# Microsoft Teams Orgwide Integration

For calendar/email orgwide integration, please refer to this [document](/development/engineering/docs/rox-enterprise-integrations/orgwide-integration-via-microsoft-graph.md).

### 1) Scope of Integration

Use-case:

Organization-wide connection to Microsoft Teams to automatically ingest Microsoft Teams meeting transcripts into Rox for search, analytics, enrichment, and AI-powered insights.

This integration allows Rox to:

* Discover Teams meeting transcripts across the organization
* Download transcript content (WebVTT format)
* Parse and structure transcripts
* Associate transcripts with meeting metadata and attendees
* Enable transcript search and insights within Rox

This is a read-only integration. Rox does not modify meetings, users, or transcripts in Microsoft Teams.

#### Supported Data Access

| Data Type                 | Purpose                                              | Graph Permission (Application)   |
| ------------------------- | ---------------------------------------------------- | -------------------------------- |
| Teams Meeting Transcripts | Discover and download Teams meeting transcripts      | OnlineMeetings.Read.All          |
| Transcript Content        | Download transcript files (WebVTT)                   | OnlineMeetingTranscript.Read.All |
| Meeting Attendance        | Retrieve attendee name and email for meeting context | OnlineMeetingArtifact.Read.All   |
| Directory (Users)         | Map meeting organizers to Rox users                  | User.ReadBasic.All               |

#### Permission Model

* Application-level permissions
* Granted once by a Microsoft Teams tenant admin
* No per-user consent required
* No delegated scopes used
* No user credentials stored

#### Important Note

Rox recommends implementing Application Access Policies to limit which users’ meeting data can be accessed (see Section 8).

### 2) What Data Rox Accesses

| Property           | Description                                    |
| ------------------ | ---------------------------------------------- |
| Transcript Content | Full meeting transcript in WebVTT format       |
| Meeting Metadata   | Subject, meeting URL, scheduled start/end time |
| Attendance Data    | Participant names and email addresses          |
| Directory Data     | Basic user attributes for organizer mapping    |

#### What Rox Does NOT Access

* Chat messages
* Channel messages
* Files or attachments
* Teams messages
* Video or audio recordings
* User mailboxes
* Calendar write access

This integration is strictly limited to Teams meeting transcript ingestion.

### 3) Microsoft Entra (Azure AD) Application Details

| Property         | Description                                  |
| ---------------- | -------------------------------------------- |
| App Type         | Multi-tenant Microsoft Graph application     |
| Protocol         | OAuth 2.0 Client Credentials Grant           |
| Consent Model    | Tenant admin consent (one-time)              |
| Token Handling   | Short-lived service-to-service access tokens |
| Redirect URI     | <https://run.rox.com/settings>               |
| Directory Access | Read-only (Users only)                       |

No user passwords, MFA tokens, or delegated session tokens are stored.

### 4) Components & Hosting Locations

| Component       | Vendor    | Region                  |
| --------------- | --------- | ----------------------- |
| Rox Frontend    | Vercel    | United States           |
| Rox Backend     | AWS       | us-east-2 (Ohio)        |
| Microsoft Graph | Microsoft | Tenant region dependent |

Rox does not proxy Microsoft infrastructure. Your Entra tenant remains the authority for authentication and access control.

### 5) Data Handling & Privacy

| Category      | Description                                      |
| ------------- | ------------------------------------------------ |
| Data Accessed | Meeting transcripts, meeting metadata, attendees |
| Encryption    | TLS 1.2+ in transit, AES-256 at rest             |
| Storage       | Encrypted AWS storage                            |
| Retention     | Operational use only                             |
| Deletion      | Purged upon tenant request                       |

### 6) Security Controls

| Control         | Detail                            |
| --------------- | --------------------------------- |
| Auth Model      | OAuth 2.0 client credentials      |
| Credential Type | Certificate-based authentication  |
| Token Handling  | Short-lived application tokens    |
| Revocation      | Admin-controlled in Entra anytime |
| Audit           | Rox logs + Microsoft audit logs   |
| Least Privilege | Transcript-only Graph scopes      |

### 7) Customer Action Checklist (IT / Admin)

1. Set up a mail-enabled security group and restrict access with an Application Access Policy using the instructions in Section 8.
2. Go to the Rox UI and follow the instructions in Section 9 to create the integration.
3. Review and approve the **Rox Teams Integration** request through the Microsoft auth page.
4. Verify that Rox appears under **Enterprise Applications → Rox Teams Integration** in your Entra portal.

### 8) Restricting Application Access Policy (Recommended)

By default, Microsoft Graph application permissions are tenant-wide.

To restrict which users’ Teams meetings and transcripts Rox can access, Microsoft provides Application Access Policies via **Teams PowerShell**.

This is strongly recommended for enterprises.

#### A) Install Required PowerShell Module

```powershell
Install-Module MicrosoftTeams
Connect-MicrosoftTeams
```

#### B) Create a Teams Application Access Policy

Use AppId **e71c2f8d-6b21-4425-a1bc-73839163c76a** for Microsoft Teams integration.

```powershell
New-CsApplicationAccessPolicy `
  -Identity "Rox-Teams-Transcript-Policy" `
  -AppIds "e71c2f8d-6b21-4425-a1bc-73839163c76a" `
  -Description "Allow Rox to access Teams meetings and transcripts"
```

#### C) Grant the Policy to Specific Users

```powershell
Grant-CsApplicationAccessPolicy `
  -PolicyName "Rox-Teams-Transcript-Policy" `
  -Identity "user@yourdomain.com"
```

#### D) Verify Policies

List policies:

```powershell
Get-CsApplicationAccessPolicy
```

Check assignment:

```powershell
Get-CsOnlineUser -Identity user@yourdomain.com | Select ApplicationAccessPolicy
```

> If Get-CsUser is not recognized, use Get-CsOnlineUser (Teams PowerShell).
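To confirm that the policy is scoped to exactly the users you intended, the following added example (not Rox's or Microsoft's code) checks each user on an approved list and reports the assignment state. The `$ApprovedUsers` list and the function names are hypothetical, and the handling of the `ApplicationAccessPolicy` property shape is an assumption that covers both a plain string and an object with a `Name` property.

```powershell
# Added example: audit Application Access Policy assignment for an approved list.
# Run after Connect-MicrosoftTeams. $ApprovedUsers is constructed sample data.
$PolicyName    = 'Rox-Teams-Transcript-Policy'
$ApprovedUsers = @('alice@yourdomain.com', 'bob@yourdomain.com')

function Get-AssignedPolicyName {
    param($Policy)
    # Assumption: depending on module version the property is either a string
    # or an object that exposes the policy name as .Name.
    if ($null -eq $Policy) { return $null }
    if ($Policy.PSObject.Properties['Name']) { return [string]$Policy.Name }
    return [string]$Policy
}

function Test-RoxPolicyAssignment {
    param([string[]]$Users, [string]$ExpectedPolicy)

    foreach ($upn in $Users) {
        $user     = Get-CsOnlineUser -Identity $upn -ErrorAction SilentlyContinue
        $assigned = $null
        if ($user) { $assigned = Get-AssignedPolicyName $user.ApplicationAccessPolicy }

        # Classify so that gaps and drift are visible at a glance.
        if (-not $user)                         { $state = 'UserNotFound' }
        elseif (-not $assigned)                 { $state = 'NotAssigned' }
        elseif ($assigned -eq $ExpectedPolicy)  { $state = 'Assigned' }
        else                                    { $state = 'DifferentPolicy' }

        [pscustomobject]@{ User = $upn; Policy = $assigned; State = $state }
    }
}

# Report every approved user whose state is not 'Assigned'.
Test-RoxPolicyAssignment -Users $ApprovedUsers -ExpectedPolicy $PolicyName |
    Where-Object State -ne 'Assigned' |
    Format-Table -AutoSize
```

An empty table means every approved user carries the policy; a recently granted policy can take some time to show up.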

### 9) Integration Flow

#### Step 1 — Admin Initiates Connection

A Microsoft Entra Global Admin (or Privileged Role Admin) goes to Rox → Settings → Integrations and clicks "Connect" on Microsoft Teams.

<figure><img src="/files/64AH1Jtdb4bNcSVkKXAe" alt=""><figcaption></figcaption></figure>

#### Step 2 — Admin Consent

The admin is redirected to Microsoft’s standard Admin Consent screen.

Microsoft displays the requested application permissions:

* OnlineMeetings.Read.All
* OnlineMeetingTranscript.Read.All
* OnlineMeetingArtifact.Read.All
* User.ReadBasic.All

<figure><img src="/files/VFPpqLxC65mp0QuREshn" alt=""><figcaption></figcaption></figure>

The admin reviews the permissions and clicks Accept. The admin is then redirected to the Rox application, where the Microsoft Teams integration is shown as connected.

#### Step 3 — Tenant Authorization

Microsoft:

* Registers Rox as an Enterprise Application
* Grants application-level Graph permissions
* Enables Rox to access transcripts across the tenant

No user-level login is required after this step.
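After consent, an admin can check that the tenant granted only the four application permissions listed in Step 2 and no delegated scopes. This is an added example, not Rox's or Microsoft's code; it assumes the Microsoft.Graph PowerShell module (not mentioned on this page) and that the AppId from Section 8 identifies the consented enterprise application. The function name is hypothetical.

```powershell
# Added example: compare granted permissions with the list this page documents.
Connect-MgGraph -Scopes 'Directory.Read.All'

$RoxAppId = 'e71c2f8d-6b21-4425-a1bc-73839163c76a'   # AppId from Section 8
$Expected = @('OnlineMeetings.Read.All', 'OnlineMeetingTranscript.Read.All',
              'OnlineMeetingArtifact.Read.All', 'User.ReadBasic.All')

function Get-RoxGrantAudit {
    param([string]$AppId, [string[]]$ExpectedRoles)

    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal with appId $AppId in this tenant." }

    # Microsoft Graph's own service principal holds the role id -> name mapping.
    $graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All

    $granted = foreach ($a in $assignments) {
        if ($a.ResourceId -eq $graph.Id) {
            ($graph.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }).Value
        } else {
            # A role on any API other than Microsoft Graph is outside the documented set.
            "$($a.ResourceDisplayName)/$($a.AppRoleId)"
        }
    }

    foreach ($role in $ExpectedRoles) {
        $status = 'Missing'
        if ($granted -contains $role) { $status = 'Granted' }
        [pscustomobject]@{ Kind = 'Application'; Permission = $role; Status = $status }
    }
    foreach ($extra in $granted | Where-Object { $_ -notin $ExpectedRoles }) {
        [pscustomobject]@{ Kind = 'Application'; Permission = $extra; Status = 'Unexpected' }
    }

    # The page states no delegated scopes are used, so any grant here is a finding.
    $delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
    foreach ($d in $delegated) {
        [pscustomobject]@{ Kind = 'Delegated'; Permission = $d.Scope; Status = 'Unexpected' }
    }
}

Get-RoxGrantAudit -AppId $RoxAppId -ExpectedRoles $Expected | Format-Table -AutoSize
```

A clean result is four `Granted` rows and nothing marked `Unexpected` or `Missing`.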

### 10) Summary

| Aspect             | Detail                                                                                                                     |
| ------------------ | -------------------------------------------------------------------------------------------------------------------------- |
| Purpose            | Org-wide Teams transcript ingestion                                                                                        |
| Access Model       | Application permissions                                                                                                    |
| Write Access       | None                                                                                                                       |
| Restriction Method | CsApplicationAccessPolicy                                                                                                  |
| Permissions        | OnlineMeetings.Read.All, OnlineMeetingTranscript.Read.All, OnlineMeetingArtifact.Read.All, User.ReadBasic.All              |
| Revocable          | Yes, anytime                                                                                                               |
| Hosting            | Vercel (US), AWS us-east-2 (US)                                                                                            |
| Data               | Transcripts, meetings, meeting attendees, and user directory data synced securely and encrypted                            |
| Controls           | OAuth 2.0 client credentials flow; no user credentials stored; admin consent required; least-privilege scope               |
| Governance         | Microsoft Entra remains authoritative; revocation and audit available anytime via Microsoft portal                         |

