Configure OAuth Authentication

To retrieve information from Microsoft Teams you must go to the Azure portal and register an application to represent the connector. You must then configure the connector to authenticate using OAuth.

To do this, use one of the following procedures:

For more information about creating applications and using OAuth, refer to the Microsoft documentation.

Set up an OAuth Service Application

To set up an OAuth Service Application

  1. Go to the Microsoft Azure Portal.
  2. Click New registration.

    1. Type a name for the new application.
    2. Specify a redirect URL. The "type" of the redirect URL should be "Web".

      • To use the NiFi Ingest connector, the redirect URL must match the URL shown in the advanced configuration dialog of the NiFi processor.
      • To use the standard connector, the redirect URL must match the value of the RedirectUrl parameter in the OAuth tool configuration file, oauth_tool.cfg. The default value is http://localhost:7878/oauth.
  3. Click Certificates and Secrets and upload a certificate to use to authenticate the connector. You can use a self-signed certificate.

  4. Click API Permissions > Add a permission.

    The Request API permissions dialog box opens.

  5. Click Microsoft Graph, followed by Application permissions and select the following permissions.

    Permission Required For
    Team.ReadBasic.All channel messages
    TeamMember.Read.All Mapped security
    Channel.ReadBasic.All channel messages
    ChannelMember.Read.All Mapped Security
    ChannelMessage.Read.All channel messages
    Chat.Read.All user chat messages
    ChatMember.Read.All user chat messages
    ChatMessage.Read.All user chat messages
    Files.Read.All message attachments
    Directory.Read.All Mapped Security
    Group.Read.All Mapped Security / channel messages
    GroupMember.Read.All Mapped Security
    User.Read.All Mapped Security / user chat messages
  6. (Optional) To ingest user chat messages or use TeamMessageRetrievalMethod=Export, ensure that your application satisfies the Teams Export APIs prerequisites at https://learn.microsoft.com/en-us/microsoftteams/export-teams-content.

  7. Run the OAuth configuration tool that is supplied with the connector.

    • To configure the NiFi Ingest connector

      1. In the NiFi web interface, right-click the processor and click Configure.
      2. Click ADVANCED, and complete the guided setup wizard. Then configure OAuth using the OAUTH SETUP > SERVICE ACCOUNT tab.
    • To configure the standard connector

      1. Open the folder where you installed the connector.
      2. Open the OAuth tool configuration file, oauth_tool.cfg, in a text editor.
      3. In the [Default] section, set any SSL or proxy settings that are required to access the repository:

        SSLMethod The version of SSL/TLS to use.
        ProxyHost The host name or IP address of the proxy server to use.
        ProxyPort The port of the proxy server to use.

        For example:

        SSLMethod=NEGOTIATE
        ProxyHost=10.0.0.1
        ProxyPort=8080
      4. In the [OAuthTool_ServiceApp] section, set the following parameters:

        AdminConsentUrl Replace the placeholder {TenantId} with your Microsoft 365 Tenant, for example mydomain.onmicrosoft.com.
        TokenUrl Replace the placeholder {TenantId} with your Microsoft 365 Tenant, for example mydomain.onmicrosoft.com.
        AppKey The application key of the application you created to represent the connector.
        CustomValue0 The path to the .pfx file that contains the certificate and private key to use to authenticate the connector.
        CustomValue1 The password for the private key.
      5. Open a command-line window and run the following command:

        oauth_tool.exe oauth_tool.cfg OAuthTool_ServiceApp

        A web browser opens, asking you to log in and grant admin consent.

      6. Log in and grant admin consent.

        The web page displays a message stating that the OAuth details have been successfully stored, and the OAuth tool creates the files oauth.cfg and oauth2_sites.bin. When you configure the connector, import the parameters from oauth.cfg into your task configuration. For more information about including parameters from another file, see Include an External Configuration File.

Process Data from a Single User

To process data from a single user

  1. Go to the Microsoft Azure Portal.
  2. Click New registration.

    1. Type a name for the new application.
    2. Specify a redirect URL. The "type" of the redirect URL should be "Web".

      • To use the NiFi Ingest connector, the redirect URL must match the URL shown in the advanced configuration dialog of the NiFi processor.
      • To use the standard connector, the redirect URL must match the value of the RedirectUrl parameter in the OAuth tool configuration file, oauth_tool.cfg. The default value is http://localhost:7878/oauth.
  3. Click Certificates and Secrets and create a new client secret.
  4. Click API Permissions > Add a permission.

    The Request API permissions dialog box opens.

  5. Click Microsoft Graph, followed by Delegated permissions and select the following permissions.

    Permission Required For
    Channel.ReadBasic.All channel messages
    ChannelMessage.Read.All channel messages
    Files.Read.All message attachments
    Directory.Read.All Mapped Security
    Group.Read.All Mapped Security / channel messages
    User.Read.All Mapped Security
    ChannelMessage.Send The insert action
    ChatMessage.Send The insert action
    Chat.Create The insert action
    Channel.Create The insert action
    offline_access  
  6. Run the OAuth configuration tool that is supplied with the connector.

    • To configure the NiFi Ingest connector

      1. In the NiFi web interface, right-click the processor and click Configure.
      2. Click ADVANCED, and complete the guided setup wizard. Then configure OAuth using the OAUTH SETUP > SINGLE USER tab.
    • To configure the standard connector

      1. Open the folder where you installed the connector.
      2. Open the OAuth tool configuration file, oauth_tool.cfg, in a text editor.
      3. In the [Default] section, set any SSL or proxy settings that are required to access the repository:

        SSLMethod The version of SSL/TLS to use.
        ProxyHost The host name or IP address of the proxy server to use.
        ProxyPort The port of the proxy server to use.

        For example:

        SSLMethod=NEGOTIATE
        ProxyHost=10.0.0.1
        ProxyPort=8080
      4. In the [OAuthTool] section, set the following parameters:

        AuthorizeUrl Replace the placeholder {TenantId} with your Microsoft 365 Tenant, for example mydomain.onmicrosoft.com.
        TokenUrl Replace the placeholder {TenantId} with your Microsoft 365 Tenant, for example mydomain.onmicrosoft.com.
        AppKey The application key of the application you created to represent the connector.
        AppSecret The client secret you obtained in step 3.
      5. Open a command-line window and run the following command:

        oauth_tool.exe oauth_tool.cfg OAuthTool

        A web browser opens, asking you to log in and grant consent.

      6. Log in and grant consent.

        The web page displays a message stating that the OAuth details have been successfully stored, and the OAuth tool creates the files oauth.cfg and oauth2_sites.bin. When you configure the connector, import the parameters from oauth.cfg into your task configuration. For more information about including parameters from another file, see Include an External Configuration File.