

# Connecting to Microsoft Teams
<a name="connecting-to-microsoft-teams"></a>

 Microsoft Teams is a collaborative workspace within Microsoft 365 that acts as a central hub for workplace conversations, collaborative teamwork, video chats and document sharing, all designed to aid worker productivity in a unified suite of tools. 

**Topics**
+ [AWS Glue support for Microsoft Teams](microsoft-teams-support.md)
+ [Policies containing the API operations for creating and using connections](microsoft-teams-configuring-iam-permissions.md)
+ [Configuring Microsoft Teams](microsoft-teams-configuring.md)
+ [Configuring Microsoft Teams connections](microsoft-teams-configuring-connections.md)
+ [Reading from Microsoft Teams entities](microsoft-teams-reading-from-entities.md)
+ [Microsoft Teams connection option reference](microsoft-teams-connection-options.md)
+ [Limitations](microsoft-teams-connector-limitations.md)
+ [Create a new Microsoft Teams account:](#microsoft-teams-account-creation)

# AWS Glue support for Microsoft Teams
<a name="microsoft-teams-support"></a>

AWS Glue supports Microsoft Teams as follows:

**Supported as a source?**  
Yes. You can use AWS Glue ETL jobs to query data from Microsoft Teams.

**Supported as a target?**  
No.

**Supported Microsoft Teams API versions**  
 v1. For the entities supported by each version, see Supported entities for source. 

# Policies containing the API operations for creating and using connections
<a name="microsoft-teams-configuring-iam-permissions"></a>

 The following sample policy describes the required AWS permissions for creating and using connections. If you are creating a new role, create a policy that contains the following: 

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:ListConnectionTypes",
        "glue:DescribeConnectionType",
        "glue:RefreshOAuth2Tokens",
        "glue:ListEntities",
        "glue:DescribeEntity"
      ],
      "Resource": "*"
    }
  ]
}
```

You can also use the following managed IAM policies to allow access:
+  [ AWSGlueServiceRole ](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole) – Grants access to resources that various AWS Glue processes require to run on your behalf. These resources include AWS Glue, Amazon S3, IAM, CloudWatch Logs, and Amazon EC2. If you follow the naming convention for resources specified in this policy, AWS Glue processes have the required permissions. This policy is typically attached to roles specified when defining crawlers, jobs, and development endpoints. 
+  [ AWSGlueConsoleFullAccess ](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess) – Grants full access to AWS Glue resources when an identity that the policy is attached to uses the AWS Management Console. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the AWS Glue console. 

# Configuring Microsoft Teams
<a name="microsoft-teams-configuring"></a>

Before you can use AWS Glue to transfer data from Microsoft Teams, you must meet these requirements:

## Minimum requirements
<a name="microsoft-teams-configuring-min-requirements"></a>
+  You have a Microsoft Teams developer account with Email and Password. For more information, see [Create a new Microsoft Teams account:](connecting-to-microsoft-teams.md#microsoft-teams-account-creation). 
+  You have set up an OAuth2 app in your Microsoft account that provides the client ID and secret credentials that AWS Glue uses to access your data securely when it makes authenticated calls to your account. For more information, see [Create a new Microsoft Teams account:](connecting-to-microsoft-teams.md#microsoft-teams-account-creation). 

 If you meet these requirements, you’re ready to connect AWS Glue to your Microsoft Teams account. For typical connections, you don't need to do anything else in Microsoft Teams. 

# Configuring Microsoft Teams connections
<a name="microsoft-teams-configuring-connections"></a>

Microsoft Teams supports the following two types of authentication mechanism:

1.  OAuth Auth: Microsoft Teams supports the AUTHORIZATION_CODE grant type for OAuth2. 
   +  This grant type is considered “three-legged” OAuth because it relies on redirecting users to the third-party authorization server to authenticate the user. It is used when creating connections via the AWS Glue Console. The user creating a connection may by default rely on an AWS Glue-owned connected app, where they do not need to provide any OAuth-related information except for the Microsoft Teams instance URL. The AWS Glue Console redirects the user to Microsoft Teams, where the user must log in and allow AWS Glue the requested permissions to access their Microsoft Teams instance. 
   +  Users may opt to create their own connected app in Microsoft Teams and provide their own client ID and client secret when creating connections through the AWS Glue Console. In this scenario, they are still redirected to Microsoft Teams to log in and authorize AWS Glue to access their resources. 
   +  This grant type results in a refresh token and access token. The access token is active for one hour, and may be refreshed automatically without user interaction using the refresh token. 
   +  For public Microsoft Teams documentation on creating a connected app for the Authorization Code OAuth flow, see [Register an application with the Microsoft identity platform - Microsoft Graph](https://learn.microsoft.com/en-us/graph/auth-register-app-v2) on Microsoft Learn. 

To configure a Microsoft Teams connection:

1.  In AWS Secrets Manager, create a secret with the following details. You must create a secret for each connection in AWS Glue. 

   1.  For OAuth auth: 
      +  For a customer managed connected app, the secret should contain the connected app Consumer Secret with `USER_MANAGED_CLIENT_APPLICATION_CLIENT_SECRET` as the key. 

1. In AWS Glue Studio, create a connection under **Data Connections** by following the steps below: 

   1.  Under Data Connections, choose **Create connection**. 

   1. When selecting a **Data Source**, select Microsoft Teams.

   1. Provide your Microsoft Teams **Tenant ID**.

   1.  Select the IAM role that AWS Glue can assume and that has permissions for the following actions: 

      ```
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "secretsmanager:DescribeSecret",
              "secretsmanager:GetSecretValue",
              "secretsmanager:PutSecretValue",
              "ec2:CreateNetworkInterface",
              "ec2:DescribeNetworkInterfaces",
              "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
          }
        ]
      }
      ```

   1.  Provide the User Managed Client Application ClientId of the Microsoft Teams app. 

   1.  Select the `secretName` that you want AWS Glue to use for this connection to store the tokens. 

   1.  Select the network options if you want to use your network. 

1.  Grant the IAM role associated with your AWS Glue job permission to read `secretName`. Choose **Next**. 

1.  In your AWS Glue job configuration, provide `connectionName` as an **Additional network connection**. 
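
The role policy in the procedure above allows the Secrets Manager actions on every secret in the account. The following added example (not part of the AWS documentation) builds the same policy with those actions scoped to the connection's secret and flags statements that still allow a Secrets Manager action on `*`. The secret ARN is a constructed placeholder and the function names are hypothetical.

```python
import json

SECRET_ACTIONS = ["secretsmanager:DescribeSecret",
                  "secretsmanager:GetSecretValue",
                  "secretsmanager:PutSecretValue"]
ENI_ACTIONS = ["ec2:CreateNetworkInterface",
               "ec2:DescribeNetworkInterfaces",
               "ec2:DeleteNetworkInterface"]

# The policy as shown on this page: all six actions on every resource.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": SECRET_ACTIONS + ENI_ACTIONS, "Resource": "*"}]}

# Constructed placeholder ARN; substitute the ARN of the connection's secret.
EXAMPLE_SECRET_ARN = ("arn:aws:secretsmanager:us-west-2:111122223333:"
                      "secret:example-msteams-connection-AbCdEf")


def scoped_connection_policy(secret_arn):
    """Same actions as PAGE_POLICY, Secrets Manager limited to one secret."""
    if not secret_arn.startswith("arn:") or ":secretsmanager:" not in secret_arn:
        raise ValueError("expected a Secrets Manager secret ARN")
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ConnectionSecretOnly", "Effect": "Allow",
         "Action": SECRET_ACTIONS, "Resource": secret_arn},
        # ec2:DescribeNetworkInterfaces has no resource-level permissions,
        # so the network interface statement stays on "*" as on the page.
        {"Sid": "GlueNetworkInterfaces", "Effect": "Allow",
         "Action": ENI_ACTIONS, "Resource": "*"}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def wildcard_secret_statements(policy):
    """Return Allow statements granting a secretsmanager action on '*'."""
    hits = []
    stmts = policy.get("Statement", [])
    for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        on_secrets = any(a == "*" or a.startswith("secretsmanager:") for a in actions)
        if (stmt.get("Effect") == "Allow" and on_secrets
                and "*" in _as_list(stmt.get("Resource", []))):
            hits.append(stmt)
    return hits


if __name__ == "__main__":
    print(json.dumps(scoped_connection_policy(EXAMPLE_SECRET_ARN), indent=2))
```
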

# Reading from Microsoft Teams entities
<a name="microsoft-teams-reading-from-entities"></a>

 **Prerequisites** 
+  A Microsoft Teams object you would like to read from. You will need the object name such as team or channel-message. The following table shows the supported entities. 

 **Supported entities for Source** 

 All entities are supported with API version 1.0. 


| Entity | Can be Filtered | Supports Limit | Supports Order By | Supports Select * | Supports Partitioning | 
| --- | --- | --- | --- | --- | --- | 
| Teams | No | No | No | Yes | No | 
| Team Members | Yes | Yes | No | Yes | Yes | 
| Groups | Yes | Yes | Yes | Yes | Yes | 
| Group Members | Yes | Yes | No | Yes | No | 
| Channels | Yes | No | No | Yes | Yes | 
| Channel Messages | No | Yes | No | Yes | No | 
| Channel Message Replies | No | Yes | No | Yes | No | 
| Channel Tabs | Yes | No | No | Yes | No | 
| Chats | Yes | Yes | Yes | Yes | Yes | 
| Calendar Events | Yes | Yes | Yes | Yes | Yes | 

 **Example** 

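```
# glueContext is the GlueContext of the running AWS Glue job.
# ENTITY_NAME must be one of the supported entities listed above.
MicrosoftTeams_read = glueContext.create_dynamic_frame.from_options(
    connection_type="MicrosoftTeams",
    connection_options={
        "connectionName": "connectionName",
        "ENTITY_NAME": "team",
        "API_VERSION": "v1.0"
    }
)
```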

## Microsoft Teams Entity and Field Details
<a name="microsoft-teams-entity-and-field-details"></a>

 Entities list: 
+  Team: [ https://docs.microsoft.com/en-us/graph/api/user-list-joinedteams?view=graph-rest-1.0 ](https://docs.microsoft.com/en-us/graph/api/user-list-joinedteams?view=graph-rest-1.0) 
+  Team-Member: [ https://docs.microsoft.com/en-us/graph/api/team-list-members?view=graph-rest-1.0 ](https://docs.microsoft.com/en-us/graph/api/team-list-members?view=graph-rest-1.0) 
+  Group: [ https://docs.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0 ](https://docs.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0) 
+  Group-Member: [ https://docs.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0 ](https://docs.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0) 
+  Channel: [ https://docs.microsoft.com/en-us/graph/api/channel-list?view=graph-rest-1.0 ](https://docs.microsoft.com/en-us/graph/api/channel-list?view=graph-rest-1.0) 
+  Channel-Message: [ https://docs.microsoft.com/en-us/graph/api/channel-list-messages?view=graph-rest-1.0 ](https://docs.microsoft.com/en-us/graph/api/channel-list-messages?view=graph-rest-1.0) 
+  Channel-Message-Reply: [ https://docs.microsoft.com/en-us/graph/api/chatmessage-list-replies?view=graph-rest-1.0 ](https://docs.microsoft.com/en-us/graph/api/chatmessage-list-replies?view=graph-rest-1.0) 
+  Channel-Tab: [ https://docs.microsoft.com/en-us/graph/api/channel-list-tabs?view=graph-rest-1.0 ](https://docs.microsoft.com/en-us/graph/api/channel-list-tabs?view=graph-rest-1.0) 
+  Chat: [ https://docs.microsoft.com/en-us/graph/api/chat-list?view=graph-rest-1.0 ](https://docs.microsoft.com/en-us/graph/api/chat-list?view=graph-rest-1.0) 
+  Calendar-Event: [ https://docs.microsoft.com/en-us/graph/api/group-list-events?view=graph-rest-1.0 ](https://docs.microsoft.com/en-us/graph/api/group-list-events?view=graph-rest-1.0) 

 **Partitioning queries** 

 You can provide the additional Spark options `PARTITION_FIELD`, `LOWER_BOUND`, `UPPER_BOUND`, and `NUM_PARTITIONS` if you want to utilize concurrency in Spark. With these parameters, the original query is split into `NUM_PARTITIONS` sub-queries that Spark tasks can execute concurrently. 
+  `PARTITION_FIELD`: the name of the field to be used to partition query. 
+  `LOWER_BOUND`: an inclusive lower bound value of the chosen partition field. 

   For date, we accept the Spark date format used in Spark SQL queries. Example of valid values: `"2024-02-06"`. 
+  `UPPER_BOUND`: an exclusive upper bound value of the chosen partition field. 
+  `NUM_PARTITIONS`: number of partitions. 

 The following table lists the partitioning fields supported for each entity: 


| Entity Name | Partitioning Fields | Data Type | 
| --- | --- | --- | 
| Team Members | visibleHistoryStartDateTime | DateTime | 
| Groups | createdDateTime | DateTime | 
| Channels | createdDateTime | DateTime | 
| Chats | createdDateTime, lastModifiedDateTime | DateTime | 
| Calendar Events | createdDateTime, lastModifiedDateTime, originalStart | DateTime | 

 **Example** 

```
# glueContext is the GlueContext of the running AWS Glue job.
microsoftteams_read = glueContext.create_dynamic_frame.from_options(
    connection_type="MicrosoftTeams",
    connection_options={
        "connectionName": "connectionName",
        "ENTITY_NAME": "group",
        "API_VERSION": "v1.0",
        "PARTITION_FIELD": "createdDateTime",
        "LOWER_BOUND": "2022-07-13T07:55:27.065Z",  # inclusive
        "UPPER_BOUND": "2022-08-12T07:55:27.065Z",  # exclusive
        "NUM_PARTITIONS": "2"
    }
)
```
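
The following added example (not AWS Glue code) checks partition options against the table above and shows the half-open `[LOWER_BOUND, UPPER_BOUND)` windows for the options in the example. Equal-width windows are an assumption for illustration, since this page does not state where the connector places the boundaries, and the lower-case entity option names other than `group` are assumed.

```python
from datetime import datetime, timezone

# Partitioning fields per entity, from the table on this page.
# Entity option names other than "group" are assumed spellings.
PARTITION_FIELDS = {
    "team-member": {"visibleHistoryStartDateTime"},
    "group": {"createdDateTime"},
    "channel": {"createdDateTime"},
    "chat": {"createdDateTime", "lastModifiedDateTime"},
    "calendar-event": {"createdDateTime", "lastModifiedDateTime",
                       "originalStart"},
}


def parse_bound(value):
    """Parse '2024-02-06' or '2022-07-13T07:55:27.065Z' as a UTC datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def partition_ranges(options):
    """Validate the partition options and return (lower, upper) windows.

    Each window includes its lower edge and excludes its upper edge, so a
    record whose field equals UPPER_BOUND is not read by any sub-query.
    """
    entity, field = options["ENTITY_NAME"], options["PARTITION_FIELD"]
    if field not in PARTITION_FIELDS.get(entity, set()):
        raise ValueError(f"{entity!r} cannot be partitioned on {field!r}")
    lower = parse_bound(options["LOWER_BOUND"])
    upper = parse_bound(options["UPPER_BOUND"])
    count = int(options.get("NUM_PARTITIONS", 1))
    if count < 1 or lower >= upper:
        raise ValueError("need NUM_PARTITIONS >= 1 and LOWER_BOUND < UPPER_BOUND")
    step = (upper - lower) / count  # assumed equal-width split
    edges = [lower + step * i for i in range(count)] + [upper]
    return list(zip(edges[:-1], edges[1:]))


# Options from the example on this page.
PAGE_OPTIONS = {
    "ENTITY_NAME": "group",
    "PARTITION_FIELD": "createdDateTime",
    "LOWER_BOUND": "2022-07-13T07:55:27.065Z",
    "UPPER_BOUND": "2022-08-12T07:55:27.065Z",
    "NUM_PARTITIONS": "2",
}

if __name__ == "__main__":
    for start, end in partition_ranges(PAGE_OPTIONS):
        print(f"{start.isoformat()} <= createdDateTime < {end.isoformat()}")
```
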

# Microsoft Teams connection option reference
<a name="microsoft-teams-connection-options"></a>

The following are connection options for Microsoft Teams:
+  `ENTITY_NAME`(String) - (Required) Used for Read. The name of your Object in Microsoft Teams. 
+  `API_VERSION`(String) - (Required) Used for Read. Microsoft Teams Rest API version you want to use. Example: v1.0. 
+  `SELECTED_FIELDS`(List<String>) - Default: empty (SELECT *). Used for Read. Columns you want to select for the object. 
+  `FILTER_PREDICATE`(String) - Default: empty. Used for Read. It should be in the Spark SQL format. 
+  `QUERY`(String) - Default: empty. Used for Read. Full Spark SQL query. 
+  `PARTITION_FIELD`(String) - Used for Read. Field to be used to partition query. 
+  `LOWER_BOUND`(String) - Used for Read. An inclusive lower bound value of the chosen partition field. 
+  `UPPER_BOUND`(String) - Used for Read. An exclusive upper bound value of the chosen partition field. 
+  `NUM_PARTITIONS`(Integer) - Default: 1. Used for Read. Number of partitions for read. 

# Limitations
<a name="microsoft-teams-connector-limitations"></a>

The following are limitations for the Microsoft Teams connector:
+  The Microsoft Teams API returns fewer records than specified for Chat and Team Member entities. This issue has been reported to Microsoft Teams Support and is under investigation. 

## Create a new Microsoft Teams account:
<a name="microsoft-teams-account-creation"></a>

1.  Navigate to Microsoft Teams’s homepage, [https://account.microsoft.com/account/](https://account.microsoft.com/account/) and choose **Sign in**. 

1.  Choose **Create one!**. 

1.  Enter the required information for account creation and create a new account. 

1.  Navigate to the Microsoft Teams website at [ https://www.microsoft.com/en-in/microsoft-teams/log-in](https://www.microsoft.com/en-in/microsoft-teams/log-in). 

1.  Sign up using the Microsoft Account you just created. 

1.  After successful sign up on Teams, navigate to [https://account.microsoft.com/services](https://account.microsoft.com/services). 

1.  Choose **Try Microsoft 365**. 

1.  Activate one of the following Microsoft 365 or Microsoft Teams subscriptions to access all required features of the Microsoft Teams connector: 
   + Microsoft Teams Essentials
   + Microsoft 365 Business
   + Microsoft 365 Business Basic
   + Microsoft 365 Business Standard
   + Microsoft 365 Business Premium

**Create a managed client app:**

1.  To create a managed application, you need to register a new OAuth app on Microsoft Entra (formerly Azure Active Directory): 

1.  Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). 

1.  If you have access to multiple tenants, use the Settings icon in the top menu to open the Directories + subscriptions menu and switch to the tenant in which you want to register the application. 

1.  Navigate to Identity > Applications > App registrations and select **New registration**. 

1. Enter a display Name for your application.

1.  Specify who can use the application in the Supported account types section. To make this app global select “Accounts in any organizational directory” or “Accounts in any organizational directory and personal Microsoft accounts”. 

1.  Enter the Redirect URI `https://{region}.console.aws.amazon.com/appflow/oauth`. For example, for the `us-west-2` Region, add `https://us-west-2.console.aws.amazon.com/appflow/oauth`. You can add multiple URLs for the different Regions that you want to use.

1.  Register the app. 

1.  Note the Client ID for future use. 

1.  Choose **Add a certificate or secret** in the Essentials section. 

1.  Choose **New Client Secret**. 

1.  Enter Description and Expires duration. 

1.  Copy and save the client secret for future use. 

1.  In the left side menu list, select **API permissions**. 

1.  Choose **Add a permission**. 

1.  Select “Microsoft Graph”. 

1.  Select “Delegated permissions”. 

1.  Check all the following permissions: 
   + User.Read
   + Offline_access
   + User.Read.All
   + User.ReadWrite.All
   + TeamsTab.ReadWriteForTeam
   + TeamsTab.ReadWriteForChat
   + TeamsTab.ReadWrite.All
   + TeamsTab.Read.All
   + TeamSettings.ReadWrite.All
   + TeamSettings.Read.All
   + TeamMember.ReadWrite.All
   + TeamMember.Read.All
   + Team.ReadBasic.All
   + GroupMember.ReadWrite.All
   + GroupMember.Read.All
   + Group.ReadWrite.All
   + Group.Read.All
   + Directory.ReadWrite.All
   + Directory.Read.All
   + Directory.AccessAsUser.All
   + Chat.ReadWrite
   + Chat.ReadBasic
   + Chat.Read
   + ChannelSettings.ReadWrite.All
   + ChannelSettings.Read.All
   + ChannelMessage.Read.All
   + Channel.ReadBasic.All

1.  Choose **Add permissions**. Your app is now set up successfully. You can use the client ID and client secret to create a new connection. For more information, see [https://learn.microsoft.com/en-us/graph/auth-register-app-v2](https://learn.microsoft.com/en-us/graph/auth-register-app-v2). 