# Microsoft Teams Orgwide Integration

For calendar/email orgwide integration, please refer to this [document](https://docs.rox.com/development/engineering/docs/rox-enterprise-integrations/orgwide-integration-via-microsoft-graph).

### 1) Scope of Integration

Use-case:

Organization-wide connection to Microsoft Teams to automatically ingest Microsoft Teams meeting transcripts into Rox for search, analytics, enrichment, and AI-powered insights.

This integration allows Rox to:

* Discover Teams meeting transcripts across the organization
* Download transcript content (WebVTT format)
* Parse and structure transcripts
* Associate transcripts with meeting metadata and attendees
* Enable transcript search and insights within Rox

This is a read-only integration. Rox does not modify meetings, users, or transcripts in Microsoft Teams.

#### Supported Data Access

| Data Type                 | Purpose                                              | Graph Permission (Application)   |
| ------------------------- | ---------------------------------------------------- | -------------------------------- |
| Teams Meeting Transcripts | Discover and download Teams meeting transcripts      | OnlineMeetings.Read.All          |
| Transcript Content        | Download transcript files (WebVTT)                   | OnlineMeetingTranscript.Read.All |
| Meeting Attendance        | Retrieve attendee name and email for meeting context | OnlineMeetingArtifact.Read.All   |
| Directory (Users)         | Map meeting organizers to Rox users                  | User.ReadBasic.All               |

#### Permission Model

* Application-level permissions
* Granted once by a Microsoft Teams tenant admin
* No per-user consent required
* No delegated scopes used
* No user credentials stored

#### Important Note

Rox recommends implementing Application Access Policies to limit which users’ meeting data can be accessed (see Section 8).

### 2) What Data Rox Accesses

| Property           | Description                                    |
| ------------------ | ---------------------------------------------- |
| Transcript Content | Full meeting transcript in WebVTT format       |
| Meeting Metadata   | Subject, meeting URL, scheduled start/end time |
| Attendance Data    | Participant names and email addresses          |
| Directory Data     | Basic user attributes for organizer mapping    |

#### What Rox Does NOT Access

* Chat messages
* Channel messages
* Files or attachments
* Teams messages
* Video or audio recordings
* User mailboxes
* Calendar write access

This integration is strictly limited to Teams meeting transcript ingestion.

### 3) Microsoft Entra (Azure AD) Application Details

| Property         | Description                                  |
| ---------------- | -------------------------------------------- |
| App Type         | Multi-tenant Microsoft Graph application     |
| Protocol         | OAuth 2.0 Client Credentials Grant           |
| Consent Model    | Tenant admin consent (one-time)              |
| Token Handling   | Short-lived service-to-service access tokens |
| Redirect URI     | <https://run.rox.com/settings>               |
| Directory Access | Read-only (Users only)                       |

No user passwords, MFA tokens, or delegated session tokens are stored.

### 4) Components & Hosting Locations

| Component       | Vendor    | Region                  |
| --------------- | --------- | ----------------------- |
| Rox Frontend    | Vercel    | United States           |
| Rox Backend     | AWS       | us-east-2 (Ohio)        |
| Microsoft Graph | Microsoft | Tenant region dependent |

Rox does not proxy Microsoft infrastructure. Your Entra tenant remains the authority for authentication and access control.

### 5) Data Handling & Privacy

| Category      | Description                                      |
| ------------- | ------------------------------------------------ |
| Data Accessed | Meeting transcripts, meeting metadata, attendees |
| Encryption    | TLS 1.2+ in transit, AES-256 at rest             |
| Storage       | Encrypted AWS storage                            |
| Retention     | Operational use only                             |
| Deletion      | Purged upon tenant request                       |

### 6) Security Controls

| Control         | Detail                            |
| --------------- | --------------------------------- |
| Auth Model      | OAuth 2.0 client credentials      |
| Credential Type | Certificate-based authentication  |
| Token Handling  | Short-lived application tokens    |
| Revocation      | Admin-controlled in Entra anytime |
| Audit           | Rox logs + Microsoft audit logs   |
| Least Privilege | Transcript-only Graph scopes      |

### 7) Customer Action Checklist (IT / Admin)

1. Set up a mail-enabled security group and restrict access with an Application Access Policy, following the instructions in Section 8.
2. Go to the Rox UI and follow the instructions in Section 9 to create the integration.
3. Review and approve the **Rox Teams Integration** request through the Microsoft auth page.
4. Verify that Rox appears under **Enterprise Applications → Rox Teams Integration** in your Entra portal.

### 8) Restricting Application Access Policy (Recommended)

By default, Microsoft Graph application permissions are tenant-wide.

To restrict which users’ Teams meetings and transcripts Rox can access, Microsoft provides Application Access Policies via **Teams PowerShell**.

This is strongly recommended for enterprises.

#### A) Install Required PowerShell Module

```powershell
Install-Module MicrosoftTeams
Connect-MicrosoftTeams
```

#### B) Create a Teams Application Access Policy

Use AppId **e71c2f8d-6b21-4425-a1bc-73839163c76a** for Microsoft Teams integration.

```powershell
New-CsApplicationAccessPolicy `
  -Identity "Rox-Teams-Transcript-Policy" `
  -AppIds "e71c2f8d-6b21-4425-a1bc-73839163c76a" `
  -Description "Allow Rox to access Teams meetings and transcripts"
```

#### C) Grant the Policy to Specific Users

```powershell
Grant-CsApplicationAccessPolicy `
  -PolicyName "Rox-Teams-Transcript-Policy" `
  -Identity "user@yourdomain.com"
```

#### D) Verify Policies

List policies:

```powershell
Get-CsApplicationAccessPolicy
```

Check assignment:

```powershell
Get-CsOnlineUser -Identity user@yourdomain.com | Select ApplicationAccessPolicy
```

> If Get-CsUser is not recognized, use Get-CsOnlineUser (Teams PowerShell).

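The following audit script is an added example, not part of Rox's own tooling. It reconciles an allow-list against actual policy assignments using the cmdlets from steps B to D. The `$Approved` list, the `$Apply` switch and the `Get-PolicyName` helper are hypothetical names introduced here.

```powershell
# Added example: reconcile who SHOULD hold the policy with who DOES.
# Assumes Connect-MicrosoftTeams has already been run in this session.
$PolicyName = 'Rox-Teams-Transcript-Policy'            # policy name from step B
$AppId      = 'e71c2f8d-6b21-4425-a1bc-73839163c76a'   # AppId from step B
$Approved   = @('user@yourdomain.com')                 # placeholder allow-list
$Apply      = $false                                   # $true = also grant to missing users

# The policy property may come back as a string or as an object with a Name.
function Get-PolicyName($Policy) {
    if ($null -eq $Policy) { return $null }
    if ($Policy.Name) { return [string]$Policy.Name }
    return [string]$Policy
}

# 1. Every policy that lists the AppId extends the app's reach. If the Global
#    policy lists it, the per-user restriction no longer limits anything.
$carriers = @(Get-CsApplicationAccessPolicy |
    Where-Object { $_.AppIds -contains $AppId })
$carriers | Select-Object Identity, AppIds, Description | Format-Table -AutoSize

# 2. Approved users who do not hold the policy yet.
$missing = @(foreach ($upn in $Approved) {
    $u = Get-CsOnlineUser -Identity $upn
    if ((Get-PolicyName $u.ApplicationAccessPolicy) -ne $PolicyName) { $upn }
})

# 3. Users who hold the policy but are not on the allow-list.
#    Client-side filter over all users, so expect it to be slow on large tenants.
$extra = @(Get-CsOnlineUser |
    Where-Object { (Get-PolicyName $_.ApplicationAccessPolicy) -eq $PolicyName } |
    Where-Object { $Approved -notcontains $_.UserPrincipalName } |
    Select-Object -ExpandProperty UserPrincipalName)

if ($Apply) {
    foreach ($upn in $missing) {
        Grant-CsApplicationAccessPolicy -PolicyName $PolicyName -Identity $upn
    }
}

# Summary object: all three lists empty or expected means no drift.
[pscustomobject]@{
    PoliciesCarryingAppId = @($carriers | ForEach-Object { $_.Identity })
    MissingPolicy         = $missing
    NotOnAllowList        = $extra
}
```

A newly granted assignment may not show up in `Get-CsOnlineUser` immediately, so re-run the audit before treating a `MissingPolicy` entry as a failure.
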
### 9) Integration Flow

#### Step 1 — Admin Initiates Connection

A Microsoft Entra Global Admin (or Privileged Role Admin) goes to Rox → Settings → Integrations and clicks "Connect" on Microsoft Teams.

<figure><img src="https://2986926806-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUBzWA2LkfjbdaffIaGlN%2Fuploads%2FVuwKKoq4BNP8L2qV5mmB%2FScreenshot%202026-02-27%20at%201.20.18%E2%80%AFAM.png?alt=media&#x26;token=b15441b8-4b10-4d99-a2e5-29c5d2d4fb4a" alt=""><figcaption></figcaption></figure>

#### Step 2 — Admin Consent

The admin is redirected to Microsoft’s standard Admin Consent screen.

Microsoft displays the requested application permissions:

* OnlineMeetings.Read.All
* OnlineMeetingTranscript.Read.All
* OnlineMeetingArtifact.Read.All
* User.ReadBasic.All

<figure><img src="https://2986926806-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUBzWA2LkfjbdaffIaGlN%2Fuploads%2F8VgT94YCQsZw2Cf7jVoV%2FScreenshot%202026-02-27%20at%2011.47.48%E2%80%AFPM.png?alt=media&#x26;token=05d9e0dc-a11b-4099-9f44-7cd6f5aa81d8" alt=""><figcaption></figcaption></figure>

The admin reviews the permissions and clicks Accept. The admin is then redirected to the Rox application, which shows the Microsoft Teams integration as connected.

#### Step 3 — Tenant Authorization

Microsoft:

* Registers Rox as an Enterprise Application
* Grants application-level Graph permissions
* Enables Rox to access transcripts across the tenant

No user-level login is required after this step.
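
To confirm after consent that the enterprise application holds only the four application permissions listed in Step 2, the granted app roles can be read back from the tenant. This is an added example using the Microsoft Graph PowerShell SDK, not Rox's own code. It assumes the AppId given in Section 8 is the application that was consented, and the variable names are introduced here.

```powershell
# Added example: compare granted Graph application permissions with the
# four listed on this page. Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'Application.Read.All'

$RoxAppId   = 'e71c2f8d-6b21-4425-a1bc-73839163c76a'   # AppId from Section 8 (assumed to be the consented app)
$GraphAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph's well-known AppId
$Expected   = @(
    'OnlineMeetings.Read.All',
    'OnlineMeetingTranscript.Read.All',
    'OnlineMeetingArtifact.Read.All',
    'User.ReadBasic.All'
)

$rox   = Get-MgServicePrincipal -Filter "appId eq '$RoxAppId'"
$graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
if (-not $rox) { throw "No service principal for $RoxAppId in this tenant." }

# Role assignments store permission GUIDs; map them back to names
# using the app roles published by the Microsoft Graph service principal.
$roleNames = @{}
foreach ($role in $graph.AppRoles) { $roleNames[[string]$role.Id] = $role.Value }

$granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $rox.Id -All |
    ForEach-Object {
        if ($_.ResourceId -eq $graph.Id) {
            $roleNames[[string]$_.AppRoleId]
        } else {
            # Any permission on an API other than Microsoft Graph is outside this page's list.
            "non-Graph: $($_.ResourceDisplayName) / $($_.AppRoleId)"
        }
    })

# Unexpected = granted but not documented; Absent = documented but not granted.
[pscustomobject]@{
    Granted    = $granted
    Unexpected = @($granted  | Where-Object { $Expected -notcontains $_ })
    Absent     = @($Expected | Where-Object { $granted  -notcontains $_ })
}
```

An empty `Unexpected` list means the grant matches the documented read-only scope. Re-running the check periodically catches permissions added by a later consent.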

### 10) Summary

| Aspect             | Detail                                                                                                                     |
| ------------------ | -------------------------------------------------------------------------------------------------------------------------- |
| Purpose            | Org-wide Teams transcript ingestion                                                                                        |
| Access Model       | Application permissions                                                                                                    |
| Write Access       | None                                                                                                                       |
| Restriction Method | CsApplicationAccessPolicy                                                                                                  |
| Permissions        | OnlineMeetings.Read.All, OnlineMeetingTranscript.Read.All, OnlineMeetingArtifact.Read.All, User.ReadBasic.All |
| Revocable          | Yes, anytime                                                                                                               |
| Hosting            | Vercel (US), AWS us-east-2 (US)                                                                                            |
| Data               | Transcripts, meetings, meeting attendees, and user directory data synced securely and encrypted                            |
| Controls           | OAuth 2.0 client credentials flow; no user credentials stored; admin consent required; least-privilege scope               |
| Governance         | Microsoft Entra remains authoritative; revocation and audit available anytime via Microsoft portal                         |
