hashicorp · kishanHashicorp · Mar 31, 2026 · Mar 31, 2026 · Apr 1, 2026
@@ -0,0 +1,192 @@
+---
+page_title: Add a data source - Microsoft Teams
+description: >-
+  Add Microsoft Teams as a data source for Vault Radar to monitor Teams channels for sensitive data and secrets.
+# START AUTO GENERATED METADATA, DO NOT EDIT
+created_at: 2026-03-26T00:00:00Z
+last_modified: 2026-03-26T00:00:00Z
+# END AUTO GENERATED METADATA
+---
+
+# Scan Microsoft Teams for secrets
+
+@include 'beta-feature.mdx'
+
+Connect Microsoft Teams as a data source to HCP Vault Radar to monitor Teams
+channels for sensitive data and secrets.
+
+## Prerequisites
+
+- HCP IAM user with the HCP owner or admin role.
+
+## Add a Microsoft Teams data source
+
+<Tabs>
+<Tab heading="HCP Vault Radar cloud scan">
+
+Before you begin, make sure you have the following access:
+
+- Access to the Microsoft 365 tenant that contains the Teams data you want to scan.
+- Enable [admin consent workflow](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow) in the Microsoft 365 tenant if tenant-wide consent is restricted.
+- Permission to register an application in [Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) (for agent scan).
+- Vault Radar agent deployed and running. Refer to the [HCP Vault Radar
+  operations
+  tutorials](/hcp/tutorials/hcp-vault-radar-operations/install-vault-radar-agent) (for agent scan).
+
+1. Click **Settings/Data Sources**.
+
+1. Select **HCP Vault Radar Scan**.
+
+1. Under **Team Collaboration**, click **Microsoft Teams**.
+   ![Select Microsoft Teams data source](/img/docs/vault-radar/microsoft-teams-onboarding-saas-flow.png)
+
+1. Click **Connect to Microsoft Teams**. This starts the Microsoft sign-in and
+   consent flow.
+
+1. Sign in with an account of the tenant you want to scan.
+
+1. Review the requested permissions and click **Accept**.
+
+   <Note title="Administrator consent may be required">
+
+   If your organization restricts tenant-wide consent, Microsoft displays a
+   message that asks you to request approval from an administrator.
+
+   </Note>
+
+1. HCP Vault Radar displays the message **Authenticated to Microsoft Teams**.
+
+1. Click **Next**.
+
+1. Select either **All teams and channels** or **Select teams and channels to
+   monitor**.
+
+1. Click **Finish** to start onboarding and scanning the selected Teams
+   channels.
+
+</Tab>
+<Tab heading="HCP Vault Radar agent scan">
+
+### Register a Microsoft Entra application
+
+For step-by-step instructions on registering an app, see [Quickstart: Register an application](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app).
+
+1. Sign in to the [Microsoft Entra admin
+   center](https://entra.microsoft.com/) with an account that can register
+   applications.
+
+1. Navigate to **Entra ID > App registrations**.
+
+1. Click **New registration**.
+
+1. Enter a name for the application, such as `HashiCorp Vault Radar`.
+
+1. For **Supported account types**, select single tenant or multitenant based on your organization's needs.
+
+1. Click **Register**.
+
+### Enable ID token issuance
+
+1. In the Microsoft Entra application, open **Authentication (Preview) > Settings**.
+
+1. Under **Implicit grant and hybrid flows**, select **ID tokens**.
+
+1. Click **Save**.
+
+### Configure Microsoft Graph permissions
+
+Complete the following steps in the Microsoft Entra app registration in
+Microsoft Entra ID so Vault Radar can read the Teams content it scans and sign
+users in.
+
+For a guide to adding API permissions to an app, see [Quickstart: Configure app access to web APIs](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis).
+
+1. Navigate to **Entra ID > App registrations**, and then select your client application
+
+1. Select **API permissions**.
+
+1. Click **Add a permission**.
+
+1. Select **Microsoft Graph**.
+
+1. Add the following permissions:
+
+   - **Microsoft Graph application permissions:**
+     - `Team.ReadBasic.All` to list teams.
+     - `Channel.ReadBasic.All` to list channels.
+     - `ChannelMessage.Read.All` to read channel messages.
+     - `Organization.Read.All` to read organization information, such as the tenant name.
+
+   - **Delegated permissions (scopes):**
+     - `openid` to sign users in.
+     - `profile` to view user's basic profile.
+     - `offline_access` to allow the application to maintain access to the Microsoft Graph API when the user is not signed in.
+
+1. Grant admin consent for the tenant after you add the permissions. Refer to the
+   [Microsoft documentation for granting tenant-wide admin
+   consent](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent).
+
+### Create a client secret and store the values
+
+1. In the Microsoft Entra application, navigate to **Certificates & secrets**.
+
+1. Click **New client secret**.
+
+1. Copy the client secret value and store it securely.
+
+1. Copy the **Application (client) ID** and the **Directory (tenant) ID**.
+
+1. Set an environment variable on the agent host to store the client secret.
+
+   **Example shell command:**
+
+   <CodeBlockConfig hideClipboard>
+
+   ```shell-session
+   export MICROSOFT_TEAMS_CLIENT_SECRET="<client-secret-value>"
+   export MICROSOFT_TEAMS_CLIENT_ID="<application-client-id>"
+   ```
+
+   </CodeBlockConfig>
+
+### Add a Microsoft Teams data source
+
+1. Click **Settings** and select **Data Sources**.
+
+1. Select **HCP Vault Radar Agent Scan**.
+
+1. Under **Team Collaboration**, click **Microsoft Teams**.
+   ![Select Microsoft Teams data source](/img/docs/vault-radar/microsoft-teams-onboarding-agent-flow.png)
+
+1. Enter the following information:
+
+   - **Microsoft Entra tenant ID:** The **Directory (tenant) ID** for the
+     Microsoft Entra application.
+
+   - **Microsoft Entra client ID:** The environment variable path where you stored the client ID on the agent host.
+
+   - **Microsoft Entra client secret:** The environment variable path where you
+     stored the client secret on the agent host.
+
+   **Example:**
+
+   <CodeBlockConfig hideClipboard>
+
+   ```plaintext
+   env://MICROSOFT_TEAMS_CLIENT_SECRET
+   env://MICROSOFT_TEAMS_CLIENT_ID
+   ```
+
+   </CodeBlockConfig>
+
+1. Click **Next**.
+
+1. Select either **All channels** or **Select channels to
+   monitor**.
+
+1. Click **Finish** to start onboarding and scanning the selected Teams
+   channels.
+
+</Tab>
+</Tabs>
+
@@ -733,6 +733,10 @@
                   }
                 ]
               },
+              {
+                "title": "Microsoft Teams <sup>Beta</sup>",
+                "path": "vault-radar/get-started/add-data-sources/microsoft-teams"
+              },
               {
                 "title": "Slack",
                 "path": "vault-radar/get-started/add-data-sources/slack/"