@@ -0,0 +1,185 @@
---
page_title: Add a data source - Microsoft Teams
description: >-
Add Microsoft Teams as a data source for Vault Radar to monitor Teams channels for sensitive data and secrets.
# START AUTO GENERATED METADATA, DO NOT EDIT
created_at: 2026-03-26T00:00:00Z
last_modified: 2026-03-26T00:00:00Z
# END AUTO GENERATED METADATA
---

# Add a Microsoft Teams data source

Connect Microsoft Teams as a data source to HCP Vault Radar to monitor Teams
channels for sensitive data and secrets.

## Prerequisites

- HCP IAM user with the HCP owner or admin role.

<Tabs>
<Tab heading="HCP Vault Radar cloud scan">

Before you begin, make sure you have the following access:

- Permission to sign in to the Microsoft 365 tenant that contains the Teams
data you want to scan.
- Enable admin consent workflow in the Microsoft 365 tenant if tenant-wide consent is restricted. This
allows users to request admin approval to connect their Microsoft Teams data
to HCP Vault Radar. Refer to the [Microsoft documentation for enabling admin
consent workflow](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow).

Contributor

These should be in the prereq section, and I would also rephrase to shorten them. Also, are there specific roles/permissions needed in Teams? I've never been an admin for Teams, so I don't know if there is anything extra or if you just simply need to be able to log in.

Suggested change
- Permission to sign in to the Microsoft 365 tenant that contains the Teams
data you want to scan.
- Enable admin consent workflow in the Microsoft 365 tenant if tenant-wide consent is restricted. This
allows users to request admin approval to connect their Microsoft Teams data
to HCP Vault Radar. Refer to the [Microsoft documentation for enabling admin
consent workflow](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow).
- Access to the Microsoft 365 tenant that contains the Teams data you want to scan.
- Enable [admin consent workflow](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow) in the Microsoft 365 tenant if tenant-wide consent is restricted.

Contributor Author

Well, you don't need to be an admin to onboard MS Teams on Vault Radar.
But the admin consent workflow needs to be enabled on the tenant side by the user - this might require the user to contact his admin and get it set up.
The link contains the steps involved to make it happen.


## Add a Microsoft Teams data source

Copilot AI Mar 31, 2026

Heading structure is inconsistent with other Vault Radar “Add a ” pages that use tabs (for example, add-data-sources/slack.mdx:30 has the “## Add …” section outside the <Tabs> block). Placing “## Add a Microsoft Teams data source” inside only the cloud-scan tab can create an odd TOC and uneven sectioning between tabs; consider moving the shared “Add …” section heading above <Tabs> and keeping tab content under consistent subheadings.

Contributor

Agree with Copilot here - move this up above tabs


1. Click **Settings/Data Sources**.

1. Select **HCP Vault Radar Scan**.

1. Under **Team Collaboration**, click **Microsoft Teams**.
![Select Microsoft Teams data source](/img/docs/vault-radar/microsoft-teams-onboarding-saas-flow.png)

1. Click **Connect to Microsoft Teams**. This starts the Microsoft sign-in and
consent flow.

1. Sign in with an account of the tenant you want to scan.

1. Review the requested permissions and click **Accept**.

<Note title="Administrator consent may be required">

If your organization restricts tenant-wide consent, Microsoft displays a
message that asks you to request approval from an administrator.

</Note>

1. HCP Vault Radar displays the message **Authenticated to Microsoft Teams**.

1. Click **Next**.

1. Select either **All teams and channels** or **Select teams and channels to
monitor**.

1. Click **Finish** to start onboarding and scanning the selected Teams
channels.

</Tab>
<Tab heading="HCP Vault Radar agent scan">

Before you add Microsoft Teams as an agent-scanned data source, make sure you
have the following access:

- Permission to register an application in [Microsoft Entra
ID](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app).
- Vault Radar agent deployed and running. Refer to the [HCP Vault Radar
operations
tutorials](/hcp/tutorials/hcp-vault-radar-operations/install-vault-radar-agent).

### Register a Microsoft Entra application

For step-by-step instructions on registering an app, see [Quickstart: Register an application](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app).

1. Sign in to the [Microsoft Entra admin
center](https://entra.microsoft.com/) with an account that can register
applications.

1. Navigate to **Entra ID > App registrations**.

1. Click **New registration**.

1. Enter a name for the application, such as `HashiCorp Vault Radar`.

1. For **Supported account types**, select single tenant or multitenant based on your organization's needs.

1. Click **Register**.

### Enable ID token issuance

1. In the Microsoft Entra application, open **Authentication (Preview) > Settings**.

1. Under **Implicit grant and hybrid flows**, select **ID tokens**.

1. Click **Save**.

### Configure Microsoft Graph permissions

Grant the application the Microsoft Graph application permissions required to
read the Teams content that Vault Radar scans.

For a guide to adding API permissions to an app, see [Quickstart: Configure app access to web APIs](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis).

- `Team.ReadBasic.All` to list teams.
- `Channel.ReadBasic.All` to list channels.
- `ChannelMessage.Read.All` to read channel messages.
- `Organization.Read.All` to read organization information, such as the tenant name.
- `openId` to sign users in.

Copilot AI Mar 31, 2026

The OIDC scope is spelled openid (all lowercase). Using openId may cause confusion when readers configure permissions/scopes in Entra / Microsoft Graph.

Suggested change
- `openId` to sign users in.
- `openid` to sign users in.

- `profile` to view users basic profile.

Copilot AI Mar 31, 2026

Grammar: “view users basic profile” is missing an apostrophe/article. Consider changing this to “view the user's basic profile” (or equivalent) to keep the permission descriptions clear.

Suggested change
- `profile` to view users basic profile.
- `profile` to view the user's basic profile.

- `offline_access` to allow the application to maintain access to the Microsoft Graph API when the user is not signed in.

Copilot AI Mar 31, 2026

This section states that Vault Radar requires “Microsoft Graph application permissions”, but the list later includes openid, profile, and offline_access, which are delegated OIDC scopes rather than Graph application permissions. Update the wording to match the permission type actually required (delegated vs application), or split the lists so readers grant the right permission types in Entra.

Suggested change
### Configure Microsoft Graph permissions
Grant the application the Microsoft Graph application permissions required to
read the Teams content that Vault Radar scans.
For a guide to adding API permissions to an app, see [Quickstart: Configure app access to web APIs](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis).
- `Team.ReadBasic.All` to list teams.
- `Channel.ReadBasic.All` to list channels.
- `ChannelMessage.Read.All` to read channel messages.
- `Organization.Read.All` to read organization information, such as the tenant name.
- `openId` to sign users in.
- `profile` to view users basic profile.
- `offline_access` to allow the application to maintain access to the Microsoft Graph API when the user is not signed in.
### Configure Microsoft Graph and delegated permissions
Grant the application the following permissions in Microsoft Entra ID so Vault Radar can
read the Teams content it scans and sign users in.
For a guide to adding API permissions to an app, see [Quickstart: Configure app access to web APIs](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis).
- **Microsoft Graph application permissions:**
- `Team.ReadBasic.All` to list teams.
- `Channel.ReadBasic.All` to list channels.
- `ChannelMessage.Read.All` to read channel messages.
- `Organization.Read.All` to read organization information, such as the tenant name.
- **Delegated permissions (scopes):**
- `openid` to sign users in.
- `profile` to view users' basic profile.
- `offline_access` to allow the application to maintain access to the Microsoft Graph API when the user is not signed in.


After you add the permissions, grant admin consent for the tenant. Refer to the
[Microsoft documentation for granting tenant-wide admin
consent](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent).

### Create a client secret and store the values

1. In the Microsoft Entra application, navigate to **Certificates & secrets**.

1. Click **New client secret**.

1. Copy the client secret value and store it securely.

1. Copy the **Application (client) ID** and the **Directory (tenant) ID**.

1. Set an environment variable on the agent host to store the client secret.

**Example shell command:**

<CodeBlockConfig hideClipboard>

```shell-session
export MICROSOFT_TEAMS_CLIENT_SECRET="<client-secret-value>"
export MICROSOFT_TEAMS_CLIENT_ID="<application-client-id>"
```

</CodeBlockConfig>

### Add a Microsoft Teams data source

1. Click **Settings** and select **Data Sources**.

1. Select **HCP Vault Radar Agent Scan**.

1. Under **Team Collaboration**, click **Microsoft Teams**.
![Select Microsoft Teams data source](/img/docs/vault-radar/microsoft-teams-onboarding-agent-flow.png)

1. Enter the following information:

- **Microsoft Entra tenant ID:** The **Directory (tenant) ID** for the
Microsoft Entra application.

- **Microsoft Entra client ID:** The environment variable path where you stored the client ID on the agent host.

- **Microsoft Entra client secret:** The environment variable path where you
stored the client secret on the agent host.

**Example:**

<CodeBlockConfig hideClipboard>

```plaintext
env://MICROSOFT_TEAMS_CLIENT_SECRET
env://MICROSOFT_TEAMS_CLIENT_ID
```

</CodeBlockConfig>

1. Click **Next**.

1. Select either **All channels** or **Select channels to
monitor**.

1. Click **Finish** to start onboarding and scanning the selected Teams
channels.

</Tab>
</Tabs>
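
Review bot: In "Create a client secret and store the values", step 5 tells the reader to set an environment variable for the client secret only, yet the example exports both `MICROSOFT_TEAMS_CLIENT_SECRET` and `MICROSOFT_TEAMS_CLIENT_ID`, and the later `env://` example lists the secret reference first while the field list above it asks for the client ID first and the client secret second. Reword step 5 to cover both values, and order both examples the way the form does (client ID, then client secret), ideally with one `env://` line shown under each field, so a reader does not paste the secret's reference into the client ID field. "Copy the client secret value and store it securely" would also be more useful if it said where, and the section could note the secret's expiry and rotation. Separately, the agent tab ends with "All channels" / "Select channels to monitor" while the cloud tab says "All teams and channels" / "Select teams and channels to monitor"; since the app is granted `ChannelMessage.Read.All` with tenant-wide admin consent, please state whether the channel selection narrows what the application can read or only what Vault Radar scans.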

4 changes: 4 additions & 0 deletions content/hcp-docs/data/docs-nav-data.json
Expand Up @@ -733,6 +733,10 @@
}
]
},
{
"title": "Microsoft Teams <sup>Beta</sup>",
"path": "vault-radar/get-started/add-data-sources/microsoft-teams"
},
{
"title": "Slack",
"path": "vault-radar/get-started/add-data-sources/slack/"
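
Review bot: The new entry's `"path"` has no trailing slash (`.../add-data-sources/microsoft-teams`) while the Slack entry directly below it ends in one (`.../add-data-sources/slack/`); pick the form the rest of this nav file uses so the two sibling entries resolve the same way. The title also carries `<sup>Beta</sup>`, but the new page's front matter and body never say the Microsoft Teams data source is in beta, so consider adding a beta note to the page itself to match the nav label.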