Microsoft Teams Orgwide Integration
Enable organization-wide Microsoft Teams connectivity for Rox, allowing IT administrators to authorize Rox to securely access and ingest Teams meeting transcripts and related meeting metadata.
For calendar/email orgwide integration, please refer to this document.
1) Scope of Integration
Use-case:
Organization-wide connection to Microsoft Teams to automatically ingest Microsoft Teams meeting transcripts into Rox for search, analytics, enrichment, and AI-powered insights.
This integration allows Rox to:
- Discover Teams meeting transcripts across the organization
- Download transcript content (WebVTT format)
- Parse and structure transcripts
- Associate transcripts with meeting metadata and attendees
- Enable transcript search and insights within Rox
This is a read-only integration. Rox does not modify meetings, users, or transcripts in Microsoft Teams.
Supported Data Access
| Data Type | Purpose | Graph Permission (Application) |
|---|---|---|
| Teams Meeting Transcripts | Discover and download Teams meeting transcripts | OnlineMeetings.Read.All |
| Transcript Content | Download transcript files (WebVTT) | OnlineMeetingTranscript.Read.All |
| Meeting Attendance | Retrieve attendee name and email for meeting context | OnlineMeetingArtifact.Read.All |
| Directory (Users) | Map meeting organizers to Rox users | User.ReadBasic.All |
Permission Model
- Application-level permissions
- Granted once by a Microsoft Teams tenant admin
- No per-user consent required
- No delegated scopes used
- No user credentials stored
Important Note
Rox recommends implementing Application Access Policies to limit which users’ meeting data can be accessed (see Section 8).
2) What Data Rox Accesses
| Property | Description |
|---|---|
| Transcript Content | Full meeting transcript in WebVTT format |
| Meeting Metadata | Subject, meeting URL, scheduled start/end time |
| Attendance Data | Participant names and email addresses |
| Directory Data | Basic user attributes for organizer mapping |
What Rox Does NOT Access
- Chat messages
- Channel messages
- Files or attachments
- Teams messages
- Video or audio recordings
- User mailboxes
- Calendar write access
This integration is strictly limited to Teams meeting transcript ingestion.
3) Microsoft Entra (Azure AD) Application Details
| Property | Description |
|---|---|
| App Type | Multi-tenant Microsoft Graph application |
| Protocol | OAuth 2.0 Client Credentials Grant |
| Consent Model | Tenant admin consent (one-time) |
| Token Handling | Short-lived service-to-service access tokens |
| Redirect URI | |
| Directory Access | Read-only (Users only) |
No user passwords, MFA tokens, or delegated session tokens are stored.
4) Components & Hosting Locations
| Component | Vendor | Region |
|---|---|---|
| Rox Frontend | Vercel | United States |
| Rox Backend | AWS | us-east-2 (Ohio) |
| Microsoft Graph | Microsoft | Tenant region dependent |
Rox does not proxy Microsoft infrastructure. Your Entra tenant remains the authority for authentication and access control.
5) Data Handling & Privacy
| Category | Description |
|---|---|
| Data Accessed | Meeting transcripts, meeting metadata, attendees |
| Encryption | TLS 1.2+ in transit, AES-256 at rest |
| Storage | Encrypted AWS storage |
| Retention | Operational use only |
| Deletion | Purged upon tenant disconnection |
6) Security Controls
| Control | Detail |
|---|---|
| Auth Model | OAuth 2.0 client credentials |
| Credential Type | Certificate-based authentication |
| Token Handling | Short-lived application tokens |
| Revocation | Admin-controlled in Entra anytime |
| Audit | Rox logs + Microsoft audit logs |
| Least Privilege | Transcript-only Graph scopes |
7) Customer Action Checklist (IT / Admin)
- Set up a mail-enabled security group and restrict access with an Application Access Policy using the instructions in step 8.
- Go to the Rox UI and follow the instructions in step 9 to create the integration.
- Review and approve the Rox Teams Integration request through the Microsoft auth page.
- Verify that Rox appears under Enterprise Applications → Rox Teams Integration in your Entra portal.
8) Restricting Access Using Mail Enabled Security Group & Application Access Policy (Recommended)
Steps for setting up a mail-enabled security group (for IT Admins)
Connect to Exchange Online:
Connect-ExchangeOnline -UserPrincipalName admin@domain.com
Create the mail-enabled security group:
New-DistributionGroup -Name "LimitedAppAccessGroup" -Type Security
Add members (the users whose data the app can access):
Add-DistributionGroupMember -Identity "LimitedAppAccessGroup" -Member user1@domain.com
Add-DistributionGroupMember -Identity "LimitedAppAccessGroup" -Member user2@domain.com
By default, Microsoft Graph application permissions are tenant-wide.
To restrict which users’ Teams meetings and transcripts Rox can access, Microsoft provides Application Access Policies via Teams PowerShell.
This is strongly recommended for enterprises.
A) Install Required PowerShell Module
Install-Module MicrosoftTeams
Connect-MicrosoftTeams
B) Create a Teams Application Access Policy
Use AppId e71c2f8d-6b21-4425-a1bc-73839163c76a for Microsoft Teams integration.
New-CsApplicationAccessPolicy -Identity "Rox-Teams-Transcript-Policy" -AppIds "e71c2f8d-6b21-4425-a1bc-73839163c76a" -Description "Allow Rox to access Teams meetings and transcripts"
C) Grant the Policy to Specific Users
Grant-CsApplicationAccessPolicy -PolicyName "Rox-Teams-Transcript-Policy" -Identity "user@yourdomain.com"
D) Verify Policies
List policies:
Get-CsApplicationAccessPolicy
Check assignment:
Get-CsOnlineUser -Identity user@yourdomain.com | Select ApplicationAccessPolicy
If Get-CsUser is not recognized, use Get-CsOnlineUser (Teams PowerShell).
9) Integration Flow
Step 1 — Admin Initiates Connection
A Microsoft Entra Global Admin (or Privileged Role Admin) goes to Rox → Settings → Integrations and clicks "Connect" on Microsoft Teams.

Step 2 — Admin Consent
The admin is redirected to Microsoft’s standard Admin Consent screen.
Microsoft displays the requested application permissions:
- OnlineMeetings.Read.All
- OnlineMeetingTranscript.Read.All
- OnlineMeetingArtifact.Read.All
- User.ReadBasic.All

The admin reviews the permissions and clicks Accept. The admin is then redirected to the Rox application, which shows the Microsoft Teams integration as connected.
Step 3 — Tenant Authorization
Microsoft:
- Registers Rox as an Enterprise Application
- Grants application-level Graph permissions
- Enables Rox to access transcripts across the tenant
No user-level login is required after this step.
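After consent, an admin can confirm that the application permissions actually granted in the tenant are exactly the four listed in Step 2 and that no delegated grants exist. The script below is an added example, not part of Rox's documentation; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed and that the AppId given in section 8 is the client ID of the Rox enterprise application.

```powershell
# Added example (not Rox's code). Requires the Microsoft.Graph PowerShell module.
# Assumption: the AppId from section 8 identifies the Rox enterprise application.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

$RoxAppId = "e71c2f8d-6b21-4425-a1bc-73839163c76a"
$Expected = @(
    "OnlineMeetings.Read.All",
    "OnlineMeetingTranscript.Read.All",
    "OnlineMeetingArtifact.Read.All",
    "User.ReadBasic.All"
)

$sp = Get-MgServicePrincipal -Filter "appId eq '$RoxAppId'"
if (-not $sp) { throw "No enterprise application with AppId $RoxAppId in this tenant." }

# Application permissions are stored as app role assignments on the service principal.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All

# Resolve each AppRoleId to its permission name via the resource that defines it
# (Microsoft Graph for the four permissions above); cache the resource lookups.
$resources = @{}
$granted = foreach ($a in $assignments) {
    if (-not $resources.ContainsKey($a.ResourceId)) {
        $resources[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    }
    $role = $resources[$a.ResourceId].AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{ Resource = $a.ResourceDisplayName; Permission = [string]$role.Value }
}

$names      = @($granted | ForEach-Object { $_.Permission })
$unexpected = @($names    | Where-Object { $_ -notin $Expected })
$missing    = @($Expected | Where-Object { $_ -notin $names })

# The documentation states no delegated scopes are used, so this should be empty.
$delegated = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id)

$granted | Sort-Object Permission | Format-Table -AutoSize
if ($unexpected.Count -gt 0) { Write-Warning "Unexpected application permissions: $($unexpected -join ', ')" }
if ($missing.Count -gt 0)    { Write-Warning "Expected but not granted: $($missing -join ', ')" }
if ($delegated.Count -gt 0)  { Write-Warning "Delegated grants present: $($delegated.Scope -join '; ')" }
if (($unexpected.Count + $missing.Count + $delegated.Count) -eq 0) {
    Write-Output "Granted permissions match the four listed in the documentation."
}
```

Running the same check on a schedule gives an early signal if the permissions granted to the application change after the initial consent.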
10) Summary
| Aspect | Detail |
|---|---|
| Purpose | Org-wide Teams transcript ingestion |
| Access Model | Application permissions |
| Write Access | None |
| Restriction Method | CsApplicationAccessPolicy |
| Permissions | OnlineMeetings.Read.All, OnlineMeetingTranscript.Read.All, OnlineMeetingArtifact.Read.All, User.ReadBasic.All |
| Revocable | Yes, anytime |
| Hosting | Vercel (US), AWS us-east-2 (US) |
| Data | Transcripts, meetings, meeting attendees, and user directory data synced securely and encrypted |
| Controls | OAuth 2.0 client credentials flow; no user credentials stored; admin consent required; least-privilege scope |
| Governance | Microsoft Entra remains authoritative; revocation and audit available anytime via Microsoft portal |