Microsoft Teams
Chat and collaborate with Opulent directly in Microsoft Teams
Tag @Opulent in Microsoft Teams as soon as bugs, feature requests, and questions come in. Opulent responds in-thread with updates and questions when it's tagged, starting a Session your team can follow without leaving the channel.
This integration is a Gap today. The Microsoft Teams app is on the roadmap and is not yet shipped. To start sessions from chat right now, use the Slack integration, or trigger sessions with email and automation events (see Automations). The setup, scopes, and architecture below describe the planned Teams experience so admins can review what consent will be required ahead of general availability.
Get started
Installation
- Go to Settings > Connections and select Microsoft Teams
- Click "Connect"
- You'll be prompted to install the Opulent app for Microsoft Teams in your tenant and/or target Team
- Make sure to link your individual user. All users in your organization will need to complete this step to use Opulent
- Mention
@Opulentin a Team channel or chat to start a session
Note: For Opulent to work for each user, every individual must connect their own account in the Opulent dashboard (Settings > Connections). This lets Opulent associate their Microsoft Teams identity with their Opulent user.
How to use Opulent from Microsoft Teams
Once you've installed the Microsoft Teams integration, simply trigger Opulent with @Opulent in any Team channel.
Opulent will respond in-thread to your session. You can communicate back and forth just like in the regular Opulent chat interface.
Note that Opulent may make mistakes. Please double-check responses.
Inline Teams Keywords & Functions
| Keyword | Function |
|---|---|
!ask |
Begin your message with !ask to get a quick codebase answer without starting a full agent |
!deep |
Get a deeper research answer using advanced search |
mute |
Prevents Opulent from seeing further messages in the thread |
unmute |
Reverses the above |
(aside), !aside |
Causes Opulent to ignore the message (useful for commentary on Opulent's run directly in-thread) |
sleep |
Puts Opulent to sleep; to wake Opulent up, send any message in the thread |
archive |
Puts Opulent to sleep + archives the session |
EXIT |
Ends the session |
help |
Shows help message with available keywords and functions |
Pricing
If you don't yet have an Opulent account, you can learn more about pricing and plans here.
Privacy
Our privacy policy is available here.
Authentication Flow
The diagram below illustrates the high-level authentication architecture for the planned Microsoft Teams integration, showing how authentication flows from Teams through various layers to create authenticated Opulent sessions.
graph TB
subgraph MSTeams ["Microsoft Teams"]
A[Teams User] --> B[Teams Channel]
B --> C[Teams Bot Framework]
C --> D[Microsoft Graph API]
end
subgraph AuthLayer ["Authentication Layer"]
E[Certificate-Based Auth] --> F[JWT Token Validation]
F --> G[Tenant ID Verification]
G --> H[User Identity Claims]
end
subgraph OpulentPlat ["Opulent Platform"]
I[Chat Manager] --> J[Identity Mapping Service]
J --> K[Organization Resolver]
K --> L[RBAC Authorization]
L --> M[Session Creation]
end
subgraph IdProviders ["Identity Providers"]
N[Microsoft Entra ID] --> O[SAML/SSO Provider]
O --> P[Opulent Identity Store]
end
A --> E
D --> F
H --> J
N --> J
P --> L
M --> Q[Opulent Session]
Permissions Details
Below is a summary of the Microsoft Teams and Microsoft Graph permissions the integration requires—what each grants, why we need it, and where it's used.
At a glance
- Graph (Application, tenant-wide): discovery & installation orchestration.
- Teams bot RSC (per Team/Chat): scoped access to messages/members/settings only where the bot is installed or present.
Tenant-wide Microsoft Graph (Application) Permissions
These require Admin Consent in Microsoft Entra ID. They are app-only (no user delegation).
| Permission | What it allows | Why we need it |
|---|---|---|
Organization.Read.All |
Read basic org profile | Validate the tenant where the app is being installed |
User.ReadBasic.All |
Read basic profiles for all users | Map member identities and resolve mentions in linked Teams |
AppCatalog.Read.All |
Read the Teams app catalog | Locate our app and fetch teamsAppId required for installation |
TeamsAppInstallation.ReadWriteAndConsentSelfForTeam.All |
Install/uninstall our own app; grant app RSC | Install/remove the bot in a selected Team from the Opulent dashboard |
Note: We do not use tenant-wide Graph to read message content. Message access is granted only via RSC and only where the bot is installed/present.
Teams Bot Resource-Specific Consent (RSC) Permissions
These are granted per Team/Chat at install time (do not apply tenant-wide).
| Permission | Scope | What it allows | Why we need it |
|---|---|---|---|
ChannelMessage.Read.Group |
Team/Channel | Read channel messages where the app is installed | Process channel conversations (summaries, triggers, syncing) |
ChannelMessage.Send.Group |
Team/Channel | Send messages in channels (new posts and threaded replies) where the app is installed | Respond to messages in channel threads and proactively post updates to channels |
Member.Read.Group |
Team/Channel | Read team membership | Map identities, permission checks, mention routing |
TeamSettings.Read.Group |
Team/Channel | Read Team settings | Respect Team-level policies and tailor behavior |
ChatMember.Read.Chat |
Chat | Read chat participants | Address/respond correctly and support audit trails |
ChatMessage.Read.Chat |
Chat | Read messages in chats where the bot participates | Process prompts, context, and follow-ups |
ChatMessage.Send.Chat |
Chat | Send messages in 1:1 and group chats (DMs) where the bot participates; not for channels | Respond to users in DMs and group chats, post notifications, and interactive replies in chat threads |
ChatSettings.Read.Chat |
Chat | Read chat settings (e.g., moderation) | Align behavior with chat policies (rate limits, who can post, etc.) |
RSC guardrails: Access is limited to the specific Team/Chat where the app is installed or participates. Removing the app from a Team/Chat revokes that access.
Example: Certificate-Based Authentication for Teams Discovery
The diagram below illustrates our app-only, certificate-based authentication with Microsoft Graph. Using an X.509 client certificate, the service acquires an access token and then calls Graph to list Teams (GET /v1.0/teams). This example demonstrates how Opulent securely performs tenant discovery without user context.
sequenceDiagram
participant S as Opulent
participant M as MSAL client
participant K as Certificate private key
participant A as Entra ID token endpoint
participant G as Microsoft Graph
S->>M: Acquire token for Graph (.default scope)
M->>M: Check token cache (tenant, scope, client)
M->>K: Build client_assertion JWT (sign with cert)
K-->M: client_assertion (signed JWT)
M->>A: POST /oauth2/v2.0/token
A-->A: Validate signature & cert thumbprint<br/>Verify app roles to Graph
A-->M: 200 access_token (aud=graph)
M-->S: Return access_token (store in cache)
S->>G: GET /v1.0/teams with Authorization: Bearer access_token
G-->S: 200 list of teams (paged via @odata.nextLink)
Credential note: We use an X.509 certificate (client assertion) rather than a client secret for service-to-service authentication. This applies to Microsoft Graph calls, bot communications with the Bot Framework adapter, and any app-only API calls from the integration.
Complete Message Processing Flow (Teams → Opulent)
The diagram below shows the complete end-to-end flow when a user sends a message to Opulent in Microsoft Teams, including token validation and bot processing.
sequenceDiagram
participant U as Teams client
participant T as Teams service
participant W as Bot webhook adapter
participant J as Jwt validator
participant O as OpenID metadata & keys
participant C as Credential provider
participant B as Bot logic
U->>T: @Opulent user message
T->>W: HTTP POST activity + Authorization Bearer token
note over W: Extract Authorization header and token
W->>J: Validate token
J->>O: Fetch OpenID config and signing keys
O-->J: Return JWKS keys
J->>J: Verify RS256 signature<br/>and parse claims
J-->W: Validated claims
W->>C: Check appId against credentials
C-->W: AppId recognized
W->>W: Add serviceUrl to trusted list
W->>B: Create TurnContext and call bot handler
B->>B: Execute business logic
B-->W: Outgoing activity
W->>T: Send reply via connector service
T->>U: Deliver message to user
Credential note: We use an X.509 certificate (client assertion) rather than a client secret for service-to-service authentication. This applies to Microsoft Graph calls, bot communications with the Bot Framework adapter, and any app-only API calls from the integration.
Consent & Installation Flow
- Admin Consent (tenant-wide)
- An Entra ID admin grants the Graph Application permissions listed above.
- App Discovery
- The integration queries the Teams app catalog to locate our app and retrieve
teamsAppId.
- The integration queries the Teams app catalog to locate our app and retrieve
- Targeted Installation
- From our dashboard, we install the bot into a specific Team.
- During installation, the RSC scopes are granted only to that Team (or to the specific Chat when invoked in a chat).
- Operation
- Discovery (org/teams/channels/app catalog) uses Graph Application permissions.
- Reading/sending messages and reading members/settings rely on RSC within installed surfaces.
Least-Privilege Notes
- Basic readers only:
User.ReadBasic.All(no tenant-wide message reading). - Message content is accessed exclusively via RSC and only where the bot is installed/present.
- No mailbox, files, or calendar permissions are requested.
Revocation & Uninstallation
- Revoke Admin Consent: A tenant admin can remove the app's enterprise app permissions in Entra ID.
- Uninstall from Teams: Remove the app from a Team/Chat to revoke RSC for that resource.
- Data Handling: On uninstall, our integration stops processing events for that Team/Chat and cleans up related subscriptions/links.