RADAR-7960: Add Microsoft Teams cloud data source onboarding doc #2106
kishanHashicorp wants to merge 3 commits into main
Pull request overview
Adds onboarding documentation for connecting Microsoft Teams as an HCP Vault Radar cloud/agent scanned data source, and exposes it in the Vault Radar “Add a data source” docs navigation.
Changes:
- Adds a new Microsoft Teams data source onboarding page (cloud scan + agent scan tabs).
- Adds a “Microsoft Teams (Beta)” entry to the Vault Radar “Add a data source” navigation group.
Reviewed changes
Copilot reviewed 2 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| content/hcp-docs/data/docs-nav-data.json | Adds the Microsoft Teams (Beta) nav entry under Vault Radar → Get started → Add a data source. |
| content/hcp-docs/content/docs/vault-radar/get-started/add-data-sources/microsoft-teams.mdx | New end-to-end onboarding doc for Microsoft Teams cloud scan and agent scan. |
| ### Configure Microsoft Graph permissions | ||
|
|
||
| Grant the application the Microsoft Graph application permissions required to | ||
| read the Teams content that Vault Radar scans. | ||
|
|
||
| For a guide to adding API permissions to an app, see [Quickstart: Configure app access to web APIs](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis). | ||
|
|
||
| - `Team.ReadBasic.All` to list teams. | ||
| - `Channel.ReadBasic.All` to list channels. | ||
| - `ChannelMessage.Read.All` to read channel messages. | ||
| - `Organization.Read.All` to read organization information, such as the tenant name. | ||
| - `openId` to sign users in. | ||
| - `profile` to view users basic profile. | ||
| - `offline_access` to allow the application to maintain access to the Microsoft Graph API when the user is not signed in. |
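Review bot: The bullet list that starts at `Team.ReadBasic.All` comes straight after the "For a guide to adding API permissions" link sentence with no lead-in of its own, so it reads as part of the quickstart reference rather than as the set of permissions to grant. Suggest moving the link below the list, or adding a sentence such as "Add the following permissions:" directly above the first bullet. The list also does not say which entries need approval from a tenant administrator; since `ChannelMessage.Read.All` is described as reading channel messages, stating the consent requirement here would connect this section to the admin consent workflow mentioned in the cloud-scan steps.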
This section states that Vault Radar requires “Microsoft Graph application permissions”, but the list later includes openid, profile, and offline_access, which are delegated OIDC scopes rather than Graph application permissions. Update the wording to match the permission type actually required (delegated vs application), or split the lists so readers grant the right permission types in Entra.
| ### Configure Microsoft Graph permissions | |
| Grant the application the Microsoft Graph application permissions required to | |
| read the Teams content that Vault Radar scans. | |
| For a guide to adding API permissions to an app, see [Quickstart: Configure app access to web APIs](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis). | |
| - `Team.ReadBasic.All` to list teams. | |
| - `Channel.ReadBasic.All` to list channels. | |
| - `ChannelMessage.Read.All` to read channel messages. | |
| - `Organization.Read.All` to read organization information, such as the tenant name. | |
| - `openId` to sign users in. | |
| - `profile` to view users basic profile. | |
| - `offline_access` to allow the application to maintain access to the Microsoft Graph API when the user is not signed in. | |
| ### Configure Microsoft Graph and delegated permissions | |
| Grant the application the following permissions in Microsoft Entra ID so Vault Radar can | |
| read the Teams content it scans and sign users in. | |
| For a guide to adding API permissions to an app, see [Quickstart: Configure app access to web APIs](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis). | |
| - **Microsoft Graph application permissions:** | |
| - `Team.ReadBasic.All` to list teams. | |
| - `Channel.ReadBasic.All` to list channels. | |
| - `ChannelMessage.Read.All` to read channel messages. | |
| - `Organization.Read.All` to read organization information, such as the tenant name. | |
| - **Delegated permissions (scopes):** | |
| - `openid` to sign users in. | |
| - `profile` to view users' basic profile. | |
| - `offline_access` to allow the application to maintain access to the Microsoft Graph API when the user is not signed in. |
| - `Channel.ReadBasic.All` to list channels. | ||
| - `ChannelMessage.Read.All` to read channel messages. | ||
| - `Organization.Read.All` to read organization information, such as the tenant name. | ||
| - `openId` to sign users in. |
The OIDC scope is spelled openid (all lowercase). Using openId may cause confusion when readers configure permissions/scopes in Entra / Microsoft Graph.
| - `openId` to sign users in. | |
| - `openid` to sign users in. |
| - `ChannelMessage.Read.All` to read channel messages. | ||
| - `Organization.Read.All` to read organization information, such as the tenant name. | ||
| - `openId` to sign users in. | ||
| - `profile` to view users basic profile. |
Grammar: “view users basic profile” is missing an apostrophe/article. Consider changing this to “view the user's basic profile” (or equivalent) to keep the permission descriptions clear.
| - `profile` to view users basic profile. | |
| - `profile` to view the user's basic profile. |
| to HCP Vault Radar. Refer to the [Microsoft documentation for enabling admin | ||
| consent workflow](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow). | ||
|
|
||
| ## Add a Microsoft Teams data source |
Heading structure is inconsistent with other Vault Radar “Add a ” pages that use tabs (for example, add-data-sources/slack.mdx:30 has the “## Add …” section outside the <Tabs> block). Placing “## Add a Microsoft Teams data source” inside only the cloud-scan tab can create an odd TOC and uneven sectioning between tabs; consider moving the shared “Add …” section heading above <Tabs> and keeping tab content under consistent subheadings.
Agree with Copilot here - move this up above tabs
| - Permission to sign in to the Microsoft 365 tenant that contains the Teams | ||
| data you want to scan. | ||
| - Enable admin consent workflow in the Microsoft 365 tenant if tenant-wide consent is restricted. This | ||
| allows users to request admin approval to connect their Microsoft Teams data | ||
| to HCP Vault Radar. Refer to the [Microsoft documentation for enabling admin | ||
| consent workflow](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow). |
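Review bot: The second bullet, "Enable admin consent workflow in the Microsoft 365 tenant ...", is written as an instruction while the first bullet is a requirement, and it does not say who has to carry it out. Suggest phrasing both bullets as requirements and naming the role, for example "A tenant administrator has enabled the admin consent workflow, if tenant-wide consent is restricted", so a reader without admin rights knows to contact their administrator before starting.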
These should be in the prereq section, and I would also rephrase to shorten them. Also, are there specific roles/permissions needed in Teams? I've never been an admin for Teams so don't know if there is anything extra or just simply be able to log in.
| - Permission to sign in to the Microsoft 365 tenant that contains the Teams | |
| data you want to scan. | |
| - Enable admin consent workflow in the Microsoft 365 tenant if tenant-wide consent is restricted. This | |
| allows users to request admin approval to connect their Microsoft Teams data | |
| to HCP Vault Radar. Refer to the [Microsoft documentation for enabling admin | |
| consent workflow](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow). | |
| - Access to the Microsoft 365 tenant that contains the Teams data you want to scan. | |
| - Enable [admin consent workflow](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow) in the Microsoft 365 tenant if tenant-wide consent is restricted. |
Well, you don't need to be an admin to onboard MS Teams on Vault Radar.
But the admin consent workflow needs to be enabled on the tenant side by the user - this might require the user to contact his admin and get it set up.
The link contains the steps involved to make it happen.