBasic.All	Reads team metadata.	Get team
GET /teams/{teamId}/channels	ChannelSettings.Read.All	Lists channel metadata.	List channels
GET /teams/{teamId}/channels?$filter=isArchived eq false	ChannelSettings.Read.All	Same channel-list API, filtered by archived state.	List channels
GET /teams/{teamId}/channels/{channelId}	ChannelSettings.Read.All	Reads channel metadata and archived-channel state in restriction checks.	Get channel
GET /teams/{teamId}/channels/{channelId}/members	ChannelMember.Read.All	Reads channel membership.	List channel members
GET /teams/{teamId}/channels/{channelId}/messages	ChannelMessage.Read.All	Reads channel root messages.	List channel messages
GET /teams/{teamId}/channels/{channelId}/messages/delta	ChannelMessage.Read.All	Reads channel message delta pages.	Get incremental changes for messages
GET /teams/{teamId}/channels/{channelId}/messages/{messageId}	ChannelMessage.Read.All	Reads a specific channel message.	Get chatMessage
GET /teams/{teamId}/channels/{channelId}/messages/{messageId}/replies	ChannelMessage.Read.All	Reads replies to a channel message.	List replies
GET /teams/{teamId}/channels/{channelId}/messages/{messageId}/replies/{replyId}	ChannelMessage.Read.All	Reads a specific channel-message reply.	Get chatMessage
POST /subscriptions (resource /teams/{teamId}/channels/{channelId}/messages)	ChannelMessage.Read.All	Creates a change-notification subscription for the channel-message resource.	Create subscription, Teams message notifications
PATCH /subscriptions/{subscriptionId}	ChannelMessage.Read.All	Renews a subscription for the channel-message resource.	Update subscription
DELETE /subscriptions/{subscriptionId}	ChannelMessage.Read.All	Deletes a subscription for the channel-message resource.	Delete subscription
GET /users/{userId}/chats	Chat.Read.All	Lists chats for a user when private or meeting chat crawl is enabled.	List chats
GET /chats/{chatId}	Chat.Read.All	Reads chat metadata.	Get chat
GET /chats/{chatId}/members	Chat.Read.All	Reads chat members; Chat.Read.All is retained because message content is also crawled.	List chat members
GET /chats/{chatId}/messages	Chat.Read.All	Reads private or meeting chat messages.	List chat messages
GET /chats/{chatId}/messages/{messageId}	Chat.Read.All	Reads a specific private or meeting chat message.	Get chatMessage

Meeting transcripts (optional) additionally use these endpoints:

Endpoint	Purpose	Permission
/me/calendars, /me/calendar/calendarView	Read calendars and calendar events	Calendars.Read
/me/onlineMeetings	Read online meetings	OnlineMeetings.Read.All
/me/onlineMeetings/{id}/transcripts	Read meeting transcripts	OnlineMeetingTranscript.Read.All

Limitations

• SharePoint-backed team sites are not covered by this connector; associated file uploads are included through SharePoint.
• Cross-tenant and external Teams content is not supported. Glean can only crawl Teams content that belongs to the Microsoft 365 tenant in which the connector is configured. Chats, channels, or meeting chats hosted in another tenant — for example, a chat created by an external user — may not be indexed.
• Meetings organized ad hoc directly from Teams channels (not accessible through Outlook) are not indexed for transcripts.

Requirements

Technical requirements

To use the Microsoft Teams connector, you need:

• A Microsoft 365 tenant with Microsoft Teams enabled.
• The ability to register an application in Microsoft Entra ID (Azure Active Directory) and access to Microsoft Graph API v1.0.
• A Glean deployment with access to the Admin console to manage connectors.

Glean connects to Microsoft Teams via the Microsoft Graph API over HTTPS and stores indexed data in your organization's Glean deployment.

Credential requirements

The connector authenticates to Microsoft Graph as an Entra ID application. Two authentication methods are supported:

• Certificate-based authentication (recommended) — a client certificate (certificate.crt) and a private key (privatekey.key) in PKCS#8 format, with the certificate uploaded to your Entra ID app registration.
• Client secret — a secret value generated in your Entra ID app registration.

Both methods also require:

• Application (client) ID of your Entra ID app registration
• Directory (tenant) ID of your Microsoft 365 tenant

Certificate-based authentication is recommended. Microsoft is phasing out client-secret authentication for these APIs following the retirement of Azure Access Control Services (ACS). Client secrets remain supported for the Microsoft Teams connector, but new setups should use a certificate. For the secret-based steps, see Client secret setup.

Permission requirements

The person performing setup must be a Global Administrator in Microsoft 365 (to register the app and grant admin consent) and a Glean admin with permission to add and configure connectors.

Admin consent must be granted for the following Microsoft Graph application permissions.

Messaging and team data:

• Team.ReadBasic.All
• ChannelMember.Read.All
• ChannelMessage.Read.All
• ChannelSettings.Read.All

Identity resolution:

• User.Read.All
• GroupMember.Read.All

Private and meeting chats (optional):

• Chat.Read.All

Meeting transcripts (optional):

• Calendars.Read
• OnlineMeetings.Read.All
• OnlineMeetingTranscript.Read.All

Microsoft Teams setup (Azure)

Before configuring the connector in Glean, register and configure an application in Microsoft Entra ID.

1. Register an application

1. Sign in to the Azure portal. Select Microsoft Entra ID, then Manage → App registrations → New registration.

2. On the Register an application page, register an app with the following:

   Field	Value
   Name	Glean MSFT Teams App (for messages)
   Supported account types	Accounts in this organizational directory only (Single tenant)
   Redirect URI	(Leave this field blank)

3. Click Register.

   

2. Add and grant API permissions

1. On the left navigation of the overview page, click Manage → API permissions.

2. Click Add a permission and select Microsoft Graph. Choose Application permissions and add the permissions listed above.

   

3. After all permissions are added, click Grant admin consent for tenant. Ensure you're signed in to Azure as a Global, Application, or Cloud Application Administrator, otherwise the grant may fail.

3. Generate a certificate and private key

Generate a certificate and a PKCS#8 private key using OpenSSL. OpenSSL is installed by default on macOS and Linux. On Windows, install a third-party OpenSSL build and add its \bin directory to your PowerShell PATH.

1. Run the following commands. Microsoft requires the certificate to be verified with a private key in PKCS#8 syntax.

   openssl genrsa -out tempprivatekey.key 2048
   openssl pkcs8 -topk8 -inform PEM -outform PEM -in tempprivatekey.key -out privatekey.key -nocrypt
   openssl req -new -key privatekey.key -out request.csr
   openssl x509 -req -days 365 -in request.csr -signkey privatekey.key -out certificate.crt

2. Verify that both certificate.crt and privatekey.key exist and conform to these formats:

   • certificate.crt starts with a BEGIN CERTIFICATE header and ends with an END CERTIFICATE footer.
   • privatekey.key starts with a BEGIN PRIVATE KEY header and ends with an END PRIVATE KEY footer. It must not include RSA in the header (a BEGIN RSA PRIVATE KEY header is PKCS#1 and is not accepted at save time) and must not be encrypted.
   warning

   The private key must be in PKCS#8 format. A PKCS#1 key (a BEGIN RSA PRIVATE KEY header) uploads successfully but fails when you save the connector. If you have a PKCS#1 key, convert it: openssl pkcs8 -topk8 -inform PEM -outform PEM -in privatekey.key -out privatekey_pkcs8.key -nocrypt.

4. Upload the certificate to Azure

1. Navigate back to Microsoft Entra ID → Manage → App registrations and select the app you created. Then click Manage → Certificates & secrets in the left sidebar.

2. Select the Certificates tab and click Upload certificate.

3. Upload the certificate.crt file you generated. After uploading, the application lists the new certificate.

   

4. Scroll to the top of the left sidebar and click Overview. Copy the Application (client) ID and Directory (tenant) ID from the Essentials panel; you'll enter these in Glean.

   note

   In deployments that use more than one Entra ID app registration, upload the same certificate to every app registration. A certificate that is missing from one of the apps causes a "Certificate is not authorized" error for that app.

Client secret setup (alternative)

Instead of a certificate, you can authenticate the connector with a client secret. Certificate-based authentication is recommended because Microsoft is phasing out client-secret authentication for these APIs, but client secrets remain supported for the Microsoft Teams connector. If you use a client secret, follow these steps instead of generating and uploading a certificate:

1. After granting admin consent, go to Manage → Certificates & secrets and click New client secret. Enter a description, select 24 months for expiry, then click Add.

2. Under Client secrets, copy the Value (not the Secret ID) — it is shown only once — and enter it in Glean as the Client secret.

   

Configure Glean

Once the Azure app is configured, complete setup in the Glean Admin console.

1. Start connector setup

1. In the Glean Admin console, go to Connectors → Add connector.
2. Search for Microsoft Teams and select the connector.
3. Provide a Name and optional Icon for the connector. This label appears for users in search results.

2. Provide credentials

Supply the values collected during the Azure setup:

• Directory (tenant) ID
• Application (client) ID
• For certificate-based authentication (recommended): upload the Client certificate (certificate.crt) and the Private key (privatekey.key, PKCS#8).
• For client secret authentication: enter the Client secret value you generated.

Glean uses these to authenticate to the Microsoft Graph API as your Entra ID application.

3. Configure optional crawl settings

• Allow crawling Teams private chats — enables crawling of private (direct) messages.
• Allow crawling Teams meeting chats — enables crawling of meeting chat messages.

4. Save and start the initial crawl

1. Review your configuration.
2. Click Save to complete setup.
3. Glean starts an initial crawl of Teams content. Once it finishes, Teams results begin to appear in users' Glean search and AI experiences.

Meeting transcripts (optional)

Glean can index Microsoft Teams meeting transcripts so that transcript content is searchable and attendees can generate meeting summaries from the Glean home page calendar. This requires additional Microsoft Graph permissions (Calendars.Read, OnlineMeetings.Read.All, OnlineMeetingTranscript.Read.All) and a Microsoft application access policy granted globally.

For the full walkthrough, see Teams transcripts.

warning

The application access policy must be created with the transcript app's Application (client) ID and granted globally (Grant-CsApplicationAccessPolicy -Global). Using the wrong client ID, or creating the policy without granting it globally, is the most common cause of the TEAMS-2 error and silently returns zero transcripts. Policy changes can take 24–48 hours to propagate.

Permissions & security

How permissions are enforced

The connector mirrors Teams membership and access:

• Users see only the teams, channels, and chats they are a member of in Microsoft Teams.
• Channel and chat content visibility follows Teams membership and settings.
• Meeting transcripts are visible only to meeting attendees.

Glean evaluates permissions at query time so users only see content they are allowed to access in Teams.

Data access model

• The connector uses the Microsoft Graph API with read-only, application-level access through your Entra ID app registration.
• Indexed content is stored within your organization's Glean deployment; Glean enforces least-privilege read access.

Crawling and freshness

The connector combines periodic crawls with real-time updates to keep the index fresh.

Full and incremental crawls

• Full crawls re-enumerate teams, channels, chats, and supported content accessible to the connector.
• Incremental crawls fetch newly created and recently updated content since the last crawl.

Real-time updates (webhooks)

• Where supported, Glean subscribes to Microsoft Graph change notifications (webhooks) to update channel content in near real time, subject to Microsoft subscription limits.

Use cases and example queries

Once crawls have completed, users can search and ask natural-language questions across Teams content. Example use cases include:

• Finding decisions and discussions
  • What did the platform team decide about the launch date?
• Catching up on a channel
  • Summarize recent discussion in the #incidents channel.
• Locating shared resources
  • Where is the onboarding checklist shared in Teams?
• Recalling meeting outcomes
  • What were the action items from yesterday's planning meeting? (requires meeting transcripts)

Because Glean combines Teams with other enterprise sources (for example, SharePoint, Jira, and Google Drive), users can also ask cross-system questions, subject to permissions.

Troubleshooting

The private key must be in PKCS#8 format (a BEGIN PRIVATE KEY header). A PKCS#1 key (a BEGIN RSA PRIVATE KEY header) uploads successfully but fails validation at save time. Convert it with:

openssl pkcs8 -topk8 -inform PEM -outform PEM -in privatekey.key -out privatekey_pkcs8.key -nocrypt

Re-upload the converted key and save again.

The certificate has not been uploaded to the Entra ID app registration, or it is missing from one of them. Upload certificate.crt under Certificates & secrets → Certificates for the app. In deployments with more than one app registration, upload the same certificate to every app.

The uploaded private key does not correspond to the uploaded certificate. Make sure privatekey.key and certificate.crt are the matching pair generated together in step 3, and that the same certificate was uploaded to Azure.

Confirm the Application (client) ID and Directory (tenant) ID exactly match the values from your Entra ID app's Overview page.

Transcripts require an application access policy granted globally. Verify that the policy references the transcript app's Application (client) ID and was granted with Grant-CsApplicationAccessPolicy -Global. Allow 24–48 hours for the policy to propagate. See Teams transcripts and the TEAMS-2 error reference.

Glean does not show content a user cannot access in Teams. Confirm the user is a member of the relevant teams, channels, or chats, and that the required Graph permissions were granted and admin-consented during setup.

The Glean Teams bot uses a separate authentication model from the connector crawler and is configured independently. A bot 401 ("Authorization has been denied for this request") is not related to connector certificate auth. See the Glean in Microsoft Teams admin guide.

FAQs

Both are supported for the Microsoft Teams connector. Certificate-based authentication is recommended for new setups because Microsoft is phasing out client-secret authentication for these APIs, following the retirement of Azure Access Control Services (ACS).

Yes. Client secrets are still supported for the Microsoft Teams connector, though a certificate is recommended for new setups. See Client secret setup.

Attachments and file content are indexed through the SharePoint connector, not from Teams directly.

Group chats are supported. You can enable crawling of private (direct) messages and meeting chats during setup using the Allow crawling Teams private chats and Allow crawling Teams meeting chats options.

Yes, with additional setup. Transcripts require extra Graph permissions and a globally granted application access policy. See Teams transcripts.

No. Glean only crawls Teams content belonging to the Microsoft 365 tenant in which the connector is configured. Content hosted in another tenant may not be indexed.

No. The connector crawls and indexes Teams content; the Glean Teams bot answers questions inside Teams. They are configured separately and use different authentication. Setting up one does not configure the other.