Microsoft Teams
Collaboration
system_type: "teams"
Proxy Teams Graph API calls and incoming webhook notifications with PQC-sealed Azure AD credentials.
Overview#
The Microsoft Teams connector proxies Microsoft Graph API calls for Teams channels, messages, and files. Azure AD OAuth2 client credentials are sealed in QuantaVault. Incoming webhook payloads can be verified against the sealed webhook secret.
https://api.quantaseal.io/api/v2/proxy/outbound
Auth header:
X-API-Key: qs_live_...
Prerequisites#
1. An Azure AD App Registration with the required Microsoft Graph API permissions (ChannelMessage.Send, Channel.ReadBasic.All, etc.)
2. Client ID, Client Secret, and Tenant ID
3. A QuantaSeal API key
Configuration#
Follow these steps to connect Microsoft Teams to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.
1. In Azure Portal, create an App Registration with ChannelMessage.Send and Team.ReadBasic.All Graph permissions. Grant admin consent.
2. Note the Client ID, Client Secret, and Tenant ID.
3. Seal credentials: POST /api/v2/vault/seal with credential_type: oauth2_client.
4. Create the integration: POST /api/v2/integrations with system_type: teams.
Authentication Types#
Use oauth2_client with Azure AD client_credentials flow. For incoming webhooks from Teams, seal the webhook secret as webhook_secret.
All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.
Available Operations#
QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.
| Operation | Description |
|---|---|
| send_message | Send a message to a Teams channel. |
| list_channels | List channels in a Team. |
| get_message | Retrieve a channel message by ID. |
| create_channel | Create a new channel in a Team. |
Code Example#
Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.
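An added example, not QuantaSeal's SDK code: structural checks a client can run on a HybridCryptoEnvelope before decrypting it, plus a both-must-pass combiner that evaluates each verifier unconditionally. Field names and decoded sizes are taken from the sample response later in this section; the function names, the HMAC input (decoded ciphertext_data) and the caller-supplied ML-DSA-65 verifier are assumptions.

```python
import base64, hashlib, hmac, os

# Decoded field sizes as stated in the sample envelope on this page.
SIZES = {("encrypted", "ciphertext_kem"): 1088, ("encrypted", "nonce"): 12,
         ("signature", "pqc_signature"): 3309, ("signature", "hmac_signature"): 64}
ALGS = {"encrypted": "ML-KEM-768", "signature": "ML-DSA-65+HMAC-SHA-512"}

def envelope_problems(env, expected_tenant):
    """Structural checks to run before decrypting; empty list means well-formed."""
    problems = []
    for (section, field), size in SIZES.items():
        try:
            raw = base64.b64decode(env[section][field], validate=True)
        except (KeyError, TypeError, ValueError):
            problems.append(f"{section}.{field}: missing or not base64")
            continue
        if len(raw) != size:
            problems.append(f"{section}.{field}: {len(raw)} bytes, expected {size}")
    for section, alg in ALGS.items():
        part = env.get(section) if isinstance(env.get(section), dict) else {}
        if part.get("algorithm") != alg:
            problems.append(f"{section}.algorithm: expected {alg}")
        if part.get("tenant_id") != expected_tenant:
            problems.append(f"{section}.tenant_id: not the caller's tenant")
    return problems

def hmac_ok(env, key):
    """HMAC-SHA-512 check. ASSUMPTION: the tag covers the decoded ciphertext_data."""
    data = base64.b64decode(env["encrypted"]["ciphertext_data"])
    tag = base64.b64decode(env["signature"]["hmac_signature"])
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha512).digest(), tag)

def both_valid(pqc_check, hmac_check):
    """Evaluate both verifiers unconditionally, then combine with bitwise &."""
    pqc = bool(pqc_check())   # hypothetical caller-supplied ML-DSA-65 verifier
    mac = bool(hmac_check())  # runs even if pqc is False; `a() and b()` would skip it
    return pqc & mac

def constructed_envelope(key, tenant):
    """Constructed sample: random bytes of the right sizes, not a real response."""
    b64 = lambda b: base64.b64encode(b).decode()
    data = os.urandom(48)
    return {
        "encrypted": {"ciphertext_kem": b64(os.urandom(1088)), "ciphertext_data": b64(data),
                      "nonce": b64(os.urandom(12)), "tenant_id": tenant, "algorithm": ALGS["encrypted"]},
        "signature": {"pqc_signature": b64(os.urandom(3309)),
                      "hmac_signature": b64(hmac.new(key, data, hashlib.sha512).digest()),
                      "tenant_id": tenant, "algorithm": ALGS["signature"]},
    }
```

Running both verifiers every time keeps the rejection path the same whichever signature fails, and a tenant_id that differs between the two sections is caught before any key material is touched.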
```bash
curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
  -H "X-API-Key: qs_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "integration_id": "int_01HZ9X2K4MNPQRTEAMS000001",
    "operation": "send_message",
    "payload": {
      "team_id": "19:abc123@thread.tacv2",
      "channel_id": "19:def456@thread.tacv2",
      "body": {
        "contentType": "html",
        "content": "<b>QuantaSeal Alert:</b> Anomaly detected in proxy traffic. Review audit logs."
      }
    }
  }'
```

Response - HybridCryptoEnvelope:

```json
{
  "success": true,
  "encrypted": {
    "ciphertext_kem": "<base64 - 1088 bytes ML-KEM-768>",
    "ciphertext_data": "<base64 - AES-256-GCM encrypted Graph API response>",
    "nonce": "<base64 - 12 bytes>",
    "tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
    "algorithm": "ML-KEM-768"
  },
  "signature": {
    "pqc_signature": "<base64 - ~3309 bytes ML-DSA-65>",
    "hmac_signature": "<base64 - 64 bytes HMAC-SHA-512>",
    "tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
    "algorithm": "ML-DSA-65+HMAC-SHA-512"
  },
  "audit_event_id": "aud_01HZ9XABCDEF"
}
```

client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.
Troubleshooting#
403 - Forbidden: ChannelMessage.Send requires admin consent
In Azure Portal, navigate to the App Registration → API Permissions and click Grant Admin Consent. Application permissions require this step.