Microsoft Teams
Discover installed apps/bots, tabs, connectors, **Graph application permissions**, teams/channels (incl. private/shared), guest/external access, meeting/recording options and **effective permissions** at execution time. Govern non-human identities and stop risky actions before impact.
What the connector discovers
- Apps, Bots, Tabs & Connectors
Catalog/Custom apps, bot frameworks, tabs, incoming webhooks, actionable messages and connectors; ownership and install scope (team/chat/org).
- Teams, Channels & Membership
Teams and private/shared channels; owners, members, guests; sensitivity labels and cross-tenant shared channels.
- External & Guest Access
Org-wide settings for external access (federation) and guest permissions; per-team overrides and risky exceptions.
- Meetings & Recording Policies
Meeting/recording/transcription/encryption settings; lobby/bypass rules; compliance recording integrations.
- Graph App Permissions
Application permissions (app-only) and delegated permissions used by Teams apps/bots; effective access across M365 resources.
Teams concentrates conversations, files (SharePoint/OneDrive) and meetings. Apps and automations can exfiltrate data or overreach via Graph. ClarioSec adds **runtime governance**: drift-aware scoring, pre-execution controls and audit-grade narratives.
Drift-aware risk scoring
Baselines per app/bot; peer groups by function/team; detection of scope expansion, excessive channel reach, guest sprawl, risky meeting settings and anomalous file/message flows.
Pre-execution enforcement
Allow / Alert / Block / Approve with governed overrides. Minimize Graph scopes, revoke tokens, and require JIT approvals before sensitive posting/file share or private-channel access.
Audit-grade narratives
Each decision yields **rule → reason → proof → control map** (SOC 2, GDPR, ISO/IEC 27001 & 42001, AI Act), including before/after scopes, affected channels/files and owner context.
Connect Microsoft Teams
ClarioSec connects via **Microsoft Graph** (app-only) using an Entra ID App Registration with minimum read scopes for Teams/SharePoint/Users.
- 1) App Registration
Azure Portal → Entra ID → App registrations → New registration. Record Application (client) ID and Directory (tenant) ID.
- 2) Client secret/certificate
Certificates & secrets → New client secret (or certificate). Store the value securely (shown once).
- 3) Graph application permissions (read-only)
Teams.Read.All, Channel.ReadBasic.All, ChannelMessage.Read.All (optional), Files.Read.All, Sites.Read.All, User.Read.All, Directory.Read.All, AuditLog.Read.All (optional).
- 4) Admin consent
Grant admin consent for Graph permissions; confirm Teams/SharePoint APIs are enabled.
- 5) Add in ClarioSec
Open the Microsoft Teams connector and paste Tenant ID, Client ID and Secret/Certificate (stored per tenant).
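One way to check the result of steps 3 and 4, as an added example that is not ClarioSec code: decode the `roles` claim of an app-only Graph access token issued to the registration and compare it with the read-only list above. The sample token is constructed, the signature is not verified (inspection only), and `WRITE_MARKERS` is an illustrative heuristic.

```python
import base64
import json

# Permission names exactly as listed in step 3 of this page.
REQUIRED = {"Teams.Read.All", "Channel.ReadBasic.All", "Files.Read.All",
            "Sites.Read.All", "User.Read.All", "Directory.Read.All"}
OPTIONAL = {"ChannelMessage.Read.All", "AuditLog.Read.All"}
# Assumption: name fragments treated here as signs of a non-read permission.
WRITE_MARKERS = ("Write", "Send", "Manage", "Create", "Delete", "FullControl")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def token_roles(jwt: str) -> set:
    """Return the `roles` claim of an app-only token. Signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    roles = json.loads(base64.urlsafe_b64decode(padded)).get("roles", [])
    if not isinstance(roles, list):
        raise ValueError("roles claim is not a list")
    return set(roles)

def audit_roles(roles: set) -> dict:
    """Compare granted application permissions with the page's read-only list."""
    unexpected = roles - REQUIRED - OPTIONAL
    return {
        "missing_required": sorted(REQUIRED - roles),
        "optional_granted": sorted(roles & OPTIONAL),
        "unexpected": sorted(unexpected),
        "write_capable": sorted(r for r in unexpected
                                if any(m in r for m in WRITE_MARKERS)),
        "ok": not unexpected and REQUIRED <= roles,
    }

def make_sample_token(roles) -> str:
    """Build a constructed, unsigned token for the demo (not a real credential)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"aud": "https://graph.microsoft.com",
                                 "roles": list(roles)}).encode())
    return f"{header}.{payload}.constructed-signature"

# Constructed drift case: one required scope missing, two extra grants added.
SAMPLE_DRIFTED = make_sample_token(
    sorted(REQUIRED - {"User.Read.All"})
    + ["AuditLog.Read.All", "Sites.ReadWrite.All", "Mail.Send"])

if __name__ == "__main__":
    print(json.dumps(audit_roles(token_roles(SAMPLE_DRIFTED)), indent=2))
```

A result with `ok` false and a non-empty `write_capable` list means the registration holds more than the read-only set this connector asks for.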
High-value signals via Graph (read-only):
- Teams, channels (public/private/shared), members/owners/guests
- Installed apps/bots/tabs; connector & webhook metadata; app permissions/grants
- External access/guest settings; sensitivity labels; DLP hints (if exposed)
- Meetings/recordings/transcription policy surfaces; compliance recording integrations
- SharePoint/OneDrive file signals linked to Teams channels (metadata only)
Endpoint family: Microsoft Graph (Teams, Chat, Users/Groups, Sites/Drive, Audit Logs — read).
- Over-privileged apps & Graph grants
Apps/bots with application permissions spanning Sites/Files/Users; residual grants after uninstall.
- Guest & shared channel exposure
Guests added to sensitive teams; cross-tenant shared channels with lax controls.
- Risky meeting/recording settings
Publicly joinable meetings, auto-recordings, external presenters, transcription without retention guardrails.
- Webhook/connector egress
Incoming webhooks posting to private channels; connectors forwarding messages/files externally.
- Just-in-time approvals for app installs & Graph scope upgrades
- Automatic scope minimization & token revocation (dormant/risky)
- Owner attestations for bots, connectors and webhooks
- Audit-grade narratives mapped to SOC 2 / GDPR / ISO / AI Act