Certificate-based authentication for Microsoft Teams Connectors

When using certificate-based authentication, you must create an App Registration in the organization's Azure Active Directory.

  • Since the connector will potentially crawl millions of records, please make sure to create a dedicated App Registration for the connector.

  • Sharing the App Registration between the connector and another client may lead to excessive throttling for both clients and poor indexing speed.

Application Permissions

The Azure application must be granted one of the following Microsoft Graph API Application permissions, depending on the level of access that you want to enable (see register the Azure application for more information):

  • ChannelMessage.Read.All: This permission allows the app to read all channel messages in Microsoft Teams

  • Directory.Read.All: This permission allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.

  • Group.Read.All: This permission allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user.

  • Member.Read.Hidden: This permission allows the app to read the memberships of hidden groups and administrative units without a signed-in user.

  • User.Read.All: This permission allows the app to read user profiles without a signed in user.

Certificate Requirements

For the following topics you need the signed certificate in PFX and CER formats (created here) as well as the password for the PFX certificate.

Register the Azure Application

  1. Go to https://portal.azure.com/ and login with Azure Global Admin user credentials.
  2. Click Azure Active Directory and click on the desired directory.
  3. From the menu select App Registrations.
  4. Click New registration to register a new app.
  5. In the Name field, Enter a name for your app.
  6. In the Redirect URI section, specify the Application type by select Web or API app from the drop-down list.
  7.  Enter a URI of your choosing. The URI is not used in the Microsoft Teams Authorization mechanism.
  8. Click Register at the bottom of the page.
  9. Within the app, go to API Permissions.
  10. Under API Permissions >  Add a permission >Microsoft Graph.
  11. Under Application Permissions, select the following permissions for the app depending on the Authentication mechanism used:

    • ChannelMessage.Read.All

    • Directory.Read.All

    • Group.Read.All

    • Member.Read.Hidden

    • User.Read.All

  12. Click the Add Permissions button at the bottom of the screen.
  13. In the Configured permissions menu, click the Grant admin consent button to grant the selected permissions (requires admin rights).


  14. Repeat this process (Steps through 13) for each of the Microsoft Graph API permissions listed in the Application permissions:
  15. Open the Azure app you created in the previous steps, above. Under Manage, click Certificates and secrets

  16. Add your newly created certificate.

    There are multiple methods that can be used to create a certificate. BA Insight recommends the following instructions to create a certificate: How to Create a Self-Signed Certificate.

    If you use another program, such as IIS, when you export the certificate, ensure you do not mark the key as exportable:

    Also, when exporting your certificate using IIS, note that it MUST BE Base-64 encoded:
     

Certificate Installation Options

When configuring the Teams connector with App Registration and Certificate Authentication, BA Insight supports two certificate installation methods. Both are fully compatible, the correct choice depends on your security model and permissions available to the service account.

Method Certificate store Permissions required Notes
Recommended (least privilege) CurrentUser\Personal (CurrentUser\My) No Local Administrator rights required rights required Service account imports certificate into its personal store
LocalMachine store (legacy/existing deployments) LocalMachine\Trusted Root Certification Authorities (LocalMachine\Root) Local Administrator rights required Remains supported for existing configurations


For new installations or security-restricted environments, use the Current User installation method to avoid requiring Local Administrator rights.

Install the Certificate Using the Recommended (Non-Admin) Method

  1. Sign in to the server using the service account that will run the connector.

  2. Ensure the account is not a Local Administrator.

  3. Open the Certificate Manager for the current user by typing certmgr.msc in the start menu.

  4. Navigate to Personal > Certificates.

  5. Right-click and choose All Tasks > Import....

  6. Import your .pfx certificate file.

  7. Complete the wizard and verify the certificate appears in Personal > Certificates.

Install the Certificate Using the LocalMachine Store

  1. Run the Microsoft Management Console (MMC) as an Administrator.
  2. Add the Certificates Snap-in.
  3. Expand Trusted Root Certification Authority.

  4. Use the Actions menu to import your PFX certificate.
Important: The user account running the Teams Connector application pool, must have read access to the Trusted Root Certificate store on the local machine. This user account cannot be Network Service.